Bind web server to port 80 without root

I wrote my own web server in C. How can I connect it to port 80 without root so that security is not compromised (buffer overflow, etc.)?

Should I just redirect traffic from another "stable" server that runs on port 80?

+5
5 answers

Using a direct proxy server is indeed the simplest and most recommended solution. It also has the advantage of filtering terribly invalid requests before they even reach your self-written server.
If your application uses the user's IP address for something, be sure to extract it from whatever header your web server uses (X-Client-IP, etc.). However, do this only for requests that actually come from your web server; otherwise users may spoof their IP address. You can do this by checking whether the request came from your IP address and checking the header only in that case, or by just binding your application to localhost.

CAP_NET_BIND_SERVICE. , root setcap cap_net_bind_service=ep /path/to/the/executable - , .

, setuid root, bind(). , , , - , - , .

+5
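The header check described in the answer above, as an added example that is not part of the original answer. The function names are hypothetical, and it assumes the front-end proxy runs on the same host and connects over loopback; the sample addresses are constructed.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Assumption: the front-end proxy runs on this host and connects over loopback. */
static int peer_is_local_proxy(const struct sockaddr *peer)
{
    if (peer->sa_family == AF_INET)   /* all of 127.0.0.0/8 is loopback */
        return (ntohl(((const struct sockaddr_in *)peer)->sin_addr.s_addr) >> 24) == 127;
    if (peer->sa_family == AF_INET6)
        return IN6_IS_ADDR_LOOPBACK(&((const struct sockaddr_in6 *)peer)->sin6_addr);
    return 0;
}

/* Hypothetical helper. Writes the client address to use into out.
 * Returns 1 if the proxy header was used, 0 if the socket peer was used, -1 on error. */
int effective_client_ip(const struct sockaddr *peer, const char *hdr,
                        char *out, socklen_t outlen)
{
    unsigned char raw[sizeof(struct in6_addr)];
    const void *src = NULL;

    if (hdr != NULL && peer_is_local_proxy(peer)) {
        /* Accept the header only if it is exactly one literal IP address. */
        int fam = strchr(hdr, ':') ? AF_INET6 : AF_INET;
        if (inet_pton(fam, hdr, raw) == 1 && inet_ntop(fam, raw, out, outlen))
            return 1;
    }
    /* Sender is not the proxy, or the header is malformed: use the socket peer. */
    if (peer->sa_family == AF_INET)
        src = &((const struct sockaddr_in *)peer)->sin_addr;
    else if (peer->sa_family == AF_INET6)
        src = &((const struct sockaddr_in6 *)peer)->sin6_addr;
    return (src && inet_ntop(peer->sa_family, src, out, outlen)) ? 0 : -1;
}

int main(void)
{
    /* Constructed sample: a direct connection from 198.51.100.9 with a spoofed header. */
    struct sockaddr_in remote = { .sin_family = AF_INET };
    char ip[INET6_ADDRSTRLEN];

    inet_pton(AF_INET, "198.51.100.9", &remote.sin_addr);
    int used = effective_client_ip((struct sockaddr *)&remote, "10.0.0.1", ip, sizeof ip);
    printf("header used=%d, client=%s\n", used, ip);
    return 0;
}
```

Pass the address returned by accept() as peer and the raw X-Client-IP value (or NULL when the header is absent) as hdr.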

bind() root, , , , UNIX-, SCM_RIGHTS.

+3

80, root .

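/* needs <err.h>, <errno.h>, <string.h>, <unistd.h>, <sys/socket.h> */
if (bind(sockfd, addr, addrlen) != 0)
    errx(1, "bind: %s", strerror(errno));
/* process is running as root, drop privileges after bind */
/* drop the group first: once setuid() succeeds the process can no longer change its gid */
if (setgid(groupid) != 0)
    errx(1, "setgid: Unable to drop group privileges: %s", strerror(errno));
if (setuid(userid) != 0)
    errx(1, "setuid: Unable to drop user privileges: %s", strerror(errno));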

80 root, ( ..).

root, , . , , root, , - , strcpy(), sprintf() .., strncpy(), snprintf() ..

+2

, , 1024 Unix root . Unix root. .

iptables 80 , 8080. , .

Iptables - , , ( ).

+2

, systemd + iptables - , .

0
