Allowing access to low-order ports on Solaris.

  • 3544831
  • 01-Jun-2007
  • 25-May-2012

Environment

Solaris 10

Situation

It is a good rule to have as few processes as possible running with root or administrative privileges. Where a process cannot avoid them, significant protections are put in place so that it does as little as possible with those privileges. This is done largely for security reasons, since an attack that takes over a privileged process can thereby take over the entire box.

Some privileges which are restricted to root are needed by services which do not need all of the capabilities of an administrator. One such privilege is the ability to create a listening socket on a port lower than 1024.

Resolution

As of Solaris 10 it is possible to give regular users an extra 'net_privaddr' privilege that allows them to create a socket bound to a low port. This means that services which would otherwise need to be started with root privileges can now run as any other user and still listen on, for example, port 25 (mail), 524 (eDirectory), 22 (Secure Shell (SSH)), etc. This feature is one of a few which are part of Role Based Access Control (RBAC) in Solaris 10.

As of the time of this writing (2007-06-01) this functionality is not available on previous versions of Solaris. It may be available on other Unix/Linux variants as well, depending on version.
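The following POSIX shell script is an added example and not part of the original TID: it checks whether a process's privilege sets, as printed by Solaris 10 `ppriv`, contain net_privaddr, and wraps the RBAC `usermod -K` command that grants it to a user. The user name 'mailsvc' and the two sample `ppriv` listings are constructed.

```shell
#!/bin/sh
# Added example, not part of the original TID. Checks whether a process's
# privilege sets (as printed by `ppriv [-v] <pid>` on Solaris 10) contain
# net_privaddr, and shows the RBAC command that grants it to a user.
# The user name 'mailsvc' and the SAMPLE_PPRIV* listings are constructed.

# has_priv SET PRIV: read `ppriv` output on stdin and return 0 if PRIV is
# listed in set SET (E=effective, I=inheritable, P=permitted, L=limit).
# Set lines look like "        E: file_link_any,net_privaddr,proc_fork".
has_priv() {
    awk -v s="$1" -v p="$2" '
        $1 == (s ":") { n = split($2, a, ","); for (i = 1; i <= n; i++) if (a[i] == p) found = 1 }
        END { exit found ? 0 : 1 }'
}

# can_bind_low_port: 0 if the process whose ppriv output is on stdin may bind
# ports below 1024 without being root. On Solaris: ppriv -v $$ | can_bind_low_port
can_bind_low_port() {
    has_priv E net_privaddr
}

# grant_privaddr USER: add net_privaddr to USER's default privilege set via
# RBAC (run as root; takes effect at the user's next login). For an SMF
# service the equivalent is privileges='basic,net_privaddr' on the
# <method_credential> element of its manifest.
grant_privaddr() {
    usermod -K defaultpriv=basic,net_privaddr "$1"
}

# Constructed `ppriv -v` output for a shell owned by a user who received
# net_privaddr via: grant_privaddr mailsvc
SAMPLE_PPRIV='4711:   /bin/sh
flags = <none>
        E: file_link_any,net_privaddr,proc_exec,proc_fork,proc_info,proc_session
        I: file_link_any,net_privaddr,proc_exec,proc_fork,proc_info,proc_session
        P: file_link_any,net_privaddr,proc_exec,proc_fork,proc_info,proc_session
        L: all'

# Constructed output for an unmodified user: the basic set only, no net_privaddr.
SAMPLE_PPRIV_BASIC='4712:   /bin/sh
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all'

# check_sample LISTING: feed a captured ppriv listing to can_bind_low_port.
check_sample() {
    printf '%s\n' "$1" | can_bind_low_port
}
```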

Additional Information

http://www.sun.com/bigadmin/features/articles/least_privilege.html
http://blogs.sun.com/Snjezana/entry/running_glassfish_on_port_80
http://docs.sun.com/app/docs/doc/819-5899/6n7uuth9q?a=view

If documentation on this functionality is found for other platforms please submit feedback with references.