Allow an application on port UDP/162 as non-root

By Patrick Lambooy - Aug. 06, 2009

Hello,

I have an application that is written badly but ok.
The problem is:
The application starts its own listening SNMP trap app on port UDP/162.

What I want is to allow a user (not root) to start the daemon and let it bind to port UDP/162.

The original snmptrapd is deactivated.

The only way to do this is to completely deactivate this part of security, which I really don't like; very nasty.

Is there a way with SELinux to do this?
Please explain in detail because I'm still partly an SELinux n00b, sorry.

The alternative is to let the app run as root, which isn't going to happen :-)

I really hope somebody knows how and if this can be done with SELinux; after 1 day of searching and testing I'm a bit stuck.

Thanks

Regards,

Patrick Lambooy


Answers

  1. By Randy Clark on Aug. 06, 2009

    Without getting into the details of your app, here are some things you should know:

    1) I do not believe it is possible to 'selectively' allow privileged ports to become 'unprivileged' so any application can open them.

    2) Like HTTP, sendmail, etc. it is possible to run services listening on privileged ports as non-root users.

    So:

    Have xinit.d start up your application and bind it to the port. Following that, it (xinit.d) will su to the designated user and you should be all set. Apache, for example, defaults to user nobody, typically, but listens on any port specified, including 80. The binding is allowed, but apache does not run as root.


    0 Votes
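The bind-first-then-switch-user pattern Randy describes (the way Apache ends up listening on port 80 while running as nobody) is shown below as an added example; it is not code from the original thread or from the questioner's application. It starts as root, binds the UDP trap socket, then drops permanently to an unprivileged account and verifies that root cannot be regained before it starts reading traps. TRAP_PORT and TARGET_USER are assumptions for the example.

```python
"""Bind UDP/162 while root, then drop to an unprivileged user and serve traps.

Added example of the start-as-root / bind / switch-user pattern. The port,
the target user and the listener loop are assumptions, not the original app.
"""
import os
import pwd
import socket

TRAP_PORT = 162          # SNMP trap port from the question; below 1024, so only root may bind it
TARGET_USER = "nobody"   # assumption: unprivileged account to run as once the socket is bound


def bind_udp(host: str, port: int) -> socket.socket:
    """Create and bind a UDP socket. For ports below 1024 this must run as root."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    return sock


def bound_port(sock: socket.socket) -> int:
    """Return the local port the socket actually got (useful when port 0 was requested)."""
    return sock.getsockname()[1]


def current_ids() -> tuple:
    """Real uid and gid of the running process."""
    return os.getuid(), os.getgid()


def drop_privileges(uid: int, gid: int) -> None:
    """Permanently switch to uid/gid. Order matters: groups, then gid, then uid,
    because once the uid is no longer 0 the group identity can no longer be changed."""
    if os.geteuid() == 0:
        os.setgroups([])      # discard root's supplementary groups
    os.setgid(gid)
    os.setuid(uid)


def privileges_dropped(uid: int) -> bool:
    """Check the drop is real and permanent: both real and effective uid are the
    target, the target is not root, and an attempt to become root is refused."""
    if uid == 0 or os.getuid() != uid or os.geteuid() != uid:
        return False
    try:
        os.setuid(0)
    except PermissionError:
        return True
    return False              # re-escalation succeeded: saved uid was still 0


def serve_traps(sock: socket.socket) -> None:
    """Minimal listener loop; a real daemon would parse the SNMP PDU here."""
    while True:
        data, peer = sock.recvfrom(65535)
        print(f"trap from {peer[0]}:{peer[1]}, {len(data)} bytes")


def main() -> None:
    sock = bind_udp("0.0.0.0", TRAP_PORT)          # needs root (or CAP_NET_BIND_SERVICE)
    pw = pwd.getpwnam(TARGET_USER)
    drop_privileges(pw.pw_uid, pw.pw_gid)
    os.umask(0o077)
    if not privileges_dropped(pw.pw_uid):
        raise SystemExit("refusing to serve: still able to regain root")
    serve_traps(sock)                               # the bound fd survives the uid change


if __name__ == "__main__":
    main()
```

Run it as root (`sudo python3 trapd.py`); the socket is bound before the uid changes, so the listener keeps its port while every later operation happens as TARGET_USER. Under SELinux the process keeps the domain it was started in, so a policy that confines the daemon still applies after the drop.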
  2. By Jesse Babson on Aug. 06, 2009

    Patrick, @Randy is right.

    In addition, if you are using IPTables, you can set up a forwarding rule.

    I've typically disabled my SELinux - too many apps don't work well, and the protection for my work is minimal. I rely on my firewalls, access controls and other user privileges!!


    0 Votes