Bytes IT Community

Socket access to low numbered ports?

I wrote a python program on windows which needs to listen for
connections on a low numbered port which works fine on windows but on
linux you need to be *root* in order to listen for connections on port
numbers below 1024.

I really don't want to run my program as root because that would give it
unnecessary access to the whole of the system.

Has anyone got any suggestion on the best way to allow my program to
listen on those sockets without running as root when doing anything else?
Ideally I want this to be portable so the same program still runs on
windows.
Jul 18 '05 #1
6 Replies


John Burton wrote:
Has anyone got any suggestion on the best way to allow my program to
listen on those sockets without running as root when doing anything else?
Ideally I want this to be portable so the same program still runs on
windows.


The standard practice is to make the program setuid, be root just long
enough to bind to the socket, then change to an unprivileged user (like
"daemon"). The idea is to run as little code as root as possible.

You can make a program suid root like this:

# chown root.root myprog.py
# chmod a+s myprog.py

And you can change users in Python like this:

----------------
import os
os.setreuid(2, 2)
----------------

UID 2 is normally the daemon user. If you want to use a different user
you can refer to the /etc/passwd file.

You may also want to run as the user who spawned the program in the
first place:

----------------
import os
uid = os.getuid() # Gets the "real" UID

# Do your socket binding

os.setreuid(uid, uid)
----------------

Hope this helps.

Dan Boitnott
da*@lclinux.org
Jul 18 '05 #2

Dan Boitnott wrote:
John Burton wrote:
Has anyone got any suggestion on the best way to allow my program to
listen on those sockets without running as root when doing anything else?
Ideally I want this to be portable so the same program still runs on
windows.

The standard practice is to make the program setuid, be root just long
enough to bind to the socket, then change to an unprivileged user (like
"daemon"). The idea is to run as little code as root as possible.

You can make a program suid root like this:

# chown root.root myprog.py
# chmod a+s myprog.py

And you can change users in Python like this:

----------------
import os
os.setreuid(2, 2)
----------------

UID 2 is normally the daemon user. If you want to use a different user
you can refer to the /etc/passwd file.

You may also want to run as the user who spawned the program in the
first place:

----------------
import os
uid = os.getuid() # Gets the "real" UID

# Do your socket binding

os.setreuid(uid, uid)
----------------

Hope this helps.


Well it does - thanks for that - except that setting the set uid bit on
the script doesn't seem to actually work. This is on gentoo linux.
Jul 18 '05 #3

John Burton wrote:
Dan Boitnott wrote:
> John Burton wrote:
>

Well it does - thanks for that - except that setting the set uid bit on
the script doesn't seem to actually work. This is on gentoo linux.


Indeed it doesn't. You have to use a wrapper of some sort. Google should
help you on finding one.
Jul 18 '05 #4

Tuure Laurinolli wrote:
John Burton wrote:
Dan Boitnott wrote:
> John Burton wrote:
> Well it does - thanks for that - except that setting the set uid
> bit on the script doesn't seem to actually work. This is on gentoo linux.

Indeed it doesn't. You have to use a wrapper of some sort. Google should
help you on finding one.


Ok, I'm now using sudo to launch the application which just opens the
listening sockets and then calls os.setuid to set the uid back to an
unprivileged account.

It seems to work fine.

Thanks for the help.
Jul 18 '05 #5

John Burton <jo*********@jbmail.com> writes:
Ok, I'm now using sudo to launch the application which just opens the
listening sockets and then calls os.setuid to set the uid back to an
unprivileged account.


That's how Apache does it too, more or less. Another method under
Linux is have a separate process that opens the low ports, and use an
AF_UNIX socket to pass the low ports back to your application through
ancillary messages. That requires a patch to the socket module, which
I'll see about coding up. I currently have a Sourceforge bug
(#815869) open for it.
Jul 18 '05 #6
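The descriptor-passing approach Paul describes above (a separate privileged process opens the low port and hands the socket to the unprivileged application over an AF_UNIX socket using SCM_RIGHTS ancillary data) no longer needs a patched socket module: sendmsg/recvmsg have been in the standard library since Python 3.3. The following is an added example, not code from anyone in this thread. It runs both sides in one process over a socketpair so it can be tried without root; in a real deployment the opener side runs as root (or with CAP_NET_BIND_SERVICE) and the receiver side as the unprivileged user. The allowlist check in the opener is an assumption of the example: a privileged opener that binds whatever port it is asked for would let the unprivileged side claim any port on the machine.

```python
import array
import socket


def open_and_send(chan, port, allowed, host="127.0.0.1"):
    """Privileged side: bind the requested port (only if it is on the allowlist),
    listen, and pass the descriptor through the AF_UNIX channel as an SCM_RIGHTS
    message. Returns the port actually bound, or None if the request was refused."""
    if allowed is not None and port not in allowed:
        chan.sendmsg([b"denied"])  # refuse: reply carries no descriptor
        return None
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((host, port))
    listener.listen(8)
    bound = listener.getsockname()[1]
    fds = array.array("i", [listener.fileno()])
    chan.sendmsg([b"port=%d" % bound],
                 [(socket.SOL_SOCKET, socket.SCM_RIGHTS, fds)])
    # The kernel duplicated the file reference at send time, so this process can
    # drop its own copy: the receiver ends up as the sole owner of the listener.
    listener.close()
    return bound


def receive_listener(chan):
    """Unprivileged side: extract the descriptor from the ancillary data and wrap
    it in a socket object. Returns (socket, message), or (None, message) when no
    descriptor was passed."""
    fds = array.array("i")
    msg, ancdata, flags, _ = chan.recvmsg(64, socket.CMSG_LEN(fds.itemsize))
    if flags & socket.MSG_CTRUNC:
        raise RuntimeError("ancillary data truncated: buffer too small")
    for level, ctype, data in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            # Only whole ints are meaningful; ignore any trailing padding.
            fds.frombytes(data[:len(data) - (len(data) % fds.itemsize)])
    if not fds:
        return None, msg.decode()
    return socket.socket(fileno=fds[0]), msg.decode()


def demo(port=0, allowed=None):
    """Exercise both sides over a socketpair in one process (constructed demo;
    the two ends would normally live in separate processes). Returns
    (port the opener bound, port the receiver sees, bytes served to a client)."""
    priv, unpriv = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    sent = open_and_send(priv, port, allowed)
    listener, note = receive_listener(unpriv)
    priv.close()
    unpriv.close()
    if listener is None:
        return sent, None, note
    recv_port = listener.getsockname()[1]
    # Prove the passed descriptor is a working listener: accept a real connection.
    client = socket.create_connection(("127.0.0.1", recv_port))
    conn, _ = listener.accept()
    conn.sendall(b"served by the unprivileged side\n")
    conn.close()
    data = client.recv(64)
    client.close()
    listener.close()
    return sent, recv_port, data


if __name__ == "__main__":
    print(demo(0, allowed=None))
    print(demo(0, allowed={80, 443}))  # port 0 is not on the list: refused
```

Port 0 is used in the demo so that it binds an ephemeral port without privileges; the opener would be configured with the real low ports it is allowed to serve. Checking MSG_CTRUNC matters because a descriptor that did not fit in the ancillary buffer is silently closed by the kernel rather than delivered.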

Paul Rubin wrote:
John Burton <jo*********@jbmail.com> writes:
Ok, I'm now using sudo to launch the application which just opens the
listening sockets and then calls os.setuid to set the uid back to an
unprivileged account.

That's how Apache does it too, more or less. Another method under
Linux is have a separate process that opens the low ports, and use an
AF_UNIX socket to pass the low ports back to your application through
ancillary messages. That requires a patch to the socket module, which
I'll see about coding up. I currently have a Sourceforge bug
(#815869) open for it.


The advantage of the original approach is that I want this to be
portable back to windows and the code can be the same except that it
doesn't do the os.setuid on windows. This idea, while interesting,
would be harder to make portable I think.
Jul 18 '05 #7
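The bind-then-drop pattern from Dan's reply (#2), as John ended up using it via sudo (#5) and wanting to keep portable to Windows (#7), written out as an added example that is not code from anyone in this thread. It assumes a POSIX host for the privileged part and falls back to doing nothing on Windows, where os.setuid does not exist and the program simply keeps running as whoever started it. Two details a plain os.setreuid call does not cover are included: supplementary groups and the gid are dropped before the uid (once the uid is no longer 0 those calls would fail), and the drop is verified by confirming that root cannot be regained.

```python
import os
import socket


def bind_listener(port, host="0.0.0.0", backlog=16):
    """Create the listening socket. On Linux this is the only step that needs
    root (or CAP_NET_BIND_SERVICE) for ports below 1024, so it happens first."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(backlog)
    return sock


def current_ids():
    """(uid, gid) in effect now, or None on platforms without POSIX ids (Windows)."""
    if not hasattr(os, "getuid"):
        return None
    return (os.getuid(), os.getgid())


def lookup_user(name):
    """Resolve a username to (uid, gid) from the passwd database (POSIX only)."""
    import pwd
    pw = pwd.getpwnam(name)
    return (pw.pw_uid, pw.pw_gid)


def drop_privileges(uid, gid):
    """Permanently give up root after the socket is bound.

    Returns the (uid, gid) now in effect, or None on Windows where there is
    nothing to drop. Refuses a target uid of 0, since that would not be a drop."""
    if not hasattr(os, "setuid"):
        return None
    if uid == 0:
        raise ValueError("refusing to 'drop' privileges to root")
    if os.geteuid() != 0:
        return current_ids()  # already unprivileged: nothing to do
    os.setgroups([])   # supplementary groups first (needs root)
    os.setgid(gid)     # then the primary group (needs root)
    os.setuid(uid)     # as root, setuid(2) sets real, effective and saved uid
    # Verify the drop is irreversible: regaining root must now fail.
    try:
        os.setuid(0)
    except PermissionError:
        pass
    else:
        raise RuntimeError("privilege drop failed: root could be regained")
    return current_ids()


def serve(port, user="daemon"):
    """Bind while privileged, drop privileges, then handle connections."""
    listener = bind_listener(port)
    if hasattr(os, "setuid"):
        drop_privileges(*lookup_user(user))
    while True:
        conn, _ = listener.accept()
        conn.sendall(b"hello from an unprivileged process\n")
        conn.close()


if __name__ == "__main__":
    serve(80)  # run via sudo on Linux; as a normal user on Windows
```

The listening socket stays usable after the drop because permission is checked at bind time, not on accept. If the process must never have been root at all, the alternative on Linux is to grant the interpreter or a wrapper binary CAP_NET_BIND_SERVICE, or to use the descriptor-passing design Paul mentions; the sudo route above is the one that keeps the Windows and Linux code paths identical apart from the setuid call.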
