Follow

What do you do if you need to absolutely prevent unprivileged users from listening on ports,
but then you need an aria2c seeding a torrent as root that has to be able to listen on a tcp port?

You tell it to listen below 1024 and whitelist that port in iptables.

But what if aria2c refuses to listen on a port below 1024?

Then you tell it to listen on port below 2048 and set sysctl net.ipv4.ip_unprivileged_port_start = 2048

@noriko ok but I need to seed the squashfs to other diskless machines who boot up...

@Wolf480pl But why do you say you need this? "What do you do if you need to absolutely prevent unprivileged users from listening on ports"

@noriko competitive programming contest.

Contestants come to our place, use computers prepared by us, and we need to make sure each of them writes their solution on their own and doesn't cooperate with other contestants.

@noriko I do. But I can't just drop all new connections in INPUT chain because I need aria2c to accept new connections. So I need to whitelist ports used by aria2c.

But I can't just pick one port, because there may be multiple aria2cs and how many there will be depends on kernel commandline.

And if I whitelist more ports than there is aria2cs, the user will be able to listen on the free ones. Unless they're below ip_unprivileged_port_start.

Alternatively, I could make something that allocates ports at runtime, passes them to subsequent aria2c invocations, and adds them to iptables. But it'd be a pain, because I'd need to do it in initramfs and then pass information to main system through some file, and then firewall.service wouldn't be a single ExecStart=iptables-restore

@Wolf480pl On Linux?

setcap 'cap_net_bind_service=+ep' /usr/local/bin/your-binary

Now you can run your-binary as not-root but it can bind to <1024.

@marek it's running as root anyway.
It just has an annoying if (port < 1024) fail("please specify port > 1024"); somewhere in its code

@marek yeah. But I'm working it around by making ports 1024 to 2048 also require cap_net_bind_service. Luckily there's a sysctl for that.

@Wolf480pl There's probably a seccomp or eBPF-style way of preventing a listen() syscall for all your unprivileged users. Pretty much the same technology as used by containerisation stacks to add more than just a thin veneer of namespace security.

@marek well, I could probably put the whole system after switch_root in a restricted network namespace and only leave that aria2c started from initramfs in the initial network namespace.

But that'd make my initramfs even more complicated.

Sign in to participate in the conversation
niu.moe

Welcome to your niu world ! We are a cute and loving international community O(≧▽≦)O !