Security :: SELinux Allow Non Root User Bind To Port <1024?
Oct 24, 2010
My understanding is SELinux adds type enforcement to standard Linux. This means that both the standard Linux and enhanced SELinux access controls must be satisfied to access an object. Which means that thing that is prevented to do in the normal standard Linux will be also prevented in the SELinux System? Does SELinux make it possible to run a non-root software to bind to a port < 1024? something that standard Linux won't allow? If not, what other suggestions do you have for allowing a program to run as non-root but able to bind to privileged ports? I know all about using the port re-direction such as ipchains, iptables.
View 4 Replies
ADVERTISEMENT
Aug 2, 2011
Have a program, erlang, that needs to bind to a port lower than 1024, as a non-root user. How do you allow that on a system?
View 1 Replies
View Related
May 9, 2010
I am encountering a wierd problem in FC12. When I try to lunch a program that listens to a lower port such as 80 or any one that is less than 1024, I always get "Permission denied" error message (I am running it as root!).Then I try starting httpd service daemon that listens to 80, no errors, the daemon started and listend to 80.PS: I checked selinux, it has been disabled.Do you have any knowledge on this case? BTW, the kernel version is:2.6.31.5-127.fc12.i686.PAE #1 SMP Sat Nov 7 21:25:57 EST 2009 i686 i686 i386 GNU/Linux
View 5 Replies
View Related
Feb 1, 2011
I'm simply trying to make a little restriction on www packets under two rules:
1. Allow inbound/outbound www packets (works!)
2. DROP inbound traffic to port 80 from source ports less than 1024. (DOES NOT WORK!)
Now, technically, when i use hping to test my rules, hping3 192.168.100.100 -S -p80 -s 1023 I should NOT receive any packets. However, i still receive packets, which means my rule that says less than 1024 does not work. (see below)
And this is my iptables rules in shell-script so far:
#!/bin/sh
DEFAULT_NIC=eth0
SERVER_IP="192.168.100.100"
ALLOWED_WWW_PORT=80
IPT="/sbin/iptables"
[Code].....
View 1 Replies
View Related
Apr 27, 2011
I'll explain this in one sentence: Is it possible to program a port-binding shellcode in which people across the Internet can connect to, without being thwarted by the router blocking their data because the port its bound to doesn't allow port-forwarding
View 2 Replies
View Related
Nov 7, 2010
I want to run a soft that is daemonized, and listens on port 6789. This soft is launched through a php page, so, by the apache user. The probl�me is that the apache user does not has rights to open / listen on a port. I tried to add apache user to the root group, but it won't help. In the application log, I have this every second :
[code]...
I tried to add apache user in the sudoers with a nopasswd but it's still a no go.
View 4 Replies
View Related
Jun 4, 2009
Currently working on the targeted policy, I need a help in doing the following things as quick as possible:
1- How to create a totally new SELinux user (not mapping new linux user to SELinux user) I want a new user with no roles or with a maximum of 1 role. I also need how to compile the new user so I can used it for mapping users. At the time, I've tried creating a new file inside /etc/selinux/targeted/contexts/users similar to the other users inside this directory, but it did not actually seem to appear when using the command semanage to list SELinux users : semanage user -l
2- How to create a totally new SELinux role (empty for now) ? and how to make the relation between this new role and domains or types.
3- How to create new domain, actually following some old instructions I created the .fc and .te files, but not the .if file, which is more complicated than the other 2 file.
View 10 Replies
View Related
Jun 24, 2010
I'm using FC8 and have installed a mailserver(postfix+dovecot),when I trying to enable the selinux mode to enforcing and i'm have some issue, the user authentication failed.if turn the selinux mode to permissive, then it work right.How can i to fix this problem?
View 14 Replies
View Related
Apr 11, 2011
When I confine a user myuser to the type user_u (or staff_u) with the SELinux instruction semanage login -d -s user_u myuser, this user cannot execute OpenOffice.
The error is :type=SYSCALL msg=audit(1302501686.474:8504): arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=11bc60 a2=5 a3=802 items=0 ppid=12819 pid=12832 auid=4294967295 uid=505 gid=504 euid=505 suid=505 fsuid=505 egid=504 sgid=504 fsgid=504 tty=pts2 ses=4294967295 comm="soffice.bin" exe="/opt/openoffice.org3/program/soffice.bin"
[code]....
I suppose the problem occurs because I installed the rpm from the OpenOffice repository, not the standard OpenOffice included in FC13. However I prefer to use the rpm version, because of some bugs in the FC13 OpenOffice version. How can I create a policy to allow the execution of libicuuc and other OpenOffice libraries by my confined user ?
View 2 Replies
View Related
Jul 27, 2011
I configured DNS in my server while That time SELINUX enabled means It show permission denied error and some errors, but i checked all the directory permissions and all its every thing correct only but not worked..At last I just disabled the SELINUX then its working fine.I Heard SELINUX is for security for Linux operating systems, but why i disabled means only its working??
View 3 Replies
View Related
Apr 22, 2011
Having trouble adding a regular user with ssh access on Hardy 8.04. I can ssh into root, but not into the newly created regular user with the same ~/.ssh/authorized_keys
Code:
sshd_config has:
AllowGroups sshlogin
AllowUsers user root
[code]....
what could be preventing ssh login to ~user? And yes I would like to disable root ssh access, but it would be nice to be able to ssh into user first
View 4 Replies
View Related
Jun 5, 2010
How do I add root permissions to my user account?
I want full permissions for all computers in my house, without having to get up and go to the other room and change permissions for the file, folder, drive, directory, computer, etc., then go back to the other room again.
I just created a partition, as THIS user, THIS machine, rebooted, and cannot create a folder on the partition I just created. UGH. No more of this stuff... I guess at the very least, I'll still have to log onto each machine for this?
View 12 Replies
View Related
Aug 15, 2010
I am trying to run su as a non privileged user to log in as root. However, this only works when I make /etc/shadow world readable. I have /lib/security/unix_chkpwd as a setuid root executable
I use the following pam-file for su:
Code:
# Begin /etc/pam.d/su
auth sufficient pam_rootok.so
auth required pam_unix.so
account required pam_unix.so
session optional pam_mail.so
[Code]...
View 1 Replies
View Related
Sep 8, 2009
I have a problem, I have installed Fedora 11. And i need to login as root user.
How to do so?
View 14 Replies
View Related
Nov 2, 2009
Can the audit daemon (auditd) be run by a non-root user? I'd like to create a special user who only run the audit daemon. Is that possible?
View 1 Replies
View Related
Jun 10, 2009
Senario is we have a system where root has authorised keys set up so that it can do a passwordless ssh to $WORKSTATION. I then need to run a script on $WORKSTATION as user "bob" and NOT as user "root". I do not want to set up user "bob" to be allowed passwordless ssh so any ideas how I can do this?I have tried variations of (as user "root"):ssh $WORKSTATION "su - bob; ./my_script"
View 5 Replies
View Related
Feb 19, 2010
Stumped on this one. I'm trying to set up limited sudo authority on a desktop with some sensitive user data, and as an extra precaution I wanted to configure sudo to use a password other than the user's or the root's. I'm not sure how to do this. From the manual, we have a few options, such as "runaspw" or "targetpw", but none seem quite what I'm looking for.For instance, "runaspw" could be used if I created a user for nothing other than sudo(ing) purposes, but it requires you set "runas_default", which means that said user would have to have authority to execute said commands in the first place. This is workable, but seems like a lot of extra configuration for each specific command that I want to run, as well as creating some issues with simply commands such as "shutdown" or "reboot". Also, "targetpw" can be used in conjunction with a sudo(ing)-only user if I set an alias, but, again, this isn't quite what I am looking for.
Ultimately, what I am really concerned about in this situation are keystroke loggers, so I would prefer to avoid repeated entering the user or root password when performing administrative tasks. Also, I would prefer not having to create a sudo(ing)-only user as mentioned above to prevent a comprimised password resulting in an attacker being able to log into my system.
View 3 Replies
View Related
Jan 12, 2009
It seem like unix abit annoying every time you log in you need to password can I disable it
View 10 Replies
View Related
Jan 30, 2010
Any Linux machine (except PCLOS) that I log into as root user seems to not start networking. I haven't tried sudo /etc/init.d/networking restart , to see if it does start, because anytime I DO this, it's for 'local' work. How about default root user configuration settings???
View 2 Replies
View Related
Jun 20, 2011
i want to know the risk with auto mounting flash drive as a root user,if for example there is a Usb Flash drive inserted into the system and we login into root unknowingly, and this flash drive contains an autorun script which calls a new script that can place viruses in your system, since you are in the root it will not even prompt for password and if the script is fast enough you will not even see it executing.
View 7 Replies
View Related
Apr 13, 2011
this is the allert i got:Code:Summary:Your system may be seriously compromised! /usr/sbin/NetworkManager tried to loada kernel module.Detailed Description:SELinux has prevented NetworkManager from loading a kernel module. All confinedprograms that need to load kernel modules should have already had policy writtenfor them. If a compromised application tries to modify the kernel this AVC willbe generated. This is a serious issue.Your system may very well be compromised.Allowing Access:Contact your security administrator and report this issue.Additional Information:
Source Context system_u:system_r:NetworkManager_t:s0
Target Context system_u:system_r:NetworkManager_t:s0
Target Objects None [ capability ]
[code]....
View 5 Replies
View Related
Nov 26, 2009
I get the problem to acess root password when i am in user login, means wahen i am in user login and want to install software from terminal then he asked root password, when i supplied root password but he give me login incorrect.
View 2 Replies
View Related
Mar 3, 2010
I'm using Gnome and I'd like to still have the ability to reboot/shutdown from one particular account as well as root. How would I modify the chmod command to add this ability?Also, I have a few users who just will hold the power button in to shutdown the machine. How can I keep them from doing this?// Pruned from the vintage 2007 Prevent a non-root user from shutting down, rebooting or suspend the system thread. Please create new threads instead of resurrecting ancient ones.
View 2 Replies
View Related
Aug 10, 2010
I have a problem with sshd daemon on a target linux system:The system has only one user (root) without password.The sshd_config looks like:
Code:
Port 22
Protocol 2
[code]...
View 8 Replies
View Related
Dec 18, 2010
I have tried to not allow root access and have created a wheel user.
Now I can not logged in as root.
Its okay but when am logging as wheel user and trying to access root then it says:
Code:
View 14 Replies
View Related
May 24, 2011
In our group we use NIS and have a group set up called netadmin which is given root privileges on each machine. Each machine also has a localuser called localuser created and used during installation. When logged in as a member of netadmin, attempting any action that requires root privileges (e.g. installing software in Ubuntu Software Center) results in a prompt asking for localuser's password, not the current user's password.
Does anyone know the cause? Configuration issue or Ubuntu issue? We can get around it.
View 2 Replies
View Related
Jul 14, 2009
When I go to single user mode for resetting root password, It ask root pawssword for login.The message displayed on prompt is "Give root password for login.On the boot prompt, I select kernel and press 'e' and after one space type 1 for single User mode and then press 'b' for booting.It shows message entering in single user mode but ask root password. Even I tried into rescue mode, but I couldn't ser root password.In rescue mode on prompt, It shows rescue login: I typed root, But when typed 'passwd' foe resetting root pawssword,It shows message unknown user and not authetication.
View 1 Replies
View Related
Jul 13, 2010
I am learning SELinux from LinuxCBT and I'm stuck at one place. Now video is on RHEL 4 (so tell me if things has changed since, cause I can't find anything related) shows how to disable SELinux security on httpd.first I don't know diff between initrc_t and uncofined_t; and second I don't know if something is wrong is everything is all right.
View 1 Replies
View Related
Oct 28, 2009
Is It possible to change a process running in root-user to non-root-user by setting suid / uid / euid / gid etc... I so please instruct how, when and wat to set in order to change a process running in root-user to non-root user
View 4 Replies
View Related
Jan 31, 2016
Is is possible, via iptables or something similar, to bind a service running on a specific port to a specific interface? My case: I use a VPN service for privacy. I would like to have all traffic except ftp and ssh to run over tun0. Ports 21 and 22 will need to be accessible to the outside world (eth0) while the VPN is running.
View 3 Replies
View Related
