Tags: linux, security, debian, bind9

How can "named" service listen on port 53 without being privileged?


I launched the named service with an unprivileged account on my Debian with:

useradd named
chown -R named:named /etc/bind/
named -u named

which is supported and it works. But I started to wonder: how can the normal user "named" listen on port 53 without being root?

What I checked already on my debian:

  • no changes in kernel parameters (net.ipv4.ip_unprivileged_port_start = 1024)
  • no suid root on named binary (-rwxr-xr-x 1 root root 546K 09-21 19:33 /usr/sbin/named)
  • no redirects in IPTABLES (iptables -L -v -n EMPTY)
  • no capabilities on named binary (getcap /usr/sbin/named EMPTY)

Please let me know how this works, as I can't listen on a privileged port from a normal account on my Debian.


Solution

  • With setcap, it's possible to add capabilities like CAP_NET_BIND to be able to bind on port 53 as user.

    That's what is used in bind9 aka named:

    git clone https://github.com/isc-projects/bind9.git
    cd bind9
    ack CAP_NET
    

    gives:

    bin/named/os.c
    152:    SET_CAP(CAP_NET_BIND_SERVICE);
    213:    SET_CAP(CAP_NET_BIND_SERVICE);
    

    from man 7 capabilities:

    CAP_NET_BIND_SERVICE
    Bind a socket to Internet domain privileged ports (port numbers less than 1024).


    Linux kernel capabilities are a feature of the operating system that allow the traditional superuser (root) privileges to be broken down into smaller, more manageable units, which can be assigned individually to processes. Instead of granting a process all the privileges by giving it the UID (User ID) 0 (root), you can assign only the specific capabilities it needs to operate properly. This reduces the security risk associated with running processes with full superuser privileges.

    How Capabilities Work

    The Linux kernel divides privileges into a set of distinct capabilities, each controlling a specific aspect of the system. For example, the capability CAP_NET_BIND_SERVICE allows a process to bind to a network port numbered below 1024, and CAP_DAC_OVERRIDE allows overriding discretionary access controls like file permissions.

    Assigning Capabilities

    Capabilities can be assigned in several ways:

    • At runtime: When a program is executed, it can be granted specific capabilities through mechanisms like setcap or by an init system that supports capability assignments.
    • On executable files: Using setcap, you can assign capabilities directly to an executable file. When the file is executed, the process inherits the assigned capabilities.

    Managing Capabilities

    • Ambient Capabilities: Introduced in recent kernel versions, they allow preserving capabilities across execve system calls, making it easier to use capabilities in environments where binaries need to maintain their privileges after being launched by non-privileged users.
    • Bounding Set: This is the set of capabilities that a process can use. It limits the capabilities that a process can acquire, even if the process changes executables.
    • Inheritable, Effective, and Permitted Sets: A process has three sets of capabilities (inheritable, effective, and permitted) that determine how capabilities are inherited when new processes are executed and which capabilities are actually usable.

    Benefits of Using Capabilities

    • Enhanced Security: By limiting the privileges of processes to only what is necessary, the potential attack surface is reduced.
    • Flexibility: System administrators can fine-tune access rights without granting full root access.
    • Reduced Risk: Even if a process with specific capabilities is compromised, the potential impact is less compared to a process running with full root privileges.

    Capabilities thus provide a more granular and secure method of privilege management on modern Linux systems, allowing for better control and limitation of process rights.
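The SET_CAP calls the answer points to in bin/named/os.c act on the running process (named is started as root, drops to the -u user and keeps CAP_NET_BIND_SERVICE in its own permitted and effective sets), so the capability is visible in /proc/<pid>/status of the running daemon rather than in the file xattrs that getcap reads. The script below is an added example, not code from the question, the answer, or the bind9 project: it decodes the five capability sets (inheritable, permitted, effective, bounding, ambient) the kernel prints in /proc/<pid>/status and reports whether CAP_NET_BIND_SERVICE (capability number 10) is in each. The two status dumps it runs on are constructed samples; the function names are this example's own.

```shell
#!/bin/sh
# Added example: decode the capability sets reported in /proc/<pid>/status
# and check each of them for CAP_NET_BIND_SERVICE.

CAP_NET_BIND_SERVICE=10   # capability number, as in <linux/capability.h>

# has_cap MASK CAPNUM: succeed if bit CAPNUM is set in MASK, the 16-hex-digit
# value the kernel prints for CapInh/CapPrm/CapEff/CapBnd/CapAmb.
has_cap() {
    [ $(( 0x$1 >> $2 & 1 )) -eq 1 ]
}

# cap_set_from_status STATUS_TEXT SETNAME: print the hex mask of one set
# (e.g. "CapEff") from a /proc/<pid>/status dump passed as text.
cap_set_from_status() {
    printf '%s\n' "$1" | awk -v key="$2:" '$1 == key { print $2; exit }'
}

# report_net_bind STATUS_TEXT: print one line such as
#   Inh=no Prm=yes Eff=yes Bnd=yes Amb=no
# stating whether CAP_NET_BIND_SERVICE is present in each set.
report_net_bind() {
    out=""
    for s in Inh Prm Eff Bnd Amb; do
        mask=$(cap_set_from_status "$1" "Cap$s")
        if [ -n "$mask" ] && has_cap "$mask" "$CAP_NET_BIND_SERVICE"; then
            out="$out $s=yes"
        else
            out="$out $s=no"
        fi
    done
    printf '%s\n' "${out# }"
}

# Constructed sample: a named that switched to an unprivileged uid but kept
# only CAP_NET_BIND_SERVICE (bit 10 = 0x400) permitted and effective.
SAMPLE_NAMED='Name:   named
Uid:    105     105     105     105
CapInh: 0000000000000000
CapPrm: 0000000000000400
CapEff: 0000000000000400
CapBnd: 000001ffffffffff
CapAmb: 0000000000000000'

# Constructed sample: an ordinary unprivileged process; bind(2) to port 53
# from here fails with EACCES because the effective set is empty.
SAMPLE_PLAIN='Name:   nc
Uid:    1000    1000    1000    1000
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 000001ffffffffff
CapAmb: 0000000000000000'

# Live use against the running daemon (Debian ships pidof in sysvinit-utils):
#   report_net_bind "$(cat /proc/$(pidof named)/status)"
report_net_bind "$SAMPLE_NAMED"   # Inh=no Prm=yes Eff=yes Bnd=yes Amb=no
report_net_bind "$SAMPLE_PLAIN"   # Inh=no Prm=no Eff=no Bnd=yes Amb=no
```

Reading the effective set of the live process is the check that settles the question in the post: getcap on /usr/sbin/named is empty because nothing was stored in the file, yet CapEff of the running named shows bit 10 set, which is exactly what bind(2) on port 53 requires.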