非root用户运行服务在低于1024端口得解决方案

文本

I'm not sure what the other answers and comments here are referring to. This is possible rather easily. There are two options, both which allow access to low-numbered ports without having to elevate the process to root:

Option 1: Use CAP_NET_BIND_SERVICE to grant low-numbered port access to a process:

With this you can grant permanent access to a specific binary to bind to low-numbered ports via the setcap command:

sudo setcap CAP_NET_BIND_SERVICE=+eip /path/to/binarce

centOS 用下面命令：

sudo setcap cap_net_bind_service=+ep `readlink -f \`which node\``

For more details on the e/i/p part, see cap_from_text.

After doing this, /path/to/binary will be able to bind to low-numbered ports. Note that you must use setcap on the binary itself rather than a symlink.

Option 2: Use authbind to grant one-time access, with finer user/group/port control:

The authbind (man page) tool exists precisely for this.

Install authbind using your favorite package manager.

Configure it to grant access to the relevant ports, e.g. to allow 80 and 443 from all users and groups:

sudo touch /etc/authbind/byport/80
sudo touch /etc/authbind/byport/443
sudo chmod 777 /etc/authbind/byport/80
sudo chmod 777 /etc/authbind/byport/443

Now execute your command via authbind (optionally specifying --deep or other arguments, see the man page):
```
authbind --deep /path/to/binary command line args
```
E.g.
```
authbind --deep java -jar SomeServer.jar
```

There are upsides and downsides to both of the above. Option 1 grants trust to the binary but provides no control over per-port access. Option 2 grants trust to the user/group and provides control over per-port access but older versions supported only IPv4 (since I originally wrote this, newer versions with IPv6 support were released).

设置

内容目录