Run NSO as Non-Privileged User

Run NSO as non-root user.

A common misfeature found on UNIX operating systems is the restriction that only root can bind to ports below 1024. Many a dollar has been wasted on workarounds and often the results are security holes.

Both FreeBSD and Solaris have elegant configuration options to turn this feature off. On FreeBSD:

# sysctl net.inet.ip.portrange.reservedhigh=0

The above is best added to your /etc/sysctl.conf.

Similarly, on Solaris, we can just configure this. Assuming we want to run NSO under a non-root user ncs. On Solaris, we can do that easily by granting the specific right to bind privileged ports below 1024 (and only that) to the ncs user using:

# /usr/sbin/usermod -K defaultpriv=basic,net_privaddr ncs

And check that we get what we want through:

# grep ncs /etc/user_attr
ncs::::type=normal;defaultpriv=basic,net_privaddr

Linux doesn't have anything like the above. There are a couple of options on Linux. The best is to use an auxiliary program like authbind (http://packages.debian.org/stable/authbind) or privbind (http://sourceforge.net/projects/privbind/).

These programs are run by root. To start NCS under e.g., privbind, we can do:

# privbind -u ncs /opt/ncs/current/bin/ncs -c /etc/ncs.conf

The above command starts NSO as the user ncs and binds to ports below 1024.

PreviousSecurity Issues NextIPv6 on Northbound Interfaces

Last updated 1 year ago

Was this helpful?