
How to bind to port number less than 1024 with non root access?


Why are the first 1024 ports restricted to the root user only?

Binding is an integral step for a server-side socket. It gives the server an address at which clients can reach it, so we assign an IP address and a port number when running a server. But we cannot give a server any arbitrary port number: the port numbers from 1 to 1023 are restricted to the root user, and we cannot bind to those ports without root access.

The reason behind this restriction is that most major network services, such as HTTP, FTP, SSH, Telnet and POP, run in this range. If anyone were allowed to bind to those ports, the following circumstances could arise:

  • An untrusted user could run a program that listened on these ports for login (access) details.
  • An untrusted user could run an unauthorized server application.

The program below verifies that port numbers from 1 to 1023 are restricted to root.

We use the bind() function, which returns 0 on success and -1 on failure. We call bind() in a loop with increasing port numbers until it returns 0.




// Server side C program to demonstrate
// that we can not assign port number less
// than 1024 without root access
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

int main()
{
    int server = socket(AF_INET, SOCK_STREAM, 0);
    if (server < 0)
    {
        printf("Error in server creating\n");
        return 1;
    }
    printf("Server Created\n");

    struct sockaddr_in my_addr;
    memset(&my_addr, 0, sizeof(my_addr));
    my_addr.sin_family = AF_INET;

    // Bind on all local interfaces. To bind on a single
    // interface, use inet_addr() with an address that is
    // actually configured on this machine.
    my_addr.sin_addr.s_addr = htonl(INADDR_ANY);

    int b = -1, i = 0;
    while (b != 0 && i < 65535)
    {
        i++;

        // Assigning every port number starting
        // from one to check
        // if it is able to bind properly or not
        my_addr.sin_port = htons(i);

        // On correct binding, it returns 0
        // and so 0 in b will terminate the loop
        b = bind(server, (struct sockaddr*) &my_addr,
                                    sizeof(my_addr));
    }
    if (b != 0)
    {
        // Every port was refused or already in use
        printf("Could not bind to any port\n");
        return 1;
    }
    printf("Binded Correctly on port number %d\n", i);
    return 0;
}


Output:

Server Created
Binded Correctly on port number 1024

How to allow non root access to bind below port number 1024?

There are two methods by which we can bind to a port number less than 1024 without root privilege:

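  1. Method 1: Using CAP_NET_BIND_SERVICE to grant low-numbered port access to a process:
    For this, we just need to run the following command in a terminal. The capability is attached to the binary file, so any user who can execute that binary can bind to low-numbered ports with it: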

    sudo setcap CAP_NET_BIND_SERVICE=+eip /path/to/binary
  2. Method 2: Using authbind to grant one-time access, with finer user/group/port control. Suppose we have to bind to port number 80. The following steps are required:
    • Install authbind using any package manager
    • Run the following two commands one by one in a terminal:
      sudo touch /etc/authbind/byport/80
      sudo chmod 777 /etc/authbind/byport/80

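      Here, 80 is given at the end of each command because we are binding to port number 80. authbind permits the bind when the calling user has execute permission on this file, so mode 777 lets every local user bind to the port; for per-user control, restrict the file's owner and permissions to the account that runs the server.

    • Now execute the following command in a terminal: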
      authbind --deep /path/to/binary command line args
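
A way to check the effect of Method 1 from inside a program, as an added example that is not part of the original article: it reads the effective capability set from /proc/self/status (Linux only), tests bit 10 (CAP_NET_BIND_SERVICE), and reports the errno that bind() gives for port 80. The function names parse_cap_eff, has_net_bind and try_bind are chosen for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#include <sys/socket.h>

#define NET_BIND_BIT 10 /* CAP_NET_BIND_SERVICE in <linux/capability.h> */

/* Parse the CapEff line of /proc/<pid>/status text. Returns 0 on success. */
int parse_cap_eff(const char *status, unsigned long long *mask)
{
    const char *p = status;
    char *end;
    while ((p = strstr(p, "CapEff:")) != NULL && p != status && p[-1] != '\n')
        p += 7;                      /* match was mid-line, keep searching */
    if (p == NULL) return -1;
    *mask = strtoull(p + 7, &end, 16);   /* value is a hex bitmask */
    return end == p + 7 ? -1 : 0;
}

/* 1 if the capability bit is set in the effective mask, else 0. */
int has_net_bind(unsigned long long mask) { return (int)((mask >> NET_BIND_BIT) & 1); }

/* Bind a TCP socket to `port` on all interfaces (sin_addr stays 0, which is
   INADDR_ANY). Returns 0 on success, otherwise the errno (EACCES, EADDRINUSE). */
int try_bind(unsigned short port)
{
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_port = htons(port) };
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return errno;
    int err = bind(fd, (struct sockaddr *)&a, sizeof(a)) == 0 ? 0 : errno;
    close(fd);
    return err;
}

int main(void)
{
    char buf[4096] = "";
    unsigned long long mask = 0;
    FILE *f = fopen("/proc/self/status", "r");
    if (f != NULL) {
        buf[fread(buf, 1, sizeof(buf) - 1, f)] = '\0';
        fclose(f);
    }
    if (parse_cap_eff(buf, &mask) == 0)
        printf("CAP_NET_BIND_SERVICE effective: %s\n", has_net_bind(mask) ? "yes" : "no");
    int err = try_bind(80);
    printf("bind to port 80: %s\n", err ? strerror(err) : "ok");
    return 0;
}
```

An EACCES result ("Permission denied") means the privilege check failed, while EADDRINUSE means the port is permitted but another server already holds it.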



Last Updated : 26 Sep, 2017