ef-gy / blog

A blog on computer science, linear algebra and awesomesauce in general
http://ef.gy/
MIT License

"Forwarding IPv4 Ports to IPv6-only Hosts" wrong information #2

Open Thermi opened 8 years ago

Thermi commented 8 years ago

In the article "forwarding-ipv4-to-ipv6", you're writing the following:

Only drawback is that we have to run socat as root because port 22 is one of those 'special' ports only root can open... ah well, can't have everything.

That's wrong. If you run socat with CAP_NET_BIND_SERVICE, you can bind to that port just fine without running it as root. That's what man 7 capabilities says about CAP_NET_BIND_SERVICE:

       CAP_NET_BIND_SERVICE
              Bind  a socket to Internet domain privileged ports (port numbers
              less than 1024).

The proper thing to do in that case would be to run that particular instance of socat as a system service as an unprivileged user, but with the CAP_NET_BIND_SERVICE capability. That could be easily done using a systemd unit file. Setting the capability on the file would be a very bad idea.
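As an added example (not from the ef.gy article and not posted by either participant in this issue), this is what the systemd unit the comment above describes could look like. It scopes CAP_NET_BIND_SERVICE to this one service instead of to the socat binary: `AmbientCapabilities=` is what lets a process that runs as a non-root `User=` keep the capability across the exec of socat, and `CapabilityBoundingSet=` makes sure it can never acquire anything beyond that. The unit name, the dedicated `socat` user, the path `/usr/bin/socat` and the IPv6 target `2001:db8::1` (a documentation-range placeholder) are all assumptions, as is the exact socat command line, which the article itself does not reproduce here.

```ini
# Added example, not code from the ef.gy article or from this issue's author.
# Assumed location: /etc/systemd/system/socat-ssh-v4-to-v6.service
# Assumptions: an unprivileged user/group "socat" exists, socat lives at
# /usr/bin/socat, and 2001:db8::1 is a placeholder for the IPv6-only host.
[Unit]
Description=Forward IPv4 port 22 to an IPv6-only host via socat
After=network-online.target
Wants=network-online.target

[Service]
User=socat
Group=socat
# The only privilege this service needs: binding a port below 1024.
# AmbientCapabilities keeps it across exec for a non-root User=,
# CapabilityBoundingSet prevents the process from ever gaining more.
# (Needs Linux >= 4.3 and systemd >= 229 for ambient capabilities.)
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=yes
# fork: one child per connection; children inherit the ambient capability.
ExecStart=/usr/bin/socat TCP4-LISTEN:22,fork,reuseaddr TCP6:[2001:db8::1]:22
Restart=on-failure
# Additional sandboxing that costs nothing for a plain TCP relay.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes

[Install]
WantedBy=multi-user.target
```

After `systemctl daemon-reload` and `systemctl start socat-ssh-v4-to-v6.service`, the check a practitioner wants is that the running process is neither root nor holding anything beyond the one capability: `grep CapEff /proc/$(systemctl show -p MainPID --value socat-ssh-v4-to-v6.service)/status` should give a mask that `capsh --decode=` resolves to only `cap_net_bind_service`. If the unit fails with a permission error on the bind, the usual cause is a systemd or kernel too old for `AmbientCapabilities=`, in which case the capability is silently not applied rather than the service refusing to start.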

EffinMaggie commented 8 years ago

Hey Thermi,

Good point, though that's entirely Linux-specific and doesn't work like that on BSDs. I'd be happy to amend it, unless you want to send a pull request :).

Thermi commented 8 years ago

I'll let you do the honors. I guess one can use capsicum to achieve the same thing on FreeBSD. I'm not aware of something similar for other BSDs.