Written by Daniel O'Sullivan | 11/13/2023

Privileged ports for normal users via authbind

Authbind is a utility that allows non-root users to bind to ports numbered less than 1024. Traditionally, on Unix-like systems, these lower-numbered ports are reserved for the root user, which can be a security risk because services that require these ports must either run as root or be granted specific permissions. This is where Authbind comes into play, providing a secure alternative.


When installed on a Linux system, Authbind allows system administrators to assign the capability to bind to these privileged ports to specific users. This is achieved through a simple configuration, where the admin creates files within /etc/authbind/byport/ that correspond to the port numbers the non-root user needs access to. The ownership and permissions of these files determine which users or groups are allowed to bind to the port.

The typical usage of Authbind involves prefixing the command that starts the service with authbind. For example, if a user wants to start a web server that listens on port 80, they would use a command like authbind --deep .

Authbind is particularly useful in environments such as root servers, virtual machines (VMs), or virtual private servers (VPS), where you might run multiple services that require privileged ports but want to minimize the number of processes running as the root user for security reasons. By leveraging Authbind, administrators can ensure that services only have the minimum necessary privileges, reducing the risk of privilege escalation attacks if a service is compromised.

Installation

Let's use this in a little example. Suppose we want to start a web server on ports 80 and 443 as a normal user.

First, install authbind.

On Debian, for example:

apt-get install authbind


Configuration

Then, as the root user, tell authbind to allow the unprivileged user joe to run a program that uses ports 80 and 443:

touch /etc/authbind/byport/80
touch /etc/authbind/byport/443
chown joe /etc/authbind/byport/80
chown joe /etc/authbind/byport/443
chmod 755 /etc/authbind/byport/80
chmod 755 /etc/authbind/byport/443


Using authbind with your application

Whenever you want the user joe to run a program that binds to port 80 or 443, you prefix the command with authbind. For example, if you are running a Node.js app:

authbind --deep node server.js

Here, --deep allows programs launched by your program (like child processes) to also bind to the privileged port.
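The three steps above (create the byport file, hand it to the user, run the service with the authbind prefix) collected into one script. This is an added example, not part of the original post or of the authbind project; it assumes authbind's documented rule that a bind is granted when /etc/authbind/byport/PORT exists and is executable by the calling user, and it reads the configuration root from an AUTHBIND_DIR variable (defaulting to /etc/authbind) so the functions can be exercised against a scratch directory without root. It also flags a detail the chmod 755 in the tutorial glosses over: with the execute bit set for "others", every local account, not only joe, can bind that port through authbind, so the script uses mode 0500 and offers a check for world-executable files.

```sh
#!/bin/sh
# Added example: configure and check authbind permissions for a service user.
# Assumption: authbind grants a bind when byport/PORT exists and is executable
# by the calling user. AUTHBIND_DIR is an assumed override for testing.
AUTHBIND_DIR="${AUTHBIND_DIR:-/etc/authbind}"

# allow_port USER PORT: create byport/PORT owned by USER with mode 0500, so only
# that user (and root) passes the execute check. Mode 0755, as used in many
# tutorials, would let every local account bind the port.
allow_port() {
  user="$1" port="$2"
  case "$port" in
    ''|*[!0-9]*) echo "port must be numeric: '$port'" >&2; return 1 ;;
  esac
  if [ "$port" -lt 1 ] || [ "$port" -ge 1024 ]; then
    echo "port $port is not privileged; authbind is not needed" >&2
    return 1
  fi
  mkdir -p "$AUTHBIND_DIR/byport" || return 1
  f="$AUTHBIND_DIR/byport/$port"
  : > "$f" || return 1            # create (or truncate) the permission file
  chown "$user" "$f" || return 1  # needs root unless USER is the caller
  chmod 0500 "$f"
}

# revoke_port PORT: remove the permission file again.
revoke_port() {
  rm -f "$AUTHBIND_DIR/byport/$1"
}

# can_bind PORT: would the calling user pass authbind's execute check?
can_bind() {
  [ -x "$AUTHBIND_DIR/byport/$1" ]
}

# world_bindable PORT: true when the file is executable by "others", i.e. any
# local user could bind the port. Uses the 10th character of the ls -l mode
# string (others-execute) because stat(1) flags differ between platforms.
world_bindable() {
  f="$AUTHBIND_DIR/byport/$1"
  [ -e "$f" ] || return 1
  [ "$(ls -ld "$f" | cut -c10)" = "x" ]
}

# run_with_authbind CMD...: the usage step, e.g. run_with_authbind node server.js.
# Refuses to run as root, since the whole point is to avoid that.
run_with_authbind() {
  if [ "$(id -u)" -eq 0 ]; then
    echo "run this as the unprivileged service user, not as root" >&2
    return 1
  fi
  command -v authbind >/dev/null 2>&1 || { echo "authbind is not installed" >&2; return 127; }
  authbind --deep "$@"
}

# Usage as root: sh authbind-setup.sh joe 80 443
if [ $# -ge 2 ]; then
  svc_user="$1"; shift
  for p in "$@"; do
    allow_port "$svc_user" "$p" && echo "port $p: bindable by $svc_user only"
  done
fi
```

After running the setup part as root, joe starts the service with run_with_authbind node server.js (or simply authbind --deep node server.js, as in the post); world_bindable 80 is a quick audit you can run on an existing installation to see whether a byport file has been left world-executable.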


This is a nice method to run programs on low ports without letting that software run as root. Nowadays, established web servers such as Apache or nginx drop their root privileges after startup anyway. But you may be able to use this technique for a new kind of server that you do NOT want to run as root, because you do not trust it much and you do not want to create attack surface for the whole system.