Bind port under 1024

Hi, there

I tried to set up Jenkins on port 80 but failed. Through some searching, it turns out that there is a policy that only root can bind to ports under 1024. Is this true?

And a link shows that this limitation can be turned off by adding
Code:
net.inet.ip.portrange.reservedhigh=0
to /etc/sysctl.conf.

I assume this means giving every user the ability to bind to any port. I wonder if there is something in the middle, like only allowing users from a list of groups to bind?
 
I tried to set up Jenkins on port 80 but failed. Through some searching, it turns out that there is a policy that only root can bind to ports under 1024. Is this true?

Yes.

And a link shows that this limitation can be turned off by adding
Code:
net.inet.ip.portrange.reservedhigh=0
to /etc/sysctl.conf.

Don't. Do not.

I assume this means giving every user the ability to bind to any port. I wonder if there is something in the middle, like only allowing users from a list of groups to bind?

Use something like security/sudo.
 
Thanks for the clear answer!

For sudo, what's the conventional way to do this? I suppose it's not wise to give user jenkins all power, like

Code:
jenkins ALL=(ALL) NOPASSWD: ALL

Then which script/command should I give the privilege to? Something like

/usr/local/etc/rc.d/jenkins
 
Emm. I still cannot figure out how this works...

At boot, root runs /usr/local/etc/rc.d/jenkins, and in it, it runs the real binary as user jenkins via su. Then what privilege should I give it? The line
Code:
jenkins ALL=(ALL) NOPASSWD: ALL
seems meaningless.

I checked Apache and realized Apache knows this effective/real user id stuff. Root runs Apache as root and later on Apache changes its real user to www. I guess it's the standard way for *nix daemons, but probably Jenkins doesn't have this knowledge. This seems to lead to the solution of putting Jenkins behind Apache and letting Apache handle port 80 and forward to port 8180, which Jenkins listens on. Is this what people usually do?
 
Don't use sudo(8) for this. Restricting binding to ports < 1024 is standard UNIX networking. Most daemons start with root privileges and then either drop privileges or spawn unprivileged worker processes. Your options are either to use a firewall as tobik mentioned above, use Nginx or Apache as a reverse proxy to forward to Jenkins running on a high numbered port on 127.0.0.1, or use the mac_portacl(4) policy to allow just the Jenkins process to bind to port 80 as a normal user.
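As an added example (not code from the thread or from the FreeBSD project), the mac_portacl(4) route from the last reply as a small POSIX sh script: it builds the rule string for one uid and prints the matching /etc/sysctl.conf lines, so only that account can bind port 80 instead of every user. The uid 1001 is a constructed value (use `id -u jenkins` on the real host); the sysctl names are the ones documented in mac_portacl(4).

```shell
#!/bin/sh
# Added example (not from the thread): build mac_portacl(4) settings that let a
# single unprivileged uid bind one reserved port, instead of opening the whole
# range with net.inet.ip.portrange.reservedhigh=0 for everyone.
# Assumption: the jenkins uid is passed in (1001 below is a constructed value).

# portacl_rule UID PROTO PORT -> prints "uid:UID:PROTO:PORT"
# Refuses anything outside tcp/udp and 1..1023: above 1023 no rule is needed,
# and a typo here would silently grant the wrong port.
portacl_rule() {
    _uid=$1; _proto=$2; _port=$3
    case "$_proto" in tcp|udp) ;; *) echo "bad proto: $_proto" >&2; return 1 ;; esac
    case "$_port" in ''|*[!0-9]*) echo "bad port: $_port" >&2; return 1 ;; esac
    if [ "$_port" -lt 1 ] || [ "$_port" -gt 1023 ]; then
        echo "port $_port is not in the reserved range" >&2; return 1
    fi
    printf 'uid:%s:%s:%s' "$_uid" "$_proto" "$_port"
}

# portacl_sysctl_conf RULES -> prints the /etc/sysctl.conf lines
# (the module itself is loaded with mac_portacl_load="YES" in /boot/loader.conf).
portacl_sysctl_conf() {
    cat <<EOF
# mac_portacl(4) decides bind(2) on ports up to port_high for non-root users
security.mac.portacl.port_high=1023
# the kernel's own reserved-port check is independent of mac_portacl; disable
# it so the rule list below is the only authority for low ports
net.inet.ip.portrange.reservedlow=0
net.inet.ip.portrange.reservedhigh=0
# root keeps binding low ports without consulting the rule list
security.mac.portacl.suser_exempt=1
# comma-separated idtype:id:proto:port entries; nothing else is granted
security.mac.portacl.rules=$1
EOF
}

# Usage: one rule for the constructed uid 1001 on tcp/80
portacl_sysctl_conf "$(portacl_rule 1001 tcp 80)"
```

Redirect the output into /etc/sysctl.conf only after checking the uid, and note that the rule is per uid, so the unprivileged port 8180 listener in the earlier post remains untouched.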
 