Root free httpd on Solaris

by Mads
September 19, 2006 at 21:21 | categories: httpd, security, solaris

As I was playing around with Sun Studio 11 and trying out different compile options on httpd, I bumped into the old problem of not being allowed to bind port 80. In usual circumstances I'd just switch to a port above 1024, but why not use Solaris privileges instead?

The usual error:
(13)Permission denied: make_sock: could not bind to address 0.0.0.0:80

Finding the missing privilege:
# ppriv -eD ./httpd -k start

httpd[12474]: missing privilege "net_privaddr" (euid = 100, syscall = 232) needed at tcp_bind+0x631

As root, add the missing privilege:
# usermod -K defaultpriv=basic,net_privaddr apache
# grep apache /etc/user_attr
apache::::type=normal;defaultpriv=basic,net_privaddr

Start httpd as the apache user and you're done.
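
The steps above as a script, added here as an example and not part of the original post: it reads the ppriv debug lines, grants only the privileges actually reported missing on top of basic, and compares that with the account's user_attr entry. The function names are hypothetical and the sample data is constructed around the lines quoted above.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed
# around the two lines quoted in the post.

# Constructed sample of `ppriv -eD ./httpd -k start` output (two failed binds).
sample_ppriv_log() {
cat <<'EOF'
httpd[12474]: missing privilege "net_privaddr" (euid = 100, syscall = 232) needed at tcp_bind+0x631
(13)Permission denied: make_sock: could not bind to address 0.0.0.0:80
httpd[12475]: missing privilege "net_privaddr" (euid = 100, syscall = 232) needed at tcp_bind+0x631
EOF
}

# Constructed sample of /etc/user_attr; "webadm" is a made-up account.
sample_user_attr() {
cat <<'EOF'
webadm::::type=normal
apache::::type=normal;defaultpriv=basic,net_privaddr
EOF
}

# Print each privilege named in a 'missing privilege "..."' line, once.
missing_privs() {
    sed -n 's/.*missing privilege "\([a-z_]*\)".*/\1/p' | sort -u
}

# Build the defaultpriv value: basic plus only the privileges reported missing.
defaultpriv_for() {
    missing_privs | awk 'BEGIN { v = "basic" } { v = v "," $0 } END { print v }'
}

# Print the defaultpriv that user_attr (on stdin) grants to user $1, if any.
# Entry layout: user:qualifier:res1:res2:key=value;key=value
current_defaultpriv() {
    awk -F: -v u="$1" '$1 == u {
        n = split($5, kv, ";")
        for (i = 1; i <= n; i++)
            if (kv[i] ~ /^defaultpriv=/) { sub(/^defaultpriv=/, "", kv[i]); print kv[i] }
    }'
}

want=$(sample_ppriv_log | defaultpriv_for)
have=$(sample_user_attr | current_defaultpriv apache)
if [ "$have" = "$want" ]; then
    echo "apache already has defaultpriv=$have"
else
    echo "as root: usermod -K defaultpriv=$want apache"
fi
```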

Of course there's a lot more to it than just handing out privileges, but you can find much more in the Roles, Rights Profiles, and Privileges section of the System Administration Guide: Security Services.