How to bind to a privileged port from a non-root process, on a Synology NAS
I want to run a custom DNS server (NxFilter to be precise) on a Synology DS115j NAS, which of course binds on port 53. This works when running as root, but I want to lock down the process now.
This NAS runs a busybox flavor of Linux (using DSM5 in Synology parlance). I have installed Java with the Java Manager Package. Now, I am looking for a way to run the java process under a non-root account, while still allowing it to bind to the privileged port 53.
I have looked into this great answer: https://superuser.com/questions/710253/allow-non-root-process-to-bind-to-port-80-and-443 but this does not work on my Synology box. I have neither setcap nor authbind available.
So the question is: How to specifically allow a process/binary to bind to a privileged port on a busybox linux?
root busybox bind nas synology
edited Dec 7 at 23:34
Rui F Ribeiro
asked Jan 1 '17 at 12:29
hitchhiker
1 Answer
Do you have access to iptables? I vaguely remember that the Synology NAS boxes do. If so, you can put a redirect in with this:
    iptables -I INPUT 1 -p tcp --dport 53 -j ACCEPT
    iptables -I INPUT 1 -p tcp --dport 7000 -j ACCEPT
    iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 53 -j REDIRECT --to-port 7000
Line 1 adds an opening to port 53.
Line 2 adds an opening to port 7000, which is what you should set your Java app to use.
Line 3 adds a redirect so that any traffic inbound on port 53 gets directed to port 7000.
Hope that helps
edited Jul 4 '17 at 10:58
Romeo Ninov
answered Jul 4 '17 at 10:09
David
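Added example, not part of the answer above or of NxFilter: the same redirect extended to UDP, which carries most DNS queries, and to queries the NAS sends to itself, which never traverse PREROUTING. It assumes the answer's eth0 and port 7000, and an iptables build that has the nat table, the REDIRECT target and the -C check option; `redirect_rules` and `apply_rules` are names chosen for this sketch.

```shell
#!/bin/sh
# Added example (not from the original answer). Run as root with the
# argument "apply"; with no argument it only defines the functions.

# Print one rule per line as "-t TABLE CHAIN MATCH...", for both protocols
# DNS uses. Arguments: interface, privileged port, unprivileged port.
redirect_rules() {
    iface=$1 priv=$2 unpriv=$3
    for proto in udp tcp; do
        # After REDIRECT the filter table sees the rewritten port,
        # so only the unprivileged port has to be accepted on INPUT.
        echo "-t filter INPUT -p $proto --dport $unpriv -j ACCEPT"
        # Queries arriving from the LAN.
        echo "-t nat PREROUTING -i $iface -p $proto --dport $priv -j REDIRECT --to-port $unpriv"
        # Queries from the NAS to itself. "-o lo" keeps the resolver's own
        # upstream lookups (also dport 53) from being looped back to it.
        echo "-t nat OUTPUT -o lo -p $proto --dport $priv -j REDIRECT --to-port $unpriv"
    done
}

# Insert each rule unless it is already present, so reruns do not
# stack duplicates. $rest is left unquoted on purpose to split into words.
apply_rules() {
    redirect_rules "$@" | while read -r _t table chain rest; do
        iptables -t "$table" -C "$chain" $rest 2>/dev/null ||
            iptables -t "$table" -I "$chain" $rest
    done
}

# Port 7000 is unprivileged: any local account can bind it while the DNS
# service is down, so start the service at boot and watch who holds the port.
if [ "${1:-}" = "apply" ]; then
    apply_rules eth0 53 7000
fi
```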