Why are the first 1024 ports restricted to the root user only?

This is more idle curiosity than anything else. A friend of mine asked me ‘which port range is it that only root can use under Linux?’ I told him 0-1024 were restricted. Then he asked me why it was so and… I was at a loss. No idea whatsoever.

Is there a reason why these ports are restricted and 1025-65535 are not?

Most major network services (HTTP, FTP, SSH, Telnet, HTTPS, POP, SMTP, etc) are in this range so possible answers I thought of:

  • An untrusted user could run a program that listened on these ports for logon details.
  • An untrusted user could run an unauthorized server application.

Can anyone shed light here?

Answers:


Method 1

Suppose you’re exchanging data with a computer on a port <1024, and you know that computer is running some variant of unix. Then you know that the service running on that port is approved by the system administrator: it’s running as root, or at least had to be started as root.

On the wide, wild world of the Internet, this doesn’t matter. Most servers are administered by the same people as the services running on them; you wouldn’t trust the roots more than the other users.

With multiuser machines, especially on a local network, this can matter. For example, in the days before civilian cryptography, a popular method of running shell commands on another machine was rsh (remote shell); you could use password authentication, or you could authenticate just by proving you were user X on machine A (with machine B knowing that X@A could log in as X@B with no password). How to prove that? The rsh client is setuid root, and uses a port number <1024, so the server knows that the client it’s talking to is trustworthy and won’t lie as to which user on A is invoking it. Similarly NFS was designed to be transparent with respect to users and permissions, so a common configuration was that on a local network every machine used the same user database, and user N at A mounting filesystems from server B would get the permissions of user N at B. Again, the fact that the NFS client is coming from a port number <1024 proves that root at A has vetted the NFS client, which is supposed to make sure that if it transmits a request purporting to be from user N then that request really is from user N.

Unauthorized users not being able to run servers on low ports is another benefit, but not the main one. Back in the day, spoofing was quite the novelty and users running spoof servers would be quickly quashed by vigilant administrators anyway.
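The two halves of the answer above, the bind restriction itself and the rsh/NFS-style "trust the low source port" inference built on it, can be seen in a few lines of code. The following is an added example, not part of the question or the answer and not code from any of the projects mentioned. It assumes a Linux host with a loopback interface (127.0.0.1); the sysctl path `/proc/sys/net/ipv4/ip_unprivileged_port_start` is the real Linux tunable (kernel 4.11 and later) that moves the boundary, and the host names and user names in the identity-check demo are constructed.

```python
"""Privileged ("well-known") port demo: who may bind below 1024, and what a
server on the other end can and cannot infer from the peer's source port."""
import errno
import os
import socket

# Classic Unix rule: ports 0-1023 may only be bound by root. On Linux the
# boundary is tunable via the sysctl below (kernel 4.11+), and the capability
# CAP_NET_BIND_SERVICE grants the right without full root.
DEFAULT_LIMIT = 1024
SYSCTL_PATH = "/proc/sys/net/ipv4/ip_unprivileged_port_start"


def privileged_port_limit():
    """First port an unprivileged process may bind on this host.
    Falls back to the classic 1024 if the sysctl is absent (non-Linux, old kernel)."""
    try:
        with open(SYSCTL_PATH) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return DEFAULT_LIMIT


def is_privileged_port(port, limit=DEFAULT_LIMIT):
    """True if binding `port` needs root (or CAP_NET_BIND_SERVICE) under `limit`."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range: %r" % port)
    return port < limit


def try_bind(port, host="127.0.0.1"):
    """Attempt a TCP bind and report the outcome as a short string instead of raising:
    'bound' / 'permission-denied' / 'in-use' / 'error:<ERRNO_NAME>'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((host, port))
        return "bound"
    except PermissionError:          # EACCES: the privileged-port rule in action
        return "permission-denied"
    except OSError as e:
        if e.errno == errno.EADDRINUSE:
            return "in-use"
        return "error:%s" % errno.errorcode.get(e.errno, e.errno)
    finally:
        s.close()


def rsh_style_identity_check(peer_host, peer_port, claimed_user, trusted_hosts,
                             limit=DEFAULT_LIMIT):
    """The trust model the answer describes (rsh/NFS era): accept the peer's claim
    "I am user X" only if the peer host is on our trusted list AND the connection
    comes from a privileged source port, which on a properly administered Unix
    host means root there vouched for the client program. Returns (accepted, reason).
    The check is only as good as the trusted-hosts list: anyone who is root on a
    box they control can open a low port, which is why it is worthless on the Internet."""
    if peer_host not in trusted_hosts:
        return False, "host %s is not trusted" % peer_host
    if not is_privileged_port(peer_port, limit):
        return False, ("source port %d is unprivileged: any user on %s could have "
                       "opened it, so the claim '%s' is unverified"
                       % (peer_port, peer_host, claimed_user))
    return True, "root on %s vouches for the client claiming '%s'" % (peer_host, claimed_user)


if __name__ == "__main__":
    limit = privileged_port_limit()
    print("privileged ports on this host: 0-%d (euid=%d)" % (limit - 1, os.geteuid()))
    for p in (22, 80, 443, 8080, 0):   # port 0 asks the kernel for an ephemeral port
        print("bind %5d -> %s" % (p, try_bind(p)))
    # Constructed peers: the same trusted host, once from a low and once from a high port.
    for port in (1022, 40000):
        print(rsh_style_identity_check("A.example", port, "alice", {"A.example"}, limit))
```

Run as an ordinary user, the bind loop shows `permission-denied` for 22, 80 and 443 and `bound` for 8080 and 0; run as root (or with `CAP_NET_BIND_SERVICE`) the low ports bind too unless something is already listening on them. The identity check accepts the claim from port 1022 and rejects the same claim from port 40000, which is exactly the distinction rsh and the NFS mount daemon relied on.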


All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0
