user-port-hack: restrict use of ports for local users

This kernel patch restricts what ports a local user can use. The purpose is to allow a user to have a specific range of ports on which they can run daemons. Other users are not able to bind to those ports. Currently, this patch only affects IPv4 (TCP and UDP).

Each user is allocated a range of ports to which they can bind. It is possible to nominate the first few ports as being exclusively for running daemons. This means that they will not be allocated when a "random" port is requested (one that would otherwise come from the ephemeral range). The patch is controlled by an extended version of the ip_local_port_range sysctl/proc interface (/proc/sys/net/ipv4/ip_local_port_range). This is now a list of 6 values:

0  Bottom of ephemeral port range (where ports are allocated for unrestricted users)
1  Top of ephemeral port range (where ports are allocated for unrestricted users)
2  Base of restricted port range (b)
3  Number of ports per user (n)
4  Minimum restricted user ID (i)
5  Number of "listeners" (l)

A user with user ID uid can bind to ports b + (uid - i) * n through b + (uid - i + 1) * n - 1 inclusive. The first l of these, i.e. ports below b + (uid - i) * n + l, are never allocated for outgoing connections, so they stay free for that user's daemons.
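The following is an added illustration of the allocation rule above, written for this page; it is not code from the patch, and every struct and function name in it (port_policy, user_bind_range, port_owner, may_bind, ephemeral_range, alloc_ephemeral) is hypothetical. It models the six sysctl values as a struct and computes, for a given uid, the bind range, the port's owner, whether a bind() should be accepted, and which port a "random" allocation would return. Two points the page leaves open are treated as labelled assumptions: a restricted user is confined to its own range, and a uid whose range would start above port 65535 gets no ports.

```c
#include <stdbool.h>
#include <stdio.h>

#define MAX_PORT 65535

/* The six values of the extended ip_local_port_range interface, in the
 * order the page lists them. Hypothetical names; this models the page's
 * description rather than the patch's own data structures. */
struct port_policy {
    int eph_lo;    /* [0] bottom of ephemeral range for unrestricted users */
    int eph_hi;    /* [1] top of ephemeral range for unrestricted users */
    int base;      /* [2] base of restricted port range (b) */
    int per_user;  /* [3] number of ports per user (n) */
    int min_uid;   /* [4] minimum restricted user ID (i) */
    int listeners; /* [5] number of "listeners" (l) reserved for daemons */
};

static bool is_restricted(const struct port_policy *p, int uid)
{
    return uid >= p->min_uid;
}

/* Bind range of a restricted uid: b + (uid - i) * n .. b + (uid - i + 1) * n - 1.
 * Returns false for unrestricted users and (assumption: the page gives no
 * upper bound on uid) for ranges that would start above MAX_PORT. */
bool user_bind_range(const struct port_policy *p, int uid, int *lo, int *hi)
{
    if (!is_restricted(p, uid))
        return false;
    long start = (long)p->base + (long)(uid - p->min_uid) * p->per_user;
    if (start > MAX_PORT)
        return false;
    *lo = (int)start;
    *hi = (int)start + p->per_user - 1;
    if (*hi > MAX_PORT)
        *hi = MAX_PORT;
    return true;
}

/* Restricted uid that owns a port, or -1 if the port lies below b (unowned). */
int port_owner(const struct port_policy *p, int port)
{
    if (port < p->base)
        return -1;
    return p->min_uid + (port - p->base) / p->per_user;
}

/* Should a bind() by uid to port be accepted?
 * A port in the restricted region belongs to exactly one uid ("Other users
 * are not able to bind to those ports"). A restricted user is confined to
 * its own range: that is my reading of the page, marked as an assumption. */
bool may_bind(const struct port_policy *p, int uid, int port)
{
    if (port < 1 || port > MAX_PORT)
        return false;
    int owner = port_owner(p, port);
    if (owner >= 0)
        return owner == uid;
    return !is_restricted(p, uid);
}

/* Range from which a "random" (ephemeral) port is drawn for uid. Restricted
 * users skip their first l ports, which stay free for daemons. Returns false
 * when the range is empty, e.g. when l >= n. */
bool ephemeral_range(const struct port_policy *p, int uid, int *lo, int *hi)
{
    if (!is_restricted(p, uid)) {
        *lo = p->eph_lo;
        *hi = p->eph_hi > MAX_PORT ? MAX_PORT : p->eph_hi;
        return *lo <= *hi;
    }
    if (!user_bind_range(p, uid, lo, hi))
        return false;
    *lo += p->listeners;
    return *lo <= *hi;
}

/* First free, bindable port in uid's ephemeral range, or -1 if none.
 * in_use is indexed by port number; true means the port is taken. The
 * may_bind check also keeps an unrestricted user's ephemeral allocation out
 * of any restricted user's range should the two regions overlap. */
int alloc_ephemeral(const struct port_policy *p, int uid, const bool *in_use)
{
    int lo, hi;
    if (!ephemeral_range(p, uid, &lo, &hi))
        return -1;
    for (int port = lo; port <= hi; port++)
        if (!in_use[port] && may_bind(p, uid, port))
            return port;
    return -1;
}

int main(void)
{
    /* Constructed policy: ephemeral 32768-40959 for unrestricted users,
     * restricted region from 40960, 16 ports per user, uids >= 1000
     * restricted, first 4 ports of each range reserved for daemons. */
    struct port_policy p = { 32768, 40959, 40960, 16, 1000, 4 };
    static bool in_use[MAX_PORT + 1];
    int lo, hi;

    if (user_bind_range(&p, 1003, &lo, &hi))
        printf("uid 1003 may bind to %d-%d\n", lo, hi);
    in_use[41012] = in_use[41013] = true;
    printf("uid 1003 next ephemeral port: %d\n", alloc_ephemeral(&p, 1003, in_use));
    printf("uid 1004 bind to 41020: %s\n", may_bind(&p, 1004, 41020) ? "allowed" : "refused");
    return 0;
}
```

With the constructed policy, uid 1003 owns 41008-41023, its outgoing connections are drawn from 41012 upward, and a bind to 41020 by any other uid is refused. Setting the number of listeners equal to or above the ports-per-user count leaves a restricted user with no ephemeral ports at all, which the code reports as -1 rather than falling back to another user's range.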

The patch is currently available as a diff against Red Hat's 2.4.9-31 kernel.

Download: linux-2.4.9-31-user-port-hack.diff


Paul Warren  16/03/2002