
I have written a program in C++ which uses sockets to talk to a Windows 7 machine.

I have run the code as the root user and everything works fine. However I don't want to end up running the program as root, for security reasons.

First I made a new user to run the program as, but it wouldn't let the user start a new socket, so I added the user to the root group and tried again, but Red Hat will not let me start a new socket as anything but the root user.

I have tried this with the firewall disabled just to rule it out, and still no luck.

So, do any of you have an idea as to what permissions/groups should I change/add?


I have looked around online and found that:

/usr/sbin/setsebool -P httpd_can_network_connect=1

is suggested as a possible cure, but it doesn't seem to help me.

Andy
  • Before we go crazy over selinux, what does your audit log say about the attempt? What does your program say (you did check return values, right?) – DerfK Aug 09 '11 at 15:44

2 Answers


but Redhat will not let me start a new socket as anything but the root user.

Then you must have a very restrictive SELinux policy set up.

Are you sure it just won't let you create a listening socket using a port number of less than 1024?

edit

If the port number is not below 1024, then it's the SELinux policy. You should be seeing entries logged in /var/log/messages saying it is being denied.

To allow...

 /usr/sbin/semanage port -a -t <SEType> -p tcp 51717

Where <SEType> is the type being reported in the log, or use http_port_t to add it to the http type. See this page for an example.

symcbean

What port are you binding to?

Binding to TCP ports lower than 1024 is restricted to root.

You can drop root privilege after binding the socket in your program, or alternatively use a workaround like an iptables redirect or authbind; there's some good discussion of the many options in this question on Stack Overflow.

Shane Madden
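The "bind as root, then drop privileges" approach from the answer above, as an added C++ example that is not part of the original question or either answer. It binds the listening socket first (the only step that needs root for ports below 1024), then gives up the supplementary groups, the gid and the uid in that order, and confirms that root cannot be regained. The account name "nobody" and the default port 80 are assumptions for illustration; every call's return value is checked and errno is reported, which is the first thing to look at before touching SELinux.

```cpp
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <grp.h>
#include <pwd.h>
#include <unistd.h>
#include <cerrno>
#include <cstdint>
#include <cstdio>
#include <cstdlib>

// Create a TCP listening socket on all interfaces. Port 0 lets the kernel
// pick an ephemeral port (handy for tests). Returns the fd, or -1 with errno
// set: EACCES here means "not root / no CAP_NET_BIND_SERVICE for port < 1024".
int bind_listener(uint16_t port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    int one = 1;
    sockaddr_in addr{};
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_ANY);
    addr.sin_port = htons(port);
    if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one) < 0 ||
        bind(fd, reinterpret_cast<sockaddr*>(&addr), sizeof addr) < 0 ||
        listen(fd, 16) < 0) {
        int saved = errno;      // close() may clobber errno
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

// Port actually bound (meaningful after binding port 0). -1 on failure.
int bound_port(int fd) {
    sockaddr_in addr{};
    socklen_t len = sizeof addr;
    if (getsockname(fd, reinterpret_cast<sockaddr*>(&addr), &len) < 0) return -1;
    return ntohs(addr.sin_port);
}

// Resolve an account name to uid/gid through the passwd database.
bool lookup_user(const char* name, uid_t& uid, gid_t& gid) {
    const passwd* pw = getpwnam(name);
    if (!pw) return false;
    uid = pw->pw_uid;
    gid = pw->pw_gid;
    return true;
}

// Permanently drop root. Order matters: supplementary groups and gid must be
// changed while we are still uid 0, because after setuid() they are locked.
// When the target is not root, verify the drop cannot be undone.
bool drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, nullptr) < 0) return false;
    if (setgid(gid) < 0) return false;
    if (setuid(uid) < 0) return false;
    if (uid != 0 && setuid(0) == 0) return false;   // regained root: refuse to run
    return getuid() == uid && geteuid() == uid && getgid() == gid;
}

// Bind an ephemeral port and report it (used to exercise bind_listener
// without needing root); returns -1 on failure.
int probe_listener() {
    int fd = bind_listener(0);
    if (fd < 0) return -1;
    int port = bound_port(fd);
    close(fd);
    return port;
}

int main(int argc, char** argv) {
    const char* user = argc > 1 ? argv[1] : "nobody";   // assumed unprivileged account
    uint16_t port = argc > 2 ? static_cast<uint16_t>(atoi(argv[2])) : 80;

    int fd = bind_listener(port);               // still root here
    if (fd < 0) { perror("bind_listener"); return 1; }

    uid_t uid; gid_t gid;
    if (!lookup_user(user, uid, gid)) { fprintf(stderr, "no such user: %s\n", user); return 1; }
    if (!drop_privileges(uid, gid)) { perror("drop_privileges"); return 1; }

    printf("listening on port %d as uid %u\n", bound_port(fd), static_cast<unsigned>(getuid()));
    for (;;) {                                  // serve as the unprivileged user
        int c = accept(fd, nullptr, nullptr);
        if (c < 0) { perror("accept"); continue; }
        const char msg[] = "hello\n";
        write(c, msg, sizeof msg - 1);
        close(c);
    }
}
```

Run it as root with `./listener nobody 80`; once "listening ... as uid" prints, `ps -o user,pid,cmd` shows the process owned by the target user while the port-80 socket stays open. If instead bind_listener fails with EACCES as a non-root user on a port below 1024, that is the ordinary privileged-port rule, not SELinux; an SELinux denial shows up as EACCES together with an AVC entry in the audit log, which is what the comment on the question asks you to check first.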