SFTPPlus Documentation

5.3. Services

5.3.1. Listening on ports below 1024 on Linux and Unix

Under normal circumstances the default configuration for a Linux or Unix operating system is to only allow the root account to listen on ports below 1024.

Yet, with extra configuration it is possible for normal (non-root) accounts to listen on ports below 1024.

One generic method which works on any Linux or Unix version is to set up SFTPPlus to listen on a port above 1024 and then have the firewall forward the privileged port to that port.
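The forwarding approach on Linux, as an added example that is not part of the SFTPPlus documentation or product: the script below installs iptables REDIRECT rules in the nat table so that connections to port 22 reach an SFTPPlus service configured on port 10022. The port numbers, the iptables tool and a default-deny INPUT chain are assumptions; ip6tables or nftables need equivalent rules.

```shell
#!/bin/sh
# Added example: forward a privileged port to the unprivileged port SFTPPlus
# listens on, using the iptables nat table (Linux only). Ports are assumptions.
set -eu

PUBLIC_PORT=${PUBLIC_PORT:-22}      # port clients connect to, below 1024
LISTEN_PORT=${LISTEN_PORT:-10022}   # port configured for the SFTPPlus service
IPT=${IPT:-iptables}                # use ip6tables for IPv6 listeners

# A redirect only makes sense from a privileged port to an unprivileged one;
# refuse anything else (including non-numeric input) before touching the firewall.
valid_port_pair() {
    pub=$1; lis=$2
    [ -n "$pub" ] && [ -n "$lis" ] || return 1
    case "$pub$lis" in *[!0-9]*) return 1 ;; esac
    [ "$pub" -ge 1 ] && [ "$pub" -lt 1024 ] && [ "$lis" -ge 1024 ] && [ "$lis" -le 65535 ]
}

# Print the nat rules without applying them. PREROUTING handles connections
# arriving from the network; OUTPUT handles connections made on the host itself,
# which never traverse PREROUTING, so a local test against port 22 would
# otherwise fail while remote clients work.
redirect_rules() {
    pub=$1; lis=$2
    printf '%s\n' \
        "$IPT -t nat -A PREROUTING -p tcp --dport $pub -j REDIRECT --to-ports $lis" \
        "$IPT -t nat -A OUTPUT -o lo -p tcp --dport $pub -j REDIRECT --to-ports $lis"
}

apply_redirect() {
    valid_port_pair "$PUBLIC_PORT" "$LISTEN_PORT" || {
        echo "refusing: PUBLIC_PORT must be below 1024 and LISTEN_PORT 1024 or above" >&2
        return 1
    }
    sudo "$IPT" -t nat -A PREROUTING -p tcp --dport "$PUBLIC_PORT" -j REDIRECT --to-ports "$LISTEN_PORT"
    sudo "$IPT" -t nat -A OUTPUT -o lo -p tcp --dport "$PUBLIC_PORT" -j REDIRECT --to-ports "$LISTEN_PORT"
    # REDIRECT rewrites the destination port before the filter table sees the
    # packet, so a default-deny INPUT chain must accept LISTEN_PORT, not PUBLIC_PORT.
    sudo "$IPT" -A INPUT -p tcp --dport "$LISTEN_PORT" -j ACCEPT
}

# Show what the kernel actually holds; both REDIRECT rules should be listed.
show_redirect() {
    sudo "$IPT" -t nat -S | grep -F -- "--to-ports $LISTEN_PORT" || echo "no redirect installed"
}

case "${1:-}" in
    apply) apply_redirect ;;
    show)  show_redirect ;;
    rules) redirect_rules "$PUBLIC_PORT" "$LISTEN_PORT" ;;
esac
```

Run it as `sh forward.sh apply` and check with `sh forward.sh show`. iptables rules are not persistent across reboots; save them with your distribution's mechanism (iptables-save and restore, or its persistence package). Note that accepting LISTEN_PORT in INPUT also allows clients to connect to 10022 directly; if only port 22 should be reachable, restrict that rule further.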

Another method is to use the privileges framework provided by each operating system. The required configuration is specific to each operating system. In this section, our goal is to guide you through this configuration process. We do not aim to provide a comprehensive documentation for each operating system. For more details, please consult the dedicated documentation available for each operating system or Linux distribution.

Note

Some operating systems don't provide any fine-grained permission configuration, so port-forwarding is the only option.

If you know how to configure OS X, macOS or HP-UX to listen on ports below 1024 without firewall redirection, please let us know and we will improve this documentation.

5.3.1.1. Linux

The mechanism by which a non-root user is granted permission to listen on ports below 1024 is called capabilities, and cap_net_bind_service (CAP_NET_BIND_SERVICE) is the capability which controls binding to privileged ports.

For more details, please see man 7 capabilities on your operating system.

File capabilities are attached to an executable file, stored as an extended attribute, and are granted to any process that executes that file. A dedicated command line tool is required to set them (setcap) and to display them (getcap).

On some Linux distributions, you might need to install an extra package to have these tools available: libcap2-bin on Debian and Ubuntu, libcap on Red Hat based distributions.

To allow the SFTPPlus process to listen on ports below 1024, the command will look similar to the following example:

$ sudo setcap 'cap_net_bind_service=+ep' SFTPPLUS_INSTALL_PATH/bin/python

You can then start SFTPPlus as a non-root user and listen on ports below 1024. Keep in mind that the capability applies to every user who can execute that interpreter, so restrict its execute permission to the service account, and that it is lost whenever the file is replaced, for example by an upgrade, so check it again after upgrading.

5.3.1.2. AIX

The method used on AIX is called Role Based Access Control (RBAC).

For more details, please see the article dedicated to AIX RBAC and Domain RBAC.

PV_NET_PORT is the privilege needed to listen on ports below 1024.

Below is a brief list of commands for setting up the access control for SFTPPlus in order to listen on port 22.

Create a RBAC domain for SFTPPlus, if you don’t already have one:

mkdom "id=1" dfltmsg="SFTPPlus Ports" sftpplus_ports

Add port 22 to the new domain:

setsecattr -o domains=sftpplus_ports objtype=netport \
  secflags=FSF_DOM_ANY TCP_22

Associate the SFTPPlus application to the new domain:

setsecattr -c accessauths=ALLOW_ALL innateprivs=PV_NET_PORT \
  inheritprivs=PV_NET_PORT secflags=FSF_EPS  \
  SFTPPLUS_INSTALL_PATH/bin/python

Make sure the SFTPPlus service account is associated with the new domain:

chuser "domains=sftpplus_ports" sftpplus

AIX loads changes to the RBAC databases into the kernel security tables only when setkst is run, so run it as root once the commands above have completed. After that you can start SFTPPlus as the non-root sftpplus user and listen on port 22.

If you need to listen on more ports, add more netport objects to the domain in the same way and run setkst again.

5.3.1.3. Solaris

On Solaris, you can give the sftpplus account the privilege to listen on ports below 1024 using the following command:

/usr/sbin/usermod -K defaultpriv=basic,net_privaddr sftpplus

The new default privilege set applies to processes started after the change; you can confirm it with ppriv from a shell running as sftpplus. You can then start SFTPPlus as the non-root sftpplus user and listen on any port below 1024.

5.3.1.4. OS X/macOS

The method used is port-forwarding using ipfw (for releases older than OS X 10.10) or pf (for releases 10.10 and newer).

Set up SFTPPlus to listen on a port above 1024 and configure the port forwarding.

In the following examples, you will see how to forward port 122 to 10022.

We will use the loopback interface to keep things simple, but you should adapt and extend these firewall rules to account for your own local configuration: different network interfaces, IPs and other network traffic rules.

For releases older than OS X 10.10 using ipfw:

View current firewall rules:
    $ sudo ipfw show

Add port-forwarding rule (122 to 10022):
    $ sudo ipfw add 100 fwd 127.0.0.1,10022 tcp from any to any 122 in

You can get more information on your system's man pages for ipfw.

For OS X 10.10 and newer using pf:

Create a pf anchor file for sftpplus in /etc/pf.anchors/sftpplus
with the following contents (a single line):
    rdr pass on lo0 inet proto tcp from any to 127.0.0.1 port = 122 -> 127.0.0.1 port 10022

Reference the anchor in /etc/pf.conf. pf requires translation rules (rdr) to
come before filter rules, so put the first line directly after the existing
rdr-anchor "com.apple/*" entry and the second line at the end of the file:
    rdr-anchor "sftpplus"
    load anchor "sftpplus" from "/etc/pf.anchors/sftpplus"

Enable and reload pf manually:
    $ sudo pfctl -ef /etc/pf.conf

Note: OS updates may overwrite the pf.conf file, so keep a backup and check
that the anchor lines are still present after each update.

5.3.2. Removing services while server is running

A service can be removed while the server is running, without affecting the other available services.

This can be done via the Local Manager.

If the removed service was running, it is stopped automatically.