SFTPPlus Documentation
5.3. Services
5.3.1. Listening on ports below 1024 on Linux and Unix
Under normal circumstances, the default configuration of a Linux or Unix operating system only allows the root account to listen on ports below 1024.
With extra configuration, however, normal (non-root) accounts can also listen on ports below 1024.
One generic method, which works on any Linux or Unix version, is to set up SFTPPlus to listen on a port above 1024 and then configure port-forwarding in the firewall.
Another method is to use the privilege framework provided by each operating system. The required configuration is specific to each operating system. In this section, our goal is to guide you through this configuration process; we do not aim to provide comprehensive documentation for each operating system. For more details, please consult the dedicated documentation for your operating system or Linux distribution.
Note
Some operating systems don't provide any fine-grained permission configuration, so port-forwarding is the only option.
If you know how to configure OS X, macOS or HP-UX to listen on ports below 1024 without firewall redirection, please let us know and we will improve this documentation.
5.3.1.1. Linux
The mechanism by which a non-root user is granted permission to listen on ports below 1024 is called capabilities, and cap_net_bind_service is the capability that controls binding to privileged ports.
For more details, please see man 7 capabilities on your operating system.
Capabilities are associated with a process, and a dedicated command line tool is required to configure the capabilities of the executable that process runs.
On some Linux distributions, you might need to install an extra package to have these tools available.
To allow the SFTPPlus process to listen on ports below 1024, the command will look similar to the following example:
$ sudo setcap 'cap_net_bind_service=+ep' SFTPPLUS_INSTALL_PATH/bin/python
You can then start SFTPPlus as a non-root user and listen on ports below 1024.
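The following shell script is an added example and is not part of the SFTPPlus documentation or product. It verifies that the setcap command above actually took effect by reading getcap(8) output for the interpreter, accepting both the older (`file = cap+flags`) and newer (`file cap=flags`) getcap output styles. SFTPPLUS_INSTALL_PATH is a placeholder for your real installation path; the sample getcap lines in the comments are constructed.

```shell
#!/bin/sh
# Added example (not SFTPPlus code): confirm cap_net_bind_service is set on
# the SFTPPlus Python interpreter before starting the service as non-root.

# Return 0 when one line of getcap output grants cap_net_bind_service with
# both the effective (e) and permitted (p) flags, 1 otherwise.
# Accepted input styles (constructed samples):
#   older libcap:  /opt/sftpplus/bin/python = cap_net_bind_service+ep
#   newer libcap:  /opt/sftpplus/bin/python cap_net_bind_service=ep
has_bind_capability() {
    # Extract the flag letters that follow the capability set containing
    # cap_net_bind_service (the set may list several capabilities).
    flags=$(printf '%s\n' "$1" |
        sed -n 's/.*cap_net_bind_service[^=+]*[=+]\([a-z]*\).*/\1/p')
    case "$flags" in
        *e*) case "$flags" in *p*) return 0 ;; esac ;;
    esac
    return 1
}

# Run getcap on a real file and report. Returns 0 when the capability is
# present, 1 when it is missing (a non-root SFTPPlus would fail to bind
# ports below 1024) and 2 when getcap itself is not installed.
check_sftpplus_python() {
    target="$1"
    if ! command -v getcap >/dev/null 2>&1; then
        echo "getcap not found; install the libcap tools for your distribution"
        return 2
    fi
    line=$(getcap "$target" 2>/dev/null || true)
    if has_bind_capability "$line"; then
        echo "OK: $target may bind ports below 1024 ($line)"
        return 0
    fi
    echo "MISSING: run: sudo setcap 'cap_net_bind_service=+ep' $target"
    return 1
}

# Usage (placeholder path):
#   check_sftpplus_python SFTPPLUS_INSTALL_PATH/bin/python
```

Two caveats worth keeping in mind when relying on this check: file capabilities are attached to the executable, so they are silently lost when the interpreter is replaced (for example by an upgrade) and must be re-applied; and the capability is granted to every user able to execute that interpreter, not only to the SFTPPlus service account, so keep the file's execute permission limited to that account where possible.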
5.3.1.2. AIX
The method used on AIX is called Role Based Access Control (RBAC).
For more details, please see the article dedicated to AIX RBAC and Domain RBAC.
PV_NET_PORT is the privilege needed for listening on ports below 1024.
Below is a brief list of commands for setting up the access control that allows SFTPPlus to listen on port 22.
Create an RBAC domain for SFTPPlus, if you don't already have one:
mkdom "id=1" dfltmsg="SFTPPlus Ports" sftpplus_ports
Add port 22 to the new domain:
setsecattr -o domains=sftpplus_ports objtype=netport \
secflags=FSF_DOM_ANY TCP_22
Associate the SFTPPlus application to the new domain:
setsecattr -c accessauths=ALLOW_ALL innateprivs=PV_NET_PORT \
inheritprivs=PV_NET_PORT secflags=FSF_EPS \
SFTPPLUS_INSTALL_PATH/bin/python
Make sure the SFTPPlus service account is associated with the new domain:
chuser "domains=sftpplus_ports" sftpplus
After that you can start SFTPPlus as the non-root sftpplus user and listen on port 22.
If you need to listen on more ports, add more ports to the domain.
5.3.1.3. Solaris
On Solaris, you can give the sftpplus account permission to listen on ports below 1024 using the following command:
/usr/sbin/usermod -K defaultpriv=basic,net_privaddr sftpplus
You can then start SFTPPlus as the non-root sftpplus user and listen on any port below 1024.
5.3.1.4. OS X/macOS
The method used is port-forwarding using ipfw (for releases older than OS X 10.10) or pf (for releases 10.10 and newer).
Set up SFTPPlus to listen on a port above 1024 and configure the port forwarding.
In the following examples, you will see how to forward port 122 to 10022.
We will use the loopback interface to keep things simple, but you should adapt and extend these firewall rules to account for your own local configuration: different network interfaces, IPs and other network traffic rules.
For releases older than OS X 10.10 using ipfw:
View current firewall rules:
$ sudo ipfw show
Add port-forwarding rule (122 to 10022):
$ sudo ipfw add 100 fwd 127.0.0.1,10022 tcp from any to any 122 in
See your system's man page for ipfw for more information.
For OS X 10.10 and newer using pf:
Create a pf anchor file for SFTPPlus in /etc/pf.anchors/sftpplus with the following contents:
rdr pass on lo0 inet proto tcp from any to 127.0.0.1 port = 122 -> 127.0.0.1 port 10022
Reference the anchor in /etc/pf.conf by adding:
rdr-anchor "sftpplus"
load anchor "sftpplus" from "/etc/pf.anchors/sftpplus"
Enable and reload pf manually:
$ sudo pfctl -ef /etc/pf.conf
Note: OS updates may overwrite the pf.conf file, so keep a backup of it.
5.3.2. Removing services while server is running
A service can be removed while the server is running, without affecting the other available services.
This can be done via the Local Manager.
When a service is removed while it is running, it is automatically stopped.