Permissions problem with ssl socket binding
Posted: Sat Feb 11, 2006 4:20 pm
by Matridom
I'm in the process of moving Unreal to a new system with a new install of Debian Testing (etch). When I run the IRCD it loads up, but SSL ports do not work. I know the compile went through with SSL support properly.
Now, when I rehashed the server, I get the following error.
[10:31am] -xxxxx- Error binding stream socket to IP 192.168.0.20 port 994 - xxxxx[192.168.0.20.994]:Permission denied
I can bypass this problem by running as root, but that's not what I want to do.
Now, I know my problem is OS oriented, but I can't seem to find any leads as to where my permissions problem lies.
Posted: Sat Feb 11, 2006 4:28 pm
by Jason
Although 994 is the official standard, 6697 is much more common. Even 6667 is unofficial.
Your best unreal-oriented solution is to run as root, but using unreal's SETUID features to drop privileges (I think it's after binding). See include/config.h
irc 194/tcp #Internet Relay Chat Protocol
irc 194/udp #Internet Relay Chat Protocol
irc-serv 529/tcp
irc-serv 529/udp
ircs 994/tcp # irc protocol over TLS/SSL
ircs 994/udp
ircd 6667/tcp #Internet Relay Chat (unoffical)
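The bind-first, drop-afterwards pattern mentioned in the post above, as an added C example (not UnrealIRCd's code and not part of the original posts): the listener on a port below 1024 is opened while still root, then the process permanently switches to an unprivileged account and checks that root cannot be regained. The wildcard address and uid/gid 65534 ("nobody" on Debian) are assumptions.

```c
#define _DEFAULT_SOURCE 1   /* exposes setgroups() in <grp.h> on glibc */
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a listening TCP socket. Returns the fd, or -errno on failure:
 * a port below 1024 gives -EACCES without root or CAP_NET_BIND_SERVICE. */
int bind_listener(const char *ip, unsigned short port)
{
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    int fd, err, one = 1;
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1)
        return -EINVAL;
    if ((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        return -errno;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        err = errno;
        close(fd);
        return -err;
    }
    return fd;
}

/* Permanently become uid/gid. Order matters: supplementary groups, then
 * gid, then uid. Returns 0, or -errno if the drop failed or is reversible. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return -EINVAL;                 /* refuse to "drop" to root */
    if (geteuid() == 0 &&
        (setgroups(0, NULL) < 0 || setgid(gid) < 0 || setuid(uid) < 0))
        return -errno;
    return setuid(0) == 0 ? -EPERM : 0; /* regaining root must fail */
}

int main(void)
{
    int fd = bind_listener("0.0.0.0", 994);   /* ircs port from the thread */
    if (fd < 0) { fprintf(stderr, "bind: %s\n", strerror(-fd)); return 1; }
    if (drop_privileges(65534, 65534) != 0)   /* assumed: Debian's nobody */
        return 1;
    printf("listening on 994 as uid %d\n", (int)getuid());
    return 0;
}
```

Started as a regular user, this prints the same "Permission denied" that the rehash reported; started as root, the socket stays open after the uid change because the privilege check happens only at bind time.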
Posted: Sat Feb 11, 2006 5:43 pm
by aquanight
Yeah, 6667 and 6697 appear to be pretty standard ports now since it's pretty much a bad idea (plus not always possible) to run an ircd as root.
On that note, @linux you could theoretically grant a user/process the CAP_NET_BIND_SERVICE capability (see man 7 capabilities) and allow it to bind to <1024 without being root, but I don't know if the fsutils/pam really provide for all that yet afaik...
Posted: Sat Feb 11, 2006 8:36 pm
by Syzop
I would suggest just to use the 6697 (non-official) ssl port, so as a regular user.
I'm not aware of anyone using the official normal (non-ssl) port either (port 194), so I don't know why people tend to think they need to use 994 ;).
Posted: Sat Feb 11, 2006 8:38 pm
by Stealth
If you have root access, you can also IPTABLES 994 to 6697 if you want users to be able to connect with 994. If you run it from home, some routers have the function to accept connections on one port and forward them to another (such as accepting on 994, and forwarding to 6697).
Posted: Sat Feb 11, 2006 10:29 pm
by Matridom
Router does not allow me to remap.
I figure it would be easiest and most practical to just move the port.
Thanks for the advice.