Short answer: you can't. Ports below 1024 can be opened only by root. As per comment - well, you can, using CAP_NET_BIND_SERVICE, but that approach, applied to java bin will make any java program to be run with this setting, which is undesirable, if not a security risk.
The long answer: you can redirect connections on port 80 to some other port you can open as normal user.
Run as root:
# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
As loopback devices (like localhost) do not use the prerouting rules, if you need to use localhost, etc., add this rule as well (thanks @Francesco):
# iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 80 -j REDIRECT --to-ports 8080
NOTE: The above solution is not well suited for multi-user systems, as any user can open port 8080 (or any other high port you decide to use), thus intercepting the traffic. (Credits to CesarB).
EDIT: as per comment question - to delete the above rule:
# iptables -t nat --line-numbers -n -L
This will output something like:
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 redir ports 8088
2 REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8080
The rule you are interested in is nr. 2, so to delete it:
# iptables -t nat -D PREROUTING 2
There are two things you need to do:
- set the
SSH_AUTH_SOCK
variable so it points to the correct file
- allow the other user to connect to the socket (using file system permissions)
Therefore, what you could do is:
As user1, allow user2 to connect to the socket (full access to the socket and permissions to enter the directory). I hope your /tmp
allows ACLs.
setfacl -m u:user2:rw $SSH_AUTH_SOCK
setfacl -m u:user2:x $(dirname $SSH_AUTH_SOCK)
Change to the other user, and export the variable correctly.
sudo -u user2 env SSH_AUTH_SOCK=$SSH_AUTH_SOCK ssh user3@machine2
If you want to open an interactive shell using sudo
, you would have to export the SSH_AUTH_SOCK
variable yourself after you get the shell.
Best Answer
To use xauth selectively, as user1 run:
This prints the hexkey authorization entries for you . You could have different displays associated with those hosts as well.
As user2 set your display (assuming default case):
Then run:
Note the dot after the $DISPLAY and before the hexkey.
When access is no longer needed, as user2 you can run: