Short answer: you can't. Ports below 1024 can be opened only by root. As per comment - well, you can, using CAP_NET_BIND_SERVICE, but that approach, applied to the java binary, will make any java program run with this setting, which is undesirable, if not a security risk.
The long answer: you can redirect connections on port 80 to some other port that you can open as a normal user.
Run as root:
# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
As loopback devices (like localhost) do not use the prerouting rules, if you need to use localhost, etc., add this rule as well (thanks @Francesco):
# iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 80 -j REDIRECT --to-ports 8080
NOTE: The above solution is not well suited for multi-user systems, as any user can open port 8080 (or any other high port you decide to use), thus intercepting the traffic. (Credits to CesarB).
EDIT: as per comment question - to delete the above rule:
# iptables -t nat --line-numbers -n -L
This will output something like:
Chain PREROUTING (policy ACCEPT)
num  target    prot opt source       destination
1    REDIRECT  tcp  --  0.0.0.0/0    0.0.0.0/0    tcp dpt:8080 redir ports 8088
2    REDIRECT  tcp  --  0.0.0.0/0    0.0.0.0/0    tcp dpt:80 redir ports 8080
The rule you are interested in is nr. 2, so to delete it:
# iptables -t nat -D PREROUTING 2
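The procedure above as a script, added here as an example and not part of the original answer. It assumes root and an iptables new enough to support -C (1.4.11 or later); IPTABLES, FROM_PORT, TO_PORT and the function names are the script's own. It installs both rules only when they are absent and removes them by specification, so deletion never depends on the rule number shown by --line-numbers, which changes as soon as another nat rule is inserted ahead of it.

```shell
#!/bin/sh
# Added example, not part of the original answer: install and remove the
# port-80 -> 8080 REDIRECT rules idempotently. Rules are deleted by their
# specification (-D CHAIN <rule>) rather than by number, because the number
# shifts whenever another nat rule is inserted ahead of it.
# Assumptions: run as root, iptables >= 1.4.11 (for -C). IPTABLES can point
# at a wrapper or stub for dry runs.
set -eu
IPTABLES="${IPTABLES:-iptables}"
FROM_PORT="${FROM_PORT:-80}"
TO_PORT="${TO_PORT:-8080}"

# One source of truth per rule so add, check and delete cannot drift apart.
prerouting_spec() {
    echo "-p tcp --dport $FROM_PORT -j REDIRECT --to-ports $TO_PORT"
}
output_spec() {
    # Loopback traffic never traverses PREROUTING, so localhost:80 needs its
    # own rule in the nat OUTPUT chain, as the answer notes.
    echo "-p tcp -d 127.0.0.1 --dport $FROM_PORT -j REDIRECT --to-ports $TO_PORT"
}

# $1 = chain, $2 = rule spec; $2 is left unquoted on purpose so that the
# spec splits into individual iptables arguments. -C exits 0 if the rule exists.
rule_present() {
    "$IPTABLES" -t nat -C "$1" $2 2>/dev/null
}

add_redirect() {
    rule_present PREROUTING "$(prerouting_spec)" ||
        "$IPTABLES" -t nat -A PREROUTING $(prerouting_spec)
    rule_present OUTPUT "$(output_spec)" ||
        "$IPTABLES" -t nat -I OUTPUT $(output_spec)
}

del_redirect() {
    # Loop in case the rule was added more than once by hand: -D removes one
    # instance per call. Safe to run when nothing is installed.
    while rule_present PREROUTING "$(prerouting_spec)"; do
        "$IPTABLES" -t nat -D PREROUTING $(prerouting_spec)
    done
    while rule_present OUTPUT "$(output_spec)"; do
        "$IPTABLES" -t nat -D OUTPUT $(output_spec)
    done
}

# Print the chains in the same spec form used above; easier to compare than -L.
list_redirect() {
    "$IPTABLES" -t nat -S PREROUTING
    "$IPTABLES" -t nat -S OUTPUT
}

case "${1:-}" in
    add)  add_redirect ;;
    del)  del_redirect ;;
    list) list_redirect ;;
    "")   echo "usage: $0 add|del|list" >&2 ;;
    *)    echo "usage: $0 add|del|list" >&2; exit 1 ;;
esac
```

Run as root: `./redirect80.sh add` to install both rules, `./redirect80.sh del` to undo. The answer's multi-user caveat is unchanged by this: the redirect delivers port-80 traffic to whichever process holds 8080, and nothing here stops another local user from grabbing that port while your service is down.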
# semanage fcontext -a -t public_content_rw_t "/myftp/pub(/.*)?"
Be sure to include the (/.*)? at the end of the directory name.
I also tried to use audit2allow to generate a policy, but what it does is generate a policy that gives ftpd write access to directories of type public_content_t; this is equivalent to turning on allow_ftpd_full_access, if I understood it correctly
Essentially, yes; since SELinux allows directories/files labeled with public_content_t to be shared between different services. However, further access control is in place through the use of sebooleans (or sebool, more precisely).
Giving "ftpd full access" doesn't mean giving it the rights to do/read/write what and where it wants. SELinux has designated policies in place for the services on your system; meaning, ftpd is allowed to read files if the directory's file context (fcontext) is public_content_t. SELinux gives write permissions to the ftp server if the directory's fcontext is public_content_rw_t; other services such as samba, apache, etc. have to be allowed write permissions to those directories through the booleans, according to the pertaining RedHat Documentation. If your "local policy" gives ftpd write access in directories labelled public_content_t, it essentially strips away a layer of security. Therefore, I suggest labeling the directory with the public_content_rw_t context, and removing your custom generated local policy.
For further information and details, please see the SELinux wiki pages.
Best Answer
The standard Linux permissions scheme should account for this. Unprivileged users can't modify anything that doesn't belong to them, nor access folders where important system information is stored.
Modify the panel and desktop so that none of the offending icons or applets are available.
Use gconftool2 to set the following keys (under apps/panel/global):
disable_force_quit will prevent the user's ability to forcibly close a panel applet.
disable_lock_screen will prevent the user from displaying the screen saver and password protecting the screen.
disable_log_out will prevent the user from logging out of, shutting down, or restarting the computer.
locked_down will prevent the user from making any changes to the panels.
Set the following keys under desktop/gnome/lockdown:
disable_command_line also disables the "Run Program" dialog.
disable_lock_screen will prevent the user from locking the screen.
disable_printing will prevent the user from printing things to an attached printer.
disable_print_setup will prevent access to all "Print Setup" dialogs.
disable_save_to_disk will prevent the user from saving anything to the hard drive.
disable_user_switching will prevent the user from switching to another account while the current session is active.
It sounds like what you're really looking for is a way to make Gnome behave like a kiosk. There are a few guides for that:
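The key list above as a script, added here as an example and not from the original answer. It writes the keys with gconftool-2 (the binary behind "gconftool2") into the mandatory configuration source, /etc/gconf/gconf.xml.mandatory, so that the user cannot reverse them from their own session; a plain gconftool-2 --set would land in the invoking user's own settings, which that user can edit again. set_mandatory_bool, apply_lockdown, show_lockdown and DRY_RUN are the script's own names. As the answer's first paragraph says, these keys only remove UI affordances; file permissions remain the actual boundary.

```shell
#!/bin/sh
# Added example, not part of the original answer: set the lockdown keys the
# answer lists in GConf's mandatory source, where a user cannot override them.
# Assumptions: GNOME 2 with gconftool-2, run as root; users pick the change up
# at their next login. DRY_RUN=1 prints the commands instead of running them.
set -eu
DRY_RUN="${DRY_RUN:-0}"
MANDATORY="xml:readwrite:/etc/gconf/gconf.xml.mandatory"

# Keys from the answer, grouped by their GConf directory.
PANEL_KEYS="disable_force_quit disable_lock_screen disable_log_out locked_down"
LOCKDOWN_KEYS="disable_command_line disable_lock_screen disable_printing
disable_print_setup disable_save_to_disk disable_user_switching"

run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# --direct bypasses gconfd and --config-source selects the mandatory tree;
# a plain "gconftool-2 --set" would land in the invoking user's own settings.
set_mandatory_bool() {  # $1 = absolute key, $2 = true|false
    run gconftool-2 --direct --config-source "$MANDATORY" \
        --type bool --set "$1" "$2"
}

apply_lockdown() {
    for k in $PANEL_KEYS; do
        set_mandatory_bool "/apps/panel/global/$k" true
    done
    for k in $LOCKDOWN_KEYS; do
        set_mandatory_bool "/desktop/gnome/lockdown/$k" true
    done
}

# Read back the effective value of every key, as the locked-down user sees it
# (mandatory values win over the user's own settings).
show_lockdown() {
    for k in $PANEL_KEYS; do
        printf '%s = %s\n' "/apps/panel/global/$k" \
            "$(gconftool-2 --get "/apps/panel/global/$k")"
    done
    for k in $LOCKDOWN_KEYS; do
        printf '%s = %s\n' "/desktop/gnome/lockdown/$k" \
            "$(gconftool-2 --get "/desktop/gnome/lockdown/$k")"
    done
}

case "${1:-}" in
    apply) apply_lockdown ;;
    show)  show_lockdown ;;
    "")    echo "usage: $0 apply|show   (DRY_RUN=1 to preview apply)" >&2 ;;
    *)     echo "usage: $0 apply|show" >&2; exit 1 ;;
esac
```

`DRY_RUN=1 ./gnome-lockdown.sh apply` shows the ten gconftool-2 invocations without touching the system; `./gnome-lockdown.sh show` afterwards, run as the restricted user, confirms that each key reads back as true.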