[tor-talk] Could not bind to 0.0.0.0:443: Permission denied

Seth David Schoen schoen at eff.org
Tue Sep 25 18:00:43 UTC 2012


Juppe writes:

> Hey,
> 
> A few weeks ago I built a Tor network into my WAN lab environment and I'm
> using Tor version v0.2.3.17-beta. Today I wanted to change the nodes' DirPorts
> to use 80 and ORPorts to use 443 (before they were between 5000-6000), but I
> had the following output when I tried to start my directory server, and it
> was the same thing with the other nodes:
> 
> [notice] Opening OR Listener on 0.0.0.0:443
> [warn] Could not bind to 0.0.0.0:443: Permission denied
> [notice]Opening Directory listener on 0.0.0.0:80
> [warn]Could not bind to 0.0.0.0:80: Permission denied
> 
> Do I have to somehow run Tor as root or what causes this?

Yes, if you want to listen on a port below 1024.  Ports below 1024 are
considered "privileged ports" -- an old convention for distinguishing
between services run by the system administrator of a machine and
services run by other "unprivileged" users.  This convention could be
useful for security purposes if you imagine that system administrators
trust each other for some purposes, or that you trust the system
administrator of a certain server but don't trust every user of that
server.  A specific example is NFS:

http://www.lst.de/~okir/blackhats/node67.html

In the original NFS design, machines are configured to trust each other
and grant each other's requests, but the end users are not necessarily
trustworthy so the machines have to decide whether a particular request
was authorized by the remote server's system administrator.  This did
lead to security problems if you had the ability to send packets on
the network with an arbitrary source IP address, because requests were
not authenticated beyond examination of their source IP address and port
number (the same issue applied to the rsh/rlogin service).

Some people have suggested that the usefulness of the privileged port
convention has decreased a lot over time, but it may still be useful
for some purposes.  (It seems that the use of public-key cryptography is
ultimately better and safer than relying on TCP port numbers as a proof
of identity... but, for example, it can be nice that the sysadmin of a
multiuser system gets to reserve port 80 for the "official" web server
on that system, instead of having a random user come in and set up their
own web server there.)

Operating systems generally still do enforce the rule, so you still can't
bind a privileged port if you aren't root!

-- 
Seth Schoen  <schoen at eff.org>
Senior Staff Technologist                       https://www.eff.org/
Electronic Frontier Foundation                  https://www.eff.org/join
454 Shotwell Street, San Francisco, CA  94110   +1 415 436 9333 x107
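The reply above explains the rule behind Juppe's error; the following added example (not part of this thread, and not Tor code) shows how to recognise the pattern in a Tor log and how to reproduce the refusal from an unprivileged process. The log text is the constructed sample copied from the question; the helper names `is_privileged_port`, `parse_bind_failures` and `try_bind` are this example's own.

```python
import errno
import os
import re
import socket

# Classic Unix convention: TCP/UDP ports 1-1023 may only be bound by root.
PRIVILEGED_PORT_LIMIT = 1024

# Constructed sample: the four lines from the question (note the missing
# space after "[notice]" on the third line, which the regex tolerates).
SAMPLE_LOG = """\
[notice] Opening OR Listener on 0.0.0.0:443
[warn] Could not bind to 0.0.0.0:443: Permission denied
[notice]Opening Directory listener on 0.0.0.0:80
[warn]Could not bind to 0.0.0.0:80: Permission denied
"""

_BIND_FAIL = re.compile(r"^\[warn\]\s*Could not bind to ([\d.]+):(\d+): (.+)$")


def is_privileged_port(port: int) -> bool:
    """True for a port that only root may bind under the traditional rule."""
    return 0 < port < PRIVILEGED_PORT_LIMIT


def parse_bind_failures(log_text: str):
    """Extract (address, port, reason, privileged) tuples from Tor 'Could not
    bind' warnings, so a reviewer can see at a glance whether the failure is
    the privileged-port rule or something else (e.g. address already in use)."""
    found = []
    for line in log_text.splitlines():
        m = _BIND_FAIL.match(line.strip())
        if not m:
            continue
        addr, port, reason = m.group(1), int(m.group(2)), m.group(3)
        found.append((addr, port, reason, is_privileged_port(port)))
    return found


def try_bind(port: int, host: str = "127.0.0.1") -> str:
    """Attempt to bind a TCP listener on host:port and classify the outcome.

    Returns "ok" (bound, then released), "permission-denied" (EACCES, the
    privileged-port refusal seen in the question), "in-use" (EADDRINUSE),
    or "error:<ERRNO_NAME>" for anything else.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    try:
        sock.bind((host, port))
        return "ok"
    except PermissionError:
        return "permission-denied"
    except OSError as e:
        if e.errno == errno.EADDRINUSE:
            return "in-use"
        return "error:" + errno.errorcode.get(e.errno, str(e.errno))
    finally:
        sock.close()


def running_as_root() -> bool:
    """Whether this process has the effective uid the rule is keyed on."""
    return hasattr(os, "geteuid") and os.geteuid() == 0


if __name__ == "__main__":
    for addr, port, reason, priv in parse_bind_failures(SAMPLE_LOG):
        hint = "privileged port, needs root" if priv else "not a privileged port"
        print(f"{addr}:{port} -> {reason} ({hint})")
    print("euid is root:", running_as_root())
    # Port 0 asks the kernel for an ephemeral high port, so this always works;
    # 443 succeeds only for root (or a host that has relaxed the rule).
    print("bind :0   ->", try_bind(0))
    print("bind :443 ->", try_bind(443))
```

Run as an ordinary user on a Linux host and the last line prints `permission-denied`, matching Juppe's warnings; run as root and it prints `ok`. The classification matters because the same Tor warning text carries other reasons too (an "Address already in use" line would parse with `privileged` still reported per port, but the reason tells you root would not help). Modern Linux also lets an administrator grant just the bind right rather than full root, via the `CAP_NET_BIND_SERVICE` capability or by lowering the `net.ipv4.ip_unprivileged_port_start` sysctl, which is the usual least-privilege answer to this error today.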

