What's /usr/libexec/podman/rootlessport and how do I use it?

[truh]

I use podman 4.9.4 on RHEL 8.10. Looking through the filesystem I stumbled upon rootlessport which appears to belong to podman based on it's location. I wasn't able to find any documentation for that binary other than go API docs https://pkg.go.dev/github.com/containers/podman/v4/pkg/rootlessport#pkg-types.

What is it for? Can this be used to access lower range ports without root?

[sbrivio-rh]

What is it for?

It provides integration with the built-in port forwarder provided by rootlesskit.

Can this be used to access lower range ports without root?

Not really, that's a kernel-imposed restriction if the process binding the forwarded ports lacks the CAP_NET_BIND_SERVICE capability. You can grant it to rootlessport:

setcap 'cap_net_bind_service=+ep' /usr/libexec/podman/rootlessport

in the same way as you can provide it to slirp4netns(1) or pasta(1). But I would rather recommend that you set the minimum port number you need as non-root via sysctl (as root), for example:

sysctl -w net.ipv4.ip_unprivileged_port_start=443

[truh]

Thank you for your speedy response. What the downside of?

setcap 'cap_net_bind_service=+ep' /usr/libexec/podman/rootlessport

[sbrivio-rh]

The downside is that /usr/libexec/podman/rootlessport can now bind whatever available port, and processes executing it can potentially gain the capability or that ability by executing it.

Suppose that there's a vulnerability making arbitrary code execution possible in rootlessport. The attacker can then try to bind port 25 and 587 to implement an open SMTP relay.

It's a fairly unlikely scenario but, if it matters to you, you could mitigate that with custom LSM (Linux Security Modules, such as AppArmor or SELinux) policies or firewall rules (those should already be there on RHEL 8).

[Luap99]

setcap 'cap_net_bind_service=+ep' /usr/libexec/podman/rootlessport

You cannot do that with podman, rootlesskit is executed from within the podman user namesapce and thus the capability will not work on the host netns to bind low ports.

[sbrivio-rh]

You cannot do that with podman, rootlesskit is executed from within the podman user namesapce and thus the capability will not work on the host netns to bind low ports.

Ah, oops, right, you also need to grant the parent process of that user namespace the capability. I guess --cap-add NET_BIND_SERVICE (with Podman running as root) would work?

Running things as root has further implications though. It's probably easier and safer to adjust the appropriate sysctl instead.