Add CAP_NET_BIND_SERVICE usage to docs

diff --git a/docs/run.md b/docs/run.md
index bb7da434c187b9b5cdebd656feadf82d7ab871db..b0e01ce6806c2acf5e699baea3cdf8b60b06b9d3 100644 (file)
--- a/docs/run.md
+++ b/docs/run.md
@@ -14,6 +14,8 @@ fort \
        --server.port <your intended RTR server port>
 {% endhighlight %}
 
+> ![img/warn.svg](img/warn.svg) In case the RTR server will be bound to a privileged port (eg. to default [`--server.port`](usage.html#--serverport)=323) and you don't want to run FORT validator as root, see [Non root port binding](#non-root-port-binding).
+
 This will run Fort validator as standalone (perform validation and exit) and print ROAs to CSV file:
 
 {% highlight bash %}
@@ -36,3 +38,48 @@ fort \
 {% endhighlight %}
 
 These are some examples to run Fort with distinct configurations; see [Program Arguments](usage.html) for more details.
+
+## Non root port binding
+
+By default, RTR server binds to port 323, which is a privileged port (ports lower than 1024 are restricted); so the most simple solutions are:
+- Set [`--server.port`](usage.html#--serverport) to an available port greater than 1024.
+- Leave the default server port and run FORT validator as root.
+
+In case you don't wish to use another port nor execute FORT validator as root, there are other alternatives, such as **capabilities**.
+
+The capability needed is `CAP_NET_BIND_SERVICE`, which allows to bind a socket to "Internet domain privileged ports" (port numbers less than 1024).
+
+For Linux you need:
+- A recent kernel compiled with POSIX capabilities.
+- The `setcap` and `getcap` utilities.
+
+> **Warnings**:
+> - With the "capabilities" method, any nonprivileged user can run FORT on priviliged ports. You can restrict the execution of the FORT binary using credentials (`chmod`, `chown`).
+> - Everytime you compile the sources, you need to apply this patch for the new binary of FORT validator.
+
+### Steps
+
+As root, execute this command to add the capability to the installed FORT validator binary:
+
+```
+# setcap cap_net_bind_service=+ep `which fort`
+```
+
+You can check if the capability was added by executing `getcap`, it should result in something like this:
+
+```
+# getcap `which fort`
+/usr/local/bin/fort = cap_net_bind_service+ep
+```
+
+Now FORT validator can be bound to the default port (323) without being executed as root.
+
+In case you want to remove the capability to the installed FORT binary, execute the next command (as root):
+
+```
+# setcap cap_net_bind_service=-ep `which fort`
+```
+
+### Alternative method (LINUX or BSD)
+
+You can use another method (NAT or firewall) to redirect traffic from port 323 to any other port where FORT service is bound as RTR server, but such methods are out of the scope of these documents.

diff --git a/docs/usage.md b/docs/usage.md
index ed36d8cef43273ca4166db4204b151df8e9ee80f..1508c3d57edecc1bf4a59815ab0fb25a10b127d3 100644 (file)
--- a/docs/usage.md
+++ b/docs/usage.md
@@ -296,6 +296,8 @@ TCP port or service the server will be bound to.
 This is a string because a service alias can be used as a valid value. The available aliases are commonly located at `/etc/services`. (See '`$ man services`'.)
 
 > ![img/warn.svg](img/warn.svg) The default port is privileged. To improve security, either change or jail it.
+>
+> In case you don't wish to change the port, nor run FORT validator as root, see [Non root port binding](run.html#non-root-port-binding).
 
 ### `--server.backlog`
 

diff --git a/man/fort.8 b/man/fort.8
index f9d87ba01aefc426a6348dda506859b1683e6c1a..68d63db9a08c2f678d97b6ea95ae5233403f1278 100644 (file)
--- a/man/fort.8
+++ b/man/fort.8
@@ -346,6 +346,10 @@ alias are commonly located at \fI/etc/services\fR. See also
 .P
 The default port (323) is privileged. To improve security, either change or
 jail it.
+.P
+In case you don't wish to use another port nor execute FORT validator as root,
+you could use CAP_NET_BIND_SERVICE capability (to bind to privileged ports), or
+NAT/firewall port redirection.
 .RE
 .P