Subj : Re: Mystic on Raspberry Pi/linux
To   : Zero Reader
From : Galahad
Date : Thu Jun 02 2022 10:10:14

 ZR>  Ek> Which is the right way to run Mystic BBS on Raspberry Pi?
 ZR>  Ek> Do I have to run it from a local  user  "./mis server" or "sudo ./mis
 ZR> You can run it either way. On Linux, you can't easily bind to certain
 ZR> ports unless you run them as sudo. That's why when you start with sudo
 ZR> I personally run it as a regular user, and just configure it to use
 ZR> higher ports, for example, instead of port 23, I use 2323. My router is
 ZR> configured to send port 23 to the BBS on port 2323.

Another good option is to use setcap / CAP_NET_BIND_SERVICE to grant a binary permission to bind to low ports.  Note that this has to be run on the binary file itself, not symlinks.

sudo setcap CAP_NET_BIND_SERVICE=+eip /path/to/mis

After you run that command then MIS should be able to bind to those low ports without sudo.  This or Zero Reader's suggestion of using higher ports are probably the best route security wise.  Although unlikely, if MIS were to be compromised and it was sudo'd, then the attacker would have admin/write access to the rest of the system.

You could harden it even further by running MIS in a chroot jail.

-=-
Rob

.... DOS=HIGH?  I knew it was on something...

--- Mystic BBS v1.12 A47 2021/12/25 (Windows/32)
 * Origin: ReTR0aKTiV.com (21:3/168)

.