MacOS – How to open port 80 so a non-root process can bind to it

macosNetworksoftware

I want to run a web server on my Mac as a non-root process. Normally only root processes can bind to port 80 (or to any port below 1024).

Can I open port 80 specifically so that non-root processes can listen on it?

Best Answer

This is difficult to do by design, and unless you have root access to your machine none of the following will work as they require root to setup the changes. Once changed, though, userspace programs will have access without having root.

There are two common ways to accomplish this, and which you choose will depend on why you're trying to work around the restriction:

Point port 80 to another port, such as 8080

By reconfiguring your machine to pass all port 80 traffic to port 8080, or any port of your choosing, then you can allow user space servers to receive root privilege ports in the area they are given access to.

The process is straightforward:

Step 1: View current firewall rules.
sudo ipfw show
Step 2: Add port forwarding rule (80 to 8080)
sudo ipfw add 100 fwd 127.0.0.1,8080 tcp from any to any 80 in
If you want to remove your firewall rules run:
sudo ipfw flush

(source)

This is a temporary change, and will revert once you reboot, or flush as indicated int he last line.

You can make the change permanent, or you could add the command as a startup line prior to starting your server, which is probably safer from the standpoint of security.

Use Authbind

Authbind was designed specifically to allow one program access to lower level ports without giving it full root access.

There is a MacOSX port:

https://github.com/Castaglia/MacOSX-authbind

It may still be limited to IPv4 traffic, though, so you may have to do some additional investigation to find if it meets your needs

Related Solutions

Unkown process listening at port 8080

I noticed this very problem on my Macbook. I was trying to use port 8080 for some testing and I received the error that another process was already listening on it. My invocation of nmap returned different results depending on whether I was using sudo or not. This did not make sense to me.

I was really concerned when I could not figure out what was processes were listening on these ports using sudo lsof -P -n -iTCP | grep LIST. This led me to believe that there was malicious software intentionally hiding itself.

I ended up removing files from /Library/LaunchDaemons/ until I narrowed it down to the culprit. The application responsible for all these opened ports was the Cisco AnyConnect Secure Mobile Client. Unfortunately, in order for this Cisco VPN client to work, it must have all these ports opened. Apparently, it is also responsible for the firewall rule addition that you reported with ipfw show.

It still boggles my mind why it does not show which process is responsible for the open ports when using lsof. No application should be able to avoid being listed using this method. Perhaps the reason for the process not being listed will be answered in another stackexchange question.

OSX Firewall: Forwarding Ports & Ignoring Non-Local Requests

One solution, using IPFW, which co-exists with PF as of OS X 10.9 (Mavericks) is to simply run the command:

sudo ipfw add 100 fwd 127.0.0.1,8080 tcp from any to me 80