Network – Open Connection on Port 80 for 0.0.0.0

Networkpermissionunix

My understanding of Linux/MacOS (I think they are the same in this regard) port permissions is that ports 1-1024 are only available to root, but above that, they are available to anyone.

However, I've run into some unexpected behavior when opening ports on MacOS 10.14.2. I'm using php -S (version 7.3.0) to experiment.

When I run the command with the following cases:

127.0.0.1:80
[::1]:80
mylocalipv4:80
mylocalipv6:80

it returns Failed to listen on ::1:80 (reason: Permission denied) as expected (where the IP/port given is shown).

However, if I run it with 0.0.0.0:80, it successfully starts listening, but I can't connect to it with curl, either using 127.0.0.1 or the actual IP of my machine.

If I run the PHP server with [::0]:80 it successfully starts listening, and I can curl it with curl [::1] and with my local ipv6 address.

I would have expected the last two cases to fail to start with permission denied. Why don't they?

Best Answer

From testing I can see that it is possible for a desktop macOS users to bind() TCP port numbers below 1024 (the so-called well-known ports). It works on both IPv4 and IPv6, and on the localhost/unspecified addresses.

The Darwin kernel source code is freely available - from there I can see that it has the functionality built-in to check for processes trying to bind/listen on ports <1024 and deny that. This is similar to the way Linux works. However, it is possible to disable this check when compiling the kernel by defining "IPNOPRIVPORTS". I assume this is what was done with the Mojave supplied kernel.

On Linux it used to be the case that it wasn't possible for non-root to bind low port numbers, but today you have various options of allowing non-root users to bind to low numbered ports. Such as for example using the capability NET_BIND_SERVICE.

On macOS you also have various options for restricting binding low-numbered ports. For example through kexts that does socket filtering, or through other means. Perhaps you have software installed, such as for example Little Snitch, that denied you permission when you were testing.

Please note that the various IP-addresses you have tried with have entirely different meanings:

 127.0.0.1 = IPv4 address that means the "localhost" (i.e. your own computer basically) - it is not available on the network
 [::1]     = the IPv6 equivalent of 127.0.0.1

 0.0.0.0   = IPv4 "unspecified address" - i.e. this is not an address in itself, rather it is a special value you give to bind() to let it know that you haven't specified a specific address that you want the port bind() on. Essentially this means that the port will be bound on all the IP-addresses you have.
 [::0]     = IPv6 equivalent of 0.0.0.0 (though usually written [::/128])

This can explain why some things failed and some things succeeded. For example you might not be able to bind to 127.0.0.1, but 0.0.0.0 works as it tries to bind the port not only on 127.0.0.1 but also on other IP-addresses you have.

Related Solutions

Network – Resolving Host Connection Issues in Terminal/Safari

Your launch daemon com.apple.mDNSResponder.reloaded is not loaded properly.

You can check this by entering sudo launchctl list | grep DNS.

The result should yield something like this:

-   0   com.apple.mDNSResponderHelper.reloaded
108 0   com.apple.mDNSResponder.reloaded

108 is the pid and should differ on your system.

Check your com.apple.mDNSResponder.plist for errors with:

cat /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist

It should look like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.apple.mDNSResponder.reloaded</string>
    <key>OnDemand</key>
    <false/>
    <key>InitGroups</key>
    <false/>
    <key>UserName</key>
    <string>_mdnsresponder</string>
    <key>GroupName</key>
    <string>_mdnsresponder</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/sbin/mDNSResponder</string>
    </array>
    <key>MachServices</key>
    <dict>
        <key>com.apple.mDNSResponder</key>
        <true/>
            <key>com.apple.mDNSResponder.dnsproxy</key>
            <true/>
    </dict>
    <key>Sockets</key>
    <dict>
        <key>Listeners</key>
        <dict>
            <key>SockFamily</key>
            <string>Unix</string>
            <key>SockPathName</key>
            <string>/var/run/mDNSResponder</string>
            <key>SockPathMode</key>
            <integer>438</integer>
        </dict>
    </dict>
    <key>POSIXSpawnType</key>
    <string>Interactive</string>
    <key>EnablePressuredExit</key>
    <false/>
</dict>
</plist>

Remove the lines <key>com.apple.mDNSResponder.reloaded</key> and the immediately following <false/> or <true/> from the file disabled.plist by editing it with

sudo nano /private/var/db/com.apple.xpc.launchd/disabled.plist

You may have to disable SIP to do so!

Remove the mDNSResponder daemon from the launchctl database with:

sudo launchctl remove com.apple.mDNSResponder.reloaded

Re-add it with

sudo launchctl load /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist

Reboot.

MacOS – How to find culprit blocking TCP ports 80, 443, and 5223 on macOS

There are two things you confuse:

FaceTime and iMessage require communication on ports specified in the article for outbound connections.
Your "Permission denied" message is related to opening the port 80 for inbound connections. It's not because of any process blocking it, but if you want to make a process listen on a port less than 1024, you need to use root, so:
```
sudo python -m SimpleHTTPServer 80
```

Best Answer

Related Solutions

Network – Resolving Host Connection Issues in Terminal/Safari

MacOS – How to find culprit blocking TCP ports 80, 443, and 5223 on macOS

Related Question