Allowing a user to listen on a port below 1024

setcap 'cap_net_bind_service=+ep' /path/to/program

This will work for specific processes. But to allow a particular user to bind to ports below 1024, you will have to add him to sudoers.

Have a look at this discussion for more.


(Some of these methods have been mentioned in other answers; I'm giving several possible choices in rough order of preference.)

You can redirect the low port to a high port and listen on the high port.

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 1080

You can start your server as root and drop privileges after it's started listening on the privileged port. Preferably, rather than coding that yourself, start your server from a wrapper that does the job for you. If your server starts one instance per connection, start it from inetd (or a similar program such as xinetd). For inetd, use a line like this in /etc/inetd.conf:

http  stream  tcp  nowait  username:groupname  /path/to/server/executable  argv[0] argv[1]…

If your server listens in a single instance, start it from a program such as authbind. Either create an empty file /etc/authbind/byport/80 and make it executable to the user running the server; or create /etc/authbind/byuid/1234, where 1234 is the UID running the server, containing the line 0.0.0.0/0:80,80.

If your server executable is stored on a filesystem that supports capabilities, you can give it the cap_net_bind_service capability. Beware that capabilities are still relatively new and still have a few kinks.

setcap cap_net_bind_service=ep /path/to/server/executable

The short answer is that this is not possible by design.

The long answer is that in the open source world there are lots of people playing with the design and coming up with alternate methods. In general, it is widely accepted practice that this should not be possible. The fact that you are trying probably means you have another design fault in your system and should reconsider your whole system architecture in light of *nix best practices and security implications.

That said, one program for authorizing non-root access to low ports is authbind. Both SELinux and grsecurity also provide frameworks for such fine-tuned authentications.

Lastly, if you want specific users to run specific programs as root and what you really need is just to allow a user to restart apache or something like that, sudo is your friend!