Bind socket < 1023 EACCES (Permission denied)

[AdamBialas]

I try to bind ruby simple http server with this command :

ruby -run -ehttpd . -p1023 -b 127.0.0.1 

but server can't bind port with this trace :

socket(PF_INET, SOCK_STREAM|SOCK_CLOEXEC, IPPROTO_TCP) = 7
fcntl(7, F_GETFD)                       = 0x1 (flags FD_CLOEXEC)
fstat(7, {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
getsockname(7, {sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("0.0.0.0")}, [16]) = 0
setsockopt(7, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
bind(7, {sa_family=AF_INET, sin_port=htons(1023), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 EACCES (Permission denied)
close(7)                                = 0
write(2, "/usr/lib/ruby/2.3.0/socket.rb:20"..., 43) = 43
write(2, ": ", 2)                       = 2
write(2, "Permission denied - bind(2) for "..., 46) = 46
write(2, " (", 2)                       = 2
write(2, "Errno::EACCES", 13)           = 13
write(2, ")\n", 2)                      = 2
write(2, "\tfrom /usr/lib/ruby/2.3.0/socket"..., 52) = 52
write(2, "\tfrom /usr/lib/ruby/2.3.0/socket"..., 73) = 73
write(2, "\tfrom /usr/lib/ruby/2.3.0/socket"..., 50) = 50
write(2, "\tfrom /usr/lib/ruby/2.3.0/socket"..., 53) = 53
write(2, "\tfrom /usr/lib/ruby/2.3.0/socket"..., 64) = 64
write(2, "\tfrom /usr/lib/ruby/2.3.0/webric"..., 68) = 68
write(2, "\tfrom /usr/lib/ruby/2.3.0/webric"..., 60) = 60
write(2, "\tfrom /usr/lib/ruby/2.3.0/webric"..., 64) = 64
write(2, "\tfrom /usr/lib/ruby/2.3.0/webric"..., 67) = 67
write(2, "\tfrom /usr/lib/ruby/2.3.0/un.rb:"..., 45) = 45
write(2, "\tfrom /usr/lib/ruby/2.3.0/un.rb:"..., 56) = 56
write(2, "\tfrom /usr/lib/ruby/2.3.0/un.rb:"..., 46) = 46
write(2, "\tfrom /usr/lib/ruby/2.3.0/un.rb:"..., 47) = 47
write(2, "\tfrom -e:1:in `<main>'\n", 23) = 23
rt_sigaction(SIGINT, {SIG_IGN, [], SA_RESTORER, 0x7fd70d9e54b0}, {0x7fd70de96990, [], SA_RESTORER|SA_SIGINFO, 0x7fd70d9e54b0}, 8) = 0
rt_sigaction(SIGINT, {SIG_DFL, [], SA_RESTORER, 0x7fd70d9e54b0}, {SIG_IGN, [], SA_RESTORER, 0x7fd70d9e54b0}, 8) = 0
close(4)                                = 0
close(6)                                = 0
munmap(0x7fd70cca0000, 1052672)         = 0
exit_group(1)                           = ?
+++ exited with 1 +++ 

---

There is no problem with bind on port > 1023 with strace :

socket(PF_INET, SOCK_STREAM|SOCK_CLOEXEC, IPPROTO_TCP) = 7
fcntl(7, F_GETFD)                       = 0x1 (flags FD_CLOEXEC)
fstat(7, {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
getsockname(7, {sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("0.0.0.0")}, [16]) = 0
setsockopt(7, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
bind(7, {sa_family=AF_INET, sin_port=htons(1024), sin_addr=inet_addr("127.0.0.1")}, 16) = 0
listen(7, 128)                          = 0
fstat(7, {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
clock_gettime(CLOCK_REALTIME, {1493192038, 601962400}) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1073, ...}) = 0
ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
rt_sigaction(SIGTERM, {0x7fcae8c96990, [], SA_RESTORER|SA_SIGINFO, 0x7fcae87e54b0}, {0x7fcae8c96990, [], SA_RESTORER|SA_SIGINFO, 0x7fcae87e54b0}, 8) = 0
rt_sigaction(SIGQUIT, {0x7fcae8c96990, [], SA_RESTORER|SA_SIGINFO, 0x7fcae87e54b0}, {0x7fcae8c96990, [], SA_RESTORER|SA_SIGINFO, 0x7fcae87e54b0}, 8) = 0
rt_sigaction(SIGHUP, {0x7fcae8c96990, [], SA_RESTORER|SA_SIGINFO, 0x7fcae87e54b0}, {0x7fcae8c96990, [], SA_RESTORER|SA_SIGINFO, 0x7fcae87e54b0}, 8) = 0
rt_sigaction(SIGINT, {0x7fcae8c96990, [], SA_RESTORER|SA_SIGINFO, 0x7fcae87e54b0}, {0x7fcae8c96990, [], SA_RESTORER|SA_SIGINFO, 0x7fcae87e54b0}, 8) = 0
pipe2([8, 9], O_CLOEXEC)                = 0
fcntl(8, F_GETFL)                       = 0 (flags O_RDONLY)
ioctl(8, TCGETS, 0x7fffc9f41000)        = -1 ENOTTY (Inappropriate ioctl for device)
fcntl(9, F_GETFL)                       = 0x1 (flags O_WRONLY)
ioctl(9, TCGETS, 0x7fffc9f41000)        = -1 ENOTTY (Inappropriate ioctl for device)
clock_gettime(CLOCK_REALTIME, {1493192038, 602767900}) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1073, ...}) = 0
write(2, "[2017-04-26 09:33:58] INFO  WEBr"..., 73) = 73
clock_gettime(CLOCK_MONOTONIC, {1101, 404789000}) = 0
select(9, [7 8], NULL, NULL, {2, 0})    = 0 (Timeout)
clock_gettime(CLOCK_MONOTONIC, {1103, 406000000}) = 0
select(9, [7 8], NULL, NULL, {2, 0})    = 0 (Timeout)
clock_gettime(CLOCK_MONOTONIC, {1105, 407676000}) = 0
select(9, [7 8], NULL, NULL, {2, 0})    = 0 (Timeout)
clock_gettime(CLOCK_MONOTONIC, {1107, 408786000}) = 0
select(9, [7 8], NULL, NULL, {2, 0}

But socket still is not accesable from windows :(
My ifconfig output :

eth0      Link encap:Ethernet  HWaddr 1c:6f:65:81:21:70
          inet addr:192.168.0.248  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth1      Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          unspec addr:[NONE SET]  Mask:00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet6 addr: 2001:0:9d38:6abd:3830:25e4:62e6:9b15/64 Scope:Global
          inet6 addr: fe80::3830:25e4:62e6:9b15/64 Scope:Global
          UP RUNNING  MTU:1472  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Global
          UP LOOPBACK RUNNING  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

[CherryDT]

Are you sure you ran ruby as root (e.g. sudo ruby .....)? Ports below 1024 are known under Linux as "privileged ports" and require root.

An alternative would be authbind or setcap with cap_net_bind_service to allow ruby to bind to privileged ports without root, I haven't tested if those work on WSL though.

[therealkenc]

Only limited support for capabilities on WSL right now. #574 #871 #1303 and friends.

[rodrymbo]

The other thing to check for is that some other program (e.g. Skype, on the Windows side, sometimes listens on 80) isn't already using the port. One can do that with something like e.g. netstat -an | findstr :1023 from Windows.

On a regular Linux machine one would normally need to use sudo to open a port below 1024 ... Not sure if that also requires running bash.exe elevated (and from a clean start).

[benhillis]

Could you give this a try on build 16226 or later? I've added support for the security.capability xattr.

[therealkenc]

The OP was straight up linux-behavior (absence sudo(8) on ruby(1)). Discussion diverge to subject setcap(8) was addressed in 16226.