Re: Running network services as a non-root user




Craig White wrote:
On Sun, 2008-03-16 at 15:33 -0500, Les Mikesell wrote:
John R Pierce wrote:

I am using open source Alfresco (alfresco.com), written in java, which has its own code for FTP, CIFS (running on tomcat apache and java). I need to run tomcat5 as root in order to achieve that alfresco will bind ftp cifs on privileged ports (21, 135 ...).

I am wondering whether it is possible to allow a user to bind on some privileged port. Like having the whole of alfresco running under user alfresco and not root and able to bind on privileged ports?

the way that's conventionally done is by having a small SUID program (with the S bit set) which is invoked from the main program and opens the privileged socket, then hands it back to the unprivileged rest of the program. I have no idea how you'd do this with java short of using native code interfaces.

that seems like a huge and very complex system, running that whole thing as root would be a nightmare from a security audit perspective.
Another approach that may or may not work with Alfresco is to configure the application to use high-numbered ports instead of the standard ones, then use iptables to redirect connections to the standard port numbers to the ones where the application runs.
----
you may recall that in December, I was faced with this very issue but on
the Fedora List...probably the wrong list since I'm actually using it on
a CentOS-5 system...

https://www.redhat.com/archives/fedora-list/2007-December/msg01169.html

and I suggest that you may recall because you participated in the
thread.

I was never able to figure out how to redirect those ports...though I
would change in a heartbeat if I could figure out how that is done.

did you see:
http://wiki.alfresco.com/wiki/File_Server_Configuration#Running_SMB.2FCIFS_from_a_normal_user_account


In particular, the part that says:
"For some reason the UDP forwarding does not seem to work, this affects the NetBIOS name lookups. To get around the problem you can either add a DNS entry matching the CIFS server name and/or add a static WINS mapping, or add an entry to the client's LMHOSTS file."

otherwise, would it be possible to run samba as a "proxy" on the server?
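An added example, not code from the thread or from Alfresco: a shell script that generates the iptables REDIRECT rules Les Mikesell describes, mapping the standard FTP (21) and CIFS (139/445) TCP ports to high ports where a non-root Alfresco could listen. The high ports 2121, 1139 and 1445 are assumed placeholders, and UDP 137/138 is deliberately left alone because of the NetBIOS caveat quoted from the wiki above.

```shell
#!/bin/sh
# Added example: emit iptables NAT rules that redirect privileged ports to
# high ports so the application can run unprivileged. The high port numbers
# are placeholders, not Alfresco defaults.

# redirect_rule PROTO LOWPORT HIGHPORT
# Prints two rules: PREROUTING catches traffic arriving from the network;
# the nat OUTPUT rule on lo is needed as well because locally originated
# connections (e.g. a test against 127.0.0.1) never traverse PREROUTING.
redirect_rule() {
    proto=$1; low=$2; high=$3
    echo "iptables -t nat -A PREROUTING -p $proto --dport $low -j REDIRECT --to-ports $high"
    echo "iptables -t nat -A OUTPUT -o lo -p $proto --dport $low -j REDIRECT --to-ports $high"
}

# alfresco_redirects: full TCP rule set for FTP and CIFS/NetBIOS session.
# UDP 137/138 (NetBIOS name service) is intentionally not redirected: the
# wiki quoted above reports UDP forwarding does not work for name lookups,
# so resolve the server name via DNS, a static WINS mapping or LMHOSTS.
alfresco_redirects() {
    redirect_rule tcp 21 2121     # FTP control channel
    redirect_rule tcp 139 1139    # NetBIOS session service
    redirect_rule tcp 445 1445    # direct-hosted SMB/CIFS
}

# apply_redirects [dry]: run the rules (needs root); "dry" only prints them.
apply_redirects() {
    if [ "$1" = "dry" ]; then
        alfresco_redirects
    else
        alfresco_redirects | while read -r cmd; do $cmd || exit 1; done
    fi
}
```

Run `apply_redirects dry` to review the rules before applying them as root; the application itself must then be configured to listen on the high ports.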

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
