Craig White wrote:
I am using open source Alfresco (alfresco.com), written in Java,
which has its own code for FTP, CIFS (running on Tomcat Apache and Java).
I need to run tomcat5 as root in order to achieve that Alfresco will
bind FTP/CIFS on privileged ports (21, 135 ...).
I am wondering, is it possible to allow a user to bind on some
privileged port? Like having the whole of Alfresco running under user
alfresco and not root and able to bind on privileged ports?
The way that's conventionally done is by having a small SUID program
(with the S bit set) which is invoked from the main program and opens
the privileged socket, then hands it back to the unprivileged rest of
the program. I have no idea how you'd do this with Java short of using
native code interfaces.
That seems like a huge and very complex system; running that whole thing
as root would be a nightmare from a security audit perspective.
Another approach that may or may not work with Alfresco is to configure
the application to use high-numbered ports instead of the standard ones,
then use iptables to redirect connections to the standard port numbers
to the ones where the application runs.
----
you may recall that in December, I was faced with this very issue but on
the Fedora List...probably the wrong list since I'm actually using it on
a CentOS-5 system...
https://www.redhat.com/archives/fedora-list/2007-December/msg01169.html
and I suggest that you may recall because you participated in the
thread.
I was never able to figure out how to redirect those ports...though I
would change in a heartbeat if I could figure out how that is done.
I don't see my reply in that thread, but it should need an OUTPUT line
corresponding to each PREROUTING entry. I have this working on a lot of
machines sending tcp port 80 to a server on 8080, so I know it works
with TCP. Have you tried a simple case to see if you have the syntax
right? There may be some quirks for udp or cifs.
----
You took 2 shots at it actually...
https://www.redhat.com/archives/fedora-list/2007-December/msg01231.html
https://www.redhat.com/archives/fedora-list/2007-December/msg01240.html
Yes, note that in your first link (I think it was the first link), your
suggestion was to add a rule for OUTPUT packets corresponding to
PREROUTING packets too.
Did you try it in a simpler case like port 80 to tomcat on 8080?
--
Les Mikesell
lesmikesell@xxxxxxxxx
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
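The redirect approach discussed above (PREROUTING for traffic from other hosts plus a matching OUTPUT rule for connections from the box itself, as Les points out) as an added example that is not part of the thread: a POSIX sh script that emits the nat rules for a set of privileged-port to high-port mappings. The port numbers, the `eth0` interface and the assumption that Alfresco has been reconfigured to listen on the high ports are all illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): print the iptables nat rules that send
# privileged-port traffic to the high ports an unprivileged Alfresco/Tomcat
# listens on. The rules are printed, not applied, so the script is safe to
# dry-run; pipe the output into sh as root once the mapping looks right.

# redirect_rules PROTO PRIVPORT HIGHPORT [IFACE]
# Emits two rules for one mapping:
#  - PREROUTING: packets arriving from other hosts (optionally only on IFACE)
#  - OUTPUT: packets the machine sends to itself, which never traverse
#    PREROUTING; without this line local tests against port 21 fail.
redirect_rules() {
    proto=$1; priv=$2; high=$3; iface=${4:-}
    in_if=""
    if [ -n "$iface" ]; then
        in_if="-i $iface "
    fi
    printf 'iptables -t nat -A PREROUTING %s-p %s --dport %s -j REDIRECT --to-ports %s\n' \
        "$in_if" "$proto" "$priv" "$high"
    printf 'iptables -t nat -A OUTPUT -o lo -p %s --dport %s -j REDIRECT --to-ports %s\n' \
        "$proto" "$priv" "$high"
}

# Constructed mapping table (assumption): one line per "proto priv high".
# 21 is FTP as in the question; 445 TCP and 137 UDP are CIFS ports, included
# to show that the same rule shape covers UDP. The high ports must match
# what the Alfresco file-server configuration is set to listen on.
redirect_all() {
    while read -r proto priv high; do
        if [ -n "$proto" ]; then
            redirect_rules "$proto" "$priv" "$high" eth0
        fi
    done <<'EOF'
tcp 21 2121
tcp 445 1445
udp 137 1137
EOF
}

# Check after applying: 'iptables -t nat -L -n -v' shows per-rule packet
# counters, so a connection to port 21 from another host should bump the
# PREROUTING rule and one from localhost the OUTPUT rule. Start with a
# single tcp 80 -> 8080 mapping, as suggested in the thread, before adding
# the rest.
if [ "${1:-}" = "print" ]; then
    redirect_all
fi
```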