[CentOS] Running network services as a non-root user
Les Mikesell
lesmikesell at gmail.com
Sun Mar 16 20:33:11 UTC 2008
John R Pierce wrote:
>>
>> I am using open source Alfresco( alfresco.com ), written in java,
>> which has own code for FTP, CIFS (running on tomcat apache and java).
>> I need to run tomcat5 as root in order to achieve that alfresco will
>> bind ftp cifs on privileged ports (21, 135, ...).
>>
>> I am wondering, it is possible to allow user to bind on some
>> privileged port. Like having whole alfresco running under user
>> alfresco and not root and able to bind on privileged ports?
>>
>
>
> the way that's conventionally done is by having a small SUID program
> (with the S bit set) which is invoked from the main program and opens
> the privileged socket, then hands it back to the unprivileged rest of
> the program. I have no idea how you'd do this with java short of using
> native code interfaces.
>
> that seems like a huge and very complex system, running that whole thing
> as root would be a nightmare from a security audit perspective.
Another approach that may or may not work with Alfresco is to configure
the application to use high-numbered ports instead of the standard ones,
then use iptables to redirect connections to the standard port numbers
to the ones where the application runs.
--
Les Mikesell
lesmikesell at gmail.com
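The redirect approach from the reply above, as an added example that is not part of the original thread: the service listens on unprivileged high ports and iptables rewrites the destination of incoming connections to the standard ports. The high port numbers (2121 for FTP control, 10445 for CIFS on 445) are constructed values for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread: emit iptables NAT rules that
# send traffic for a privileged port to a high port where an unprivileged
# service listens. Nothing is applied unless "apply" is passed.

# redirect_rules PROTO PRIV_PORT HIGH_PORT
# Two rules are needed: PREROUTING for packets arriving from the network,
# and OUTPUT for connections made on the host itself, because locally
# generated packets never traverse PREROUTING. "-o lo" keeps the OUTPUT
# rule from also redirecting outbound connections to remote FTP servers.
redirect_rules() {
    proto=$1; priv=$2; high=$3
    printf 'iptables -t nat -A PREROUTING -p %s --dport %s -j REDIRECT --to-ports %s\n' \
        "$proto" "$priv" "$high"
    printf 'iptables -t nat -A OUTPUT -o lo -p %s --dport %s -j REDIRECT --to-ports %s\n' \
        "$proto" "$priv" "$high"
}

# Mapping for the services named in the thread; high ports are assumed
# values chosen for this example (FTP control 21 -> 2121, CIFS 445 -> 10445).
alfresco_rules() {
    redirect_rules tcp 21 2121
    redirect_rules tcp 445 10445
}

# Print by default so the rules can be reviewed; "apply" runs them (as root).
case "$1" in
    apply) alfresco_rules | sh ;;
    *)     alfresco_rules ;;
esac
```

The high ports remain directly reachable, so filter them in the INPUT chain if only the standard ports should be exposed; REDIRECT rewrites the destination to the address of the receiving interface, so the service must listen on that address rather than only on localhost.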