Hi,
I am using open source Alfresco (alfresco.com), written in java, which has its own code for FTP, CIFS (running on tomcat apache and java). I need to run tomcat5 as root in order to achieve that alfresco will bind ftp cifs on privileged ports (21, 135, ...).
I am wondering, is it possible to allow a user to bind on some privileged port? Like having whole alfresco running under user alfresco and not root and able to bind on privileged ports?
CentOS 5.1
Thanks!
David
David Hláčik wrote:
> Hi,
> I am using open source Alfresco (alfresco.com), written in java, which has its own code for FTP, CIFS (running on tomcat apache and java). I need to run tomcat5 as root in order to achieve that alfresco will bind ftp cifs on privileged ports (21, 135, ...).
> I am wondering, is it possible to allow a user to bind on some privileged port? Like having whole alfresco running under user alfresco and not root and able to bind on privileged ports?
the way that's conventionally done is by having a small SUID program (with the S bit set) which is invoked from the main program and opens the privileged socket, then hands it back to the unprivileged rest of the program. I have no idea how you'd do this with java short of using native code interfaces.
that seems like a huge and very complex system; running that whole thing as root would be a nightmare from a security audit perspective.
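The pattern John describes, a small privileged helper that opens the socket and hands it to the unprivileged program, is descriptor passing over a Unix socket (SCM_RIGHTS). The following is an added example written for this thread; it is not code from the list, from Alfresco, or from CentOS. It assumes both roles run in one process over a socketpair() so it can be compiled and run without root (port 0 lets the kernel pick a free high port); in a real split the helper would be a separate setuid binary, the two sides would talk over a named AF_UNIX socket, and the helper would be asked for a port such as 21. The Java side would still need a native interface to receive the descriptor, as John notes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <netinet/in.h>

/* Privileged side: open a listening TCP socket on 127.0.0.1:port. Only this
 * small piece would run with elevated rights (a setuid helper in practice). */
static int helper_bind_listen(uint16_t port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Helper hands the open socket across the Unix socket `chan` as SCM_RIGHTS
 * ancillary data attached to a one-byte message. */
static int send_fd(int chan, int fd) {
    char byte = 'S';
    struct iovec iov = { &byte, 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } ctl = {{0}};
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = ctl.buf, .msg_controllen = sizeof ctl.buf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof fd);
    return sendmsg(chan, &msg, 0) == 1 ? 0 : -1;
}

/* Unprivileged side: receive its own copy of the descriptor, or -1. */
static int recv_fd(int chan) {
    char byte;
    struct iovec iov = { &byte, 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } ctl = {{0}};
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = ctl.buf, .msg_controllen = sizeof ctl.buf };
    if (recvmsg(chan, &msg, 0) != 1)
        return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (c == NULL || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS)
        return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(c), sizeof fd);
    return fd;
}

/* Check what arrived: the port of a listening TCP socket, else 0. */
static uint16_t listening_port(int fd) {
    int accepting = 0;
    struct sockaddr_in sa;
    socklen_t olen = sizeof accepting, len = sizeof sa;
    if (getsockopt(fd, SOL_SOCKET, SO_ACCEPTCONN, &accepting, &olen) < 0 || !accepting)
        return 0;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0)
        return 0;
    return ntohs(sa.sin_port);
}

/* Whole handoff in one process over socketpair(): chan[0] plays the privileged
 * helper, chan[1] the unprivileged server. Returns the port the received socket
 * listens on, or 0 on any failure. Port 0 = let the kernel pick (no root needed). */
uint16_t handoff_demo(uint16_t port) {
    int chan[2];
    uint16_t result = 0;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, chan) < 0)
        return 0;
    int lfd = helper_bind_listen(port);
    if (lfd >= 0) {
        int sent = send_fd(chan[0], lfd);
        close(lfd);                 /* helper keeps no copy once handed over */
        int got = sent == 0 ? recv_fd(chan[1]) : -1;
        if (got >= 0) {
            result = listening_port(got);
            close(got);
        }
    }
    close(chan[0]);
    close(chan[1]);
    return result;
}

int main(void) {
    printf("unprivileged side holds a listener on port %u\n", (unsigned)handoff_demo(0));
    return 0;
}
```

The point of the split is the one John makes: the code that runs with privilege is the few dozen lines in helper_bind_listen and send_fd, not all of Tomcat plus Alfresco. A real helper should accept only a fixed list of ports and bind addresses rather than whatever the caller asks for, and the unprivileged side should treat the received descriptor as untrusted input, which is why listening_port checks SO_ACCEPTCONN and the bound address before using it.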
John R Pierce wrote:
>> I am using open source Alfresco (alfresco.com), written in java, which has its own code for FTP, CIFS (running on tomcat apache and java). I need to run tomcat5 as root in order to achieve that alfresco will bind ftp cifs on privileged ports (21, 135, ...).
>> I am wondering, is it possible to allow a user to bind on some privileged port? Like having whole alfresco running under user alfresco and not root and able to bind on privileged ports?
> the way that's conventionally done is by having a small SUID program (with the S bit set) which is invoked from the main program and opens the privileged socket, then hands it back to the unprivileged rest of the program. I have no idea how you'd do this with java short of using native code interfaces.
> that seems like a huge and very complex system; running that whole thing as root would be a nightmare from a security audit perspective.
Another approach that may or may not work with Alfresco is to configure the application to use high-numbered ports instead of the standard ones, then use iptables to redirect connections to the standard port numbers to the ones where the application runs.
On Sun, 2008-03-16 at 15:33 -0500, Les Mikesell wrote:
> John R Pierce wrote:
>>> I am using open source Alfresco (alfresco.com), written in java, which has its own code for FTP, CIFS (running on tomcat apache and java). I need to run tomcat5 as root in order to achieve that alfresco will bind ftp cifs on privileged ports (21, 135, ...).
>>> I am wondering, is it possible to allow a user to bind on some privileged port? Like having whole alfresco running under user alfresco and not root and able to bind on privileged ports?
>> the way that's conventionally done is by having a small SUID program (with the S bit set) which is invoked from the main program and opens the privileged socket, then hands it back to the unprivileged rest of the program. I have no idea how you'd do this with java short of using native code interfaces.
>> that seems like a huge and very complex system; running that whole thing as root would be a nightmare from a security audit perspective.
> Another approach that may or may not work with Alfresco is to configure the application to use high-numbered ports instead of the standard ones, then use iptables to redirect connections to the standard port numbers to the ones where the application runs.
----
you may recall that in December, I was faced with this very issue but on the Fedora List...probably the wrong list since I'm actually using it on a CentOS-5 system...
https://www.redhat.com/archives/fedora-list/2007-December/msg01169.html
and I suggest that you may recall because you participated in the thread.
I was never able to figure out how to redirect those ports...though I would change in a heartbeat if I could figure out how that is done.
Craig
Craig White wrote:
> On Sun, 2008-03-16 at 15:33 -0500, Les Mikesell wrote:
>> John R Pierce wrote:
>>>> I am using open source Alfresco (alfresco.com), written in java, which has its own code for FTP, CIFS (running on tomcat apache and java). I need to run tomcat5 as root in order to achieve that alfresco will bind ftp cifs on privileged ports (21, 135, ...).
>>>> I am wondering, is it possible to allow a user to bind on some privileged port? Like having whole alfresco running under user alfresco and not root and able to bind on privileged ports?
>>> the way that's conventionally done is by having a small SUID program (with the S bit set) which is invoked from the main program and opens the privileged socket, then hands it back to the unprivileged rest of the program. I have no idea how you'd do this with java short of using native code interfaces.
>>> that seems like a huge and very complex system; running that whole thing as root would be a nightmare from a security audit perspective.
>> Another approach that may or may not work with Alfresco is to configure the application to use high-numbered ports instead of the standard ones, then use iptables to redirect connections to the standard port numbers to the ones where the application runs.
> you may recall that in December, I was faced with this very issue but on the Fedora List...probably the wrong list since I'm actually using it on a CentOS-5 system...
> https://www.redhat.com/archives/fedora-list/2007-December/msg01169.html
> and I suggest that you may recall because you participated in the thread.
> I was never able to figure out how to redirect those ports...though I would change in a heartbeat if I could figure out how that is done.
did you see: http://wiki.alfresco.com/wiki/File_Server_Configuration#Running_SMB.2FCIFS_f...
In particular, the part that says: "For some reason the UDP forwarding does not seem to work, this affects the NetBIOS name lookups. To get around the problem you can either add a DNS entry matching the CIFS server name and/or add a static WINS mapping, or add an entry to the clients LMHOSTS file."
otherwise, would it be possible to run samba as a "proxy" on the server?
On Sun, 2008-03-16 at 23:21 +0100, mouss wrote:
> Craig White wrote:
>> On Sun, 2008-03-16 at 15:33 -0500, Les Mikesell wrote:
>>> John R Pierce wrote:
>>>>> I am using open source Alfresco (alfresco.com), written in java, which has its own code for FTP, CIFS (running on tomcat apache and java). I need to run tomcat5 as root in order to achieve that alfresco will bind ftp cifs on privileged ports (21, 135, ...).
>>>>> I am wondering, is it possible to allow a user to bind on some privileged port? Like having whole alfresco running under user alfresco and not root and able to bind on privileged ports?
>>>> the way that's conventionally done is by having a small SUID program (with the S bit set) which is invoked from the main program and opens the privileged socket, then hands it back to the unprivileged rest of the program. I have no idea how you'd do this with java short of using native code interfaces.
>>>> that seems like a huge and very complex system; running that whole thing as root would be a nightmare from a security audit perspective.
>>> Another approach that may or may not work with Alfresco is to configure the application to use high-numbered ports instead of the standard ones, then use iptables to redirect connections to the standard port numbers to the ones where the application runs.
>> you may recall that in December, I was faced with this very issue but on the Fedora List...probably the wrong list since I'm actually using it on a CentOS-5 system...
>> https://www.redhat.com/archives/fedora-list/2007-December/msg01169.html
>> and I suggest that you may recall because you participated in the thread.
>> I was never able to figure out how to redirect those ports...though I would change in a heartbeat if I could figure out how that is done.
> did you see: http://wiki.alfresco.com/wiki/File_Server_Configuration#Running_SMB.2FCIFS_f...
> In particular, the part that says: "For some reason the UDP forwarding does not seem to work, this affects the NetBIOS name lookups. To get around the problem you can either add a DNS entry matching the CIFS server name and/or add a static WINS mapping, or add an entry to the clients LMHOSTS file."
> otherwise, would it be possible to run samba as a "proxy" on the server?
----
Alfresco creates a samba process from java and you have to have multiple IP addresses and run samba restricted to one of them and java's samba implementation on another. It's messy.
The issue of LMHOSTS or DNS didn't really matter since there probably weren't NetBIOS lookups. I could easily just use ip addresses but still couldn't get replies.
I gave up on that struggle 3 months ago. In the end, this server isn't exposed except to the internal LAN and I just ended up running tomcat as root.
Craig
Craig White wrote:
> On Sun, 2008-03-16 at 15:33 -0500, Les Mikesell wrote:
>> John R Pierce wrote:
>>>> I am using open source Alfresco (alfresco.com), written in java, which has its own code for FTP, CIFS (running on tomcat apache and java). I need to run tomcat5 as root in order to achieve that alfresco will bind ftp cifs on privileged ports (21, 135, ...).
>>>> I am wondering, is it possible to allow a user to bind on some privileged port? Like having whole alfresco running under user alfresco and not root and able to bind on privileged ports?
>>> the way that's conventionally done is by having a small SUID program (with the S bit set) which is invoked from the main program and opens the privileged socket, then hands it back to the unprivileged rest of the program. I have no idea how you'd do this with java short of using native code interfaces.
>>> that seems like a huge and very complex system; running that whole thing as root would be a nightmare from a security audit perspective.
>> Another approach that may or may not work with Alfresco is to configure the application to use high-numbered ports instead of the standard ones, then use iptables to redirect connections to the standard port numbers to the ones where the application runs.
> you may recall that in December, I was faced with this very issue but on the Fedora List...probably the wrong list since I'm actually using it on a CentOS-5 system...
> https://www.redhat.com/archives/fedora-list/2007-December/msg01169.html
> and I suggest that you may recall because you participated in the thread.
> I was never able to figure out how to redirect those ports...though I would change in a heartbeat if I could figure out how that is done.
I don't see my reply in that thread, but it should need an OUTPUT line corresponding to each PREROUTING entry. I have this working on a lot of machines sending tcp port 80 to a server on 8080, so I know it works with TCP. Have you tried a simple case to see if you have the syntax right? There may be some quirks for udp or cifs.
On Sun, 2008-03-16 at 18:06 -0500, Les Mikesell wrote:
> Craig White wrote:
>> On Sun, 2008-03-16 at 15:33 -0500, Les Mikesell wrote:
>>> John R Pierce wrote:
>>>>> I am using open source Alfresco (alfresco.com), written in java, which has its own code for FTP, CIFS (running on tomcat apache and java). I need to run tomcat5 as root in order to achieve that alfresco will bind ftp cifs on privileged ports (21, 135, ...).
>>>>> I am wondering, is it possible to allow a user to bind on some privileged port? Like having whole alfresco running under user alfresco and not root and able to bind on privileged ports?
>>>> the way that's conventionally done is by having a small SUID program (with the S bit set) which is invoked from the main program and opens the privileged socket, then hands it back to the unprivileged rest of the program. I have no idea how you'd do this with java short of using native code interfaces.
>>>> that seems like a huge and very complex system; running that whole thing as root would be a nightmare from a security audit perspective.
>>> Another approach that may or may not work with Alfresco is to configure the application to use high-numbered ports instead of the standard ones, then use iptables to redirect connections to the standard port numbers to the ones where the application runs.
>> you may recall that in December, I was faced with this very issue but on the Fedora List...probably the wrong list since I'm actually using it on a CentOS-5 system...
>> https://www.redhat.com/archives/fedora-list/2007-December/msg01169.html
>> and I suggest that you may recall because you participated in the thread.
>> I was never able to figure out how to redirect those ports...though I would change in a heartbeat if I could figure out how that is done.
> I don't see my reply in that thread, but it should need an OUTPUT line corresponding to each PREROUTING entry. I have this working on a lot of machines sending tcp port 80 to a server on 8080, so I know it works with TCP. Have you tried a simple case to see if you have the syntax right? There may be some quirks for udp or cifs.
----
you took 2 shots in it actually...
https://www.redhat.com/archives/fedora-list/2007-December/msg01231.html
https://www.redhat.com/archives/fedora-list/2007-December/msg01240.html
Yes, note that in your first link (I think it was the first link), your suggestion was to add a rule for OUTPUT packets corresponding to PREROUTING packets too.
Craig
Craig White wrote:
>>>>>> I am using open source Alfresco (alfresco.com), written in java, which has its own code for FTP, CIFS (running on tomcat apache and java). I need to run tomcat5 as root in order to achieve that alfresco will bind ftp cifs on privileged ports (21, 135, ...).
>>>>>> I am wondering, is it possible to allow a user to bind on some privileged port? Like having whole alfresco running under user alfresco and not root and able to bind on privileged ports?
>>>>> the way that's conventionally done is by having a small SUID program (with the S bit set) which is invoked from the main program and opens the privileged socket, then hands it back to the unprivileged rest of the program. I have no idea how you'd do this with java short of using native code interfaces.
>>>>> that seems like a huge and very complex system; running that whole thing as root would be a nightmare from a security audit perspective.
>>>> Another approach that may or may not work with Alfresco is to configure the application to use high-numbered ports instead of the standard ones, then use iptables to redirect connections to the standard port numbers to the ones where the application runs.
>>> you may recall that in December, I was faced with this very issue but on the Fedora List...probably the wrong list since I'm actually using it on a CentOS-5 system...
>>> https://www.redhat.com/archives/fedora-list/2007-December/msg01169.html
>>> and I suggest that you may recall because you participated in the thread.
>>> I was never able to figure out how to redirect those ports...though I would change in a heartbeat if I could figure out how that is done.
>> I don't see my reply in that thread, but it should need an OUTPUT line corresponding to each PREROUTING entry. I have this working on a lot of machines sending tcp port 80 to a server on 8080, so I know it works with TCP. Have you tried a simple case to see if you have the syntax right? There may be some quirks for udp or cifs.
> you took 2 shots in it actually...
> https://www.redhat.com/archives/fedora-list/2007-December/msg01231.html
> https://www.redhat.com/archives/fedora-list/2007-December/msg01240.html
> Yes, note that in your first link (I think it was the first link), your suggestion was to add a rule for OUTPUT packets corresponding to PREROUTING packets too.
Did you try it in a simpler case like port 80 to tomcat on 8080?
On Sun, 2008-03-16 at 19:12 -0500, Les Mikesell wrote:
> Craig White wrote:
>>>>>>> I am using open source Alfresco (alfresco.com), written in java, which has its own code for FTP, CIFS (running on tomcat apache and java). I need to run tomcat5 as root in order to achieve that alfresco will bind ftp cifs on privileged ports (21, 135, ...).
>>>>>>> I am wondering, is it possible to allow a user to bind on some privileged port? Like having whole alfresco running under user alfresco and not root and able to bind on privileged ports?
>>>>>> the way that's conventionally done is by having a small SUID program (with the S bit set) which is invoked from the main program and opens the privileged socket, then hands it back to the unprivileged rest of the program. I have no idea how you'd do this with java short of using native code interfaces.
>>>>>> that seems like a huge and very complex system; running that whole thing as root would be a nightmare from a security audit perspective.
>>>>> Another approach that may or may not work with Alfresco is to configure the application to use high-numbered ports instead of the standard ones, then use iptables to redirect connections to the standard port numbers to the ones where the application runs.
>>>> you may recall that in December, I was faced with this very issue but on the Fedora List...probably the wrong list since I'm actually using it on a CentOS-5 system...
>>>> https://www.redhat.com/archives/fedora-list/2007-December/msg01169.html
>>>> and I suggest that you may recall because you participated in the thread.
>>>> I was never able to figure out how to redirect those ports...though I would change in a heartbeat if I could figure out how that is done.
>>> I don't see my reply in that thread, but it should need an OUTPUT line corresponding to each PREROUTING entry. I have this working on a lot of machines sending tcp port 80 to a server on 8080, so I know it works with TCP. Have you tried a simple case to see if you have the syntax right? There may be some quirks for udp or cifs.
>> you took 2 shots in it actually...
>> https://www.redhat.com/archives/fedora-list/2007-December/msg01231.html
>> https://www.redhat.com/archives/fedora-list/2007-December/msg01240.html
>> Yes, note that in your first link (I think it was the first link), your suggestion was to add a rule for OUTPUT packets corresponding to PREROUTING packets too.
> Did you try it in a simpler case like port 80 to tomcat on 8080?
----
no, I run a regular web server on that port. I ended up just running tomcat5 as root and it's working...I'm not revisiting the issue at the moment, I have other fish to fry.
Craig
Les Mikesell wrote:
> Another approach that may or may not work with Alfresco is to configure the application to use high-numbered ports instead of the standard ones, then use iptables to redirect connections to the standard port numbers to the ones where the application runs.
I don't think that's possible with CIFS/SMB file sharing (which uses a pile of different protocols and encapsulations over both UDP and TCP packets, and many messages that contain service locator type information including port & ip), and it's not very easy with FTP (which uses either passive or port based transfers and also sends port and address data embedded in PORT messages).