[CentOS] Running network services as a non-root user
Craig White
craigwhite at azapple.com
Sun Mar 16 23:22:31 UTC 2008
On Sun, 2008-03-16 at 18:06 -0500, Les Mikesell wrote:
> Craig White wrote:
> > On Sun, 2008-03-16 at 15:33 -0500, Les Mikesell wrote:
> >> John R Pierce wrote:
> >>
> >>>> I am using open source Alfresco( alfresco.com ), written in java,
> >>>> which has own code for FTP, CIFS (running on tomcat apache and java).
> >>>> I need to run tomcat5 as root in order to achieve that alfresco will
> >>>> bind ftp cifs on privileged ports (21 , 135 ...).
> >>>>
> >>>> I am wondering, is it possible to allow a user to bind on some
> >>>> privileged port? Like having the whole of alfresco running under user
> >>>> alfresco and not root and able to bind on privileged ports?
> >>>>
> >>>
> >>> the way that's conventionally done is by having a small SUID program
> >>> (with the S bit set) which is invoked from the main program and opens
> >>> the privileged socket, then hands it back to the unprivileged rest of
> >>> the program. I have no idea how you'd do this with java short of using
> >>> native code interfaces.
> >>>
> >>> that seems like a huge and very complex system, running that whole thing
> >>> as root would be a nightmare from a security audit perspective.
> >>
> >> Another approach that may or may not work with Alfresco is to configure
> >> the application to use high-numbered ports instead of the standard ones,
> >> then use iptables to redirect connections to the standard port numbers
> >> to the ones where the application runs.
> > ----
> > you may recall that in December, I was faced with this very issue but on
> > the Fedora List...probably the wrong list since I'm actually using it on
> > a CentOS-5 system...
> >
> > https://www.redhat.com/archives/fedora-list/2007-December/msg01169.html
> >
> > and I suggest that you may recall because you participated in the
> > thread.
> >
> > I was never able to figure out how to redirect those ports...though I
> > would change in a heartbeat if I could figure out how that is done.
> >
>
> I don't see my reply in that thread, but it should need an OUTPUT line
> corresponding to each PREROUTING entry. I have this working on a lot of
> machines sending tcp port 80 to a server on 8080, so I know it works
> with TCP. Have you tried a simple case to see if you have the syntax
> right? There may be some quirks for udp or cifs.
----
you took 2 shots at it actually...
https://www.redhat.com/archives/fedora-list/2007-December/msg01231.html
https://www.redhat.com/archives/fedora-list/2007-December/msg01240.html
Yes, note that in your first link (I think it was the first link), your
suggestion was to add a rule for OUTPUT packets corresponding to
PREROUTING packets too.
Craig
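The redirect that Les describes (a PREROUTING rule for remote clients plus a matching OUTPUT rule for connections made from the box itself), written out as an added example. This is not code from the thread or from Alfresco; the port map below is a constructed, hypothetical one (21 to 2121, 80 to 8080, 445 to 8445), and the script is meant to be saved as, say, redirect.sh and run with --show first.

```sh
#!/bin/sh
# Added example (not from the thread): generate and optionally apply the
# iptables nat rules that let a daemon listening on a high port answer on a
# privileged port, so it can run unprivileged. The mappings below are
# assumptions for illustration, not Alfresco's real configuration.
#
# Usage:  sh redirect.sh --show     # print the rules
#         sh redirect.sh --apply    # run them (needs root)

# Constructed port map: "<proto> <privileged port> <high port the service listens on>"
PORT_MAP="tcp 21 2121
tcp 80 8080
tcp 445 8445"

# Sanity-check one mapping: only tcp/udp, the public port must be privileged
# (below 1024) and the target must be unprivileged (1024 or above), otherwise
# the redirect is either pointless or wrong.
check_mapping() {
  proto=$1 low=$2 high=$3
  case "$proto" in tcp|udp) ;; *) return 1 ;; esac
  [ -n "$low" ] && [ -n "$high" ] || return 1
  case "$low$high" in *[!0-9]*) return 1 ;; esac
  [ "$low" -ge 1 ] && [ "$low" -le 1023 ] || return 1
  [ "$high" -ge 1024 ] && [ "$high" -le 65535 ] || return 1
  return 0
}

# Emit the pair of rules for one mapping. PREROUTING only sees packets that
# arrive from other hosts; locally generated packets skip it, so a matching
# OUTPUT rule (restricted to loopback) is needed for clients on the same
# machine, e.g. a quick "ftp localhost" test.
redirect_rules() {
  proto=$1 low=$2 high=$3
  printf 'iptables -t nat -A PREROUTING -p %s --dport %s -j REDIRECT --to-ports %s\n' "$proto" "$low" "$high"
  printf 'iptables -t nat -A OUTPUT -o lo -p %s --dport %s -j REDIRECT --to-ports %s\n' "$proto" "$low" "$high"
}

# Walk the map and either print ("show") or execute ("apply") the rules.
# Stops on the first bad mapping so a typo does not install half the set.
process_map() {
  mode=$1
  echo "$PORT_MAP" | while read -r proto low high; do
    [ -n "$proto" ] || continue
    check_mapping "$proto" "$low" "$high" || {
      echo "bad mapping: $proto $low $high" >&2
      return 1
    }
    redirect_rules "$proto" "$low" "$high" | while read -r rule; do
      if [ "$mode" = apply ]; then $rule; else echo "$rule"; fi
    done
  done
}

case "${1:-}" in
  --show)  process_map show ;;
  --apply) process_map apply ;;
esac
```

Two things to check before blaming the syntax. First, nat rules are consulted only for the first packet of a connection, so a connection that was already tracked before the rule went in keeps its old destination; test with a fresh client. Second, the nat PREROUTING chain runs before the filter INPUT chain, so INPUT sees the rewritten port: the filter rules must accept the high port (2121, not 21), or the redirected connection is silently dropped and the redirect looks broken.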