[CentOS] Running network services as a non-root user
Les Mikesell
lesmikesell at gmail.com
Mon Mar 17 00:12:07 UTC 2008
Craig White wrote:
>
>>>>>> I am using open source Alfresco (alfresco.com), written in java,
>>>>>> which has its own code for FTP, CIFS (running on tomcat apache and java).
>>>>>> I need to run tomcat5 as root so that alfresco will
>>>>>> bind ftp and cifs on privileged ports (21, 135 ...).
>>>>>>
>>>>>> I am wondering whether it is possible to allow a user to bind on some
>>>>>> privileged port, like having the whole alfresco running under user
>>>>>> alfresco and not root and able to bind on privileged ports?
>>>>>>
>>>>> the way that's conventionally done is by having a small SUID program
>>>>> (with the S bit set) which is invoked from the main program and opens
>>>>> the privileged socket, then hands it back to the unprivileged rest of
>>>>> the program. I have no idea how you'd do this with java short of using
>>>>> native code interfaces.
>>>>>
>>>>> that seems like a huge and very complex system, running that whole thing
>>>>> as root would be a nightmare from a security audit perspective.
>>>> Another approach that may or may not work with Alfresco is to configure
>>>> the application to use high-numbered ports instead of the standard ones,
>>>> then use iptables to redirect connections to the standard port numbers
>>>> to the ones where the application runs.
>>> ----
>>> you may recall that in December, I was faced with this very issue but on
>>> the Fedora List...probably the wrong list since I'm actually using it on
>>> a CentOS-5 system...
>>>
>>> https://www.redhat.com/archives/fedora-list/2007-December/msg01169.html
>>>
>>> and I suggest that you may recall because you participated in the
>>> thread.
>>>
>>> I was never able to figure out how to redirect those ports...though I
>>> would change in a heartbeat if I could figure out how that is done.
>>>
>> I don't see my reply in that thread, but it should need an OUTPUT line
>> corresponding to each PREROUTING entry. I have this working on a lot of
>> machines sending tcp port 80 to a server on 8080, so I know it works
>> with TCP. Have you tried a simple case to see if you have the syntax
>> right? There may be some quirks for udp or cifs.
> ----
> you took 2 shots at it actually...
>
> https://www.redhat.com/archives/fedora-list/2007-December/msg01231.html
>
> https://www.redhat.com/archives/fedora-list/2007-December/msg01240.html
>
> Yes, note that in your first link (I think it was the first link), your
> suggestion was to add a rule for OUTPUT packets corresponding to
> PREROUTING packets too.
>
Did you try it in a simpler case like port 80 to tomcat on 8080?
--
Les Mikesell
lesmikesell at gmail.com
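As an added example (not code from this thread, from Alfresco or from the tomcat5 package), here is the iptables redirect described above, port 80 to a tomcat5 instance listening on 8080 as a non-root user, together with the OUTPUT rule that Les says each PREROUTING rule needs. The `IPT` variable, the function names and the `-o lo` match on the OUTPUT rule are this example's own choices; it assumes a kernel and iptables with the nat table and the REDIRECT target, which a stock CentOS-5 install has.

```shell
#!/bin/sh
# Added example: redirect a privileged TCP port to the unprivileged port a
# non-root daemon listens on, e.g. 80 -> tomcat5 on 8080.
# Two nat-table rules are required:
#   PREROUTING - packets arriving from other hosts
#   OUTPUT     - connections made from this host to itself; locally generated
#                packets never traverse PREROUTING, so without this rule
#                "telnet localhost 80" fails while remote clients work.
# Assumption (not from the thread): iptables with the nat table and the
# REDIRECT target, and a daemon listening on all addresses.

IPT=${IPT:-/sbin/iptables}

# Emit the argument list for each rule, one per line, so the rules can be
# reviewed (or tested) without touching the firewall.
redirect_rules() {
    from=$1
    to=$2
    printf '%s\n' "-t nat -A PREROUTING -p tcp --dport $from -j REDIRECT --to-ports $to"
    # -o lo restricts the OUTPUT rule to traffic destined for this host's own
    # addresses. Without it every outbound connection from this box to port
    # $from on any remote server would be hijacked to the local daemon.
    printf '%s\n' "-t nat -A OUTPUT -o lo -p tcp --dport $from -j REDIRECT --to-ports $to"
}

# Apply the rules (needs root). Word-splitting of $rule is intentional.
apply_redirect() {
    redirect_rules "$1" "$2" | while read -r rule; do
        # shellcheck disable=SC2086
        "$IPT" $rule || return 1
    done
}

# Show the nat table with packet counters so both rules can be verified:
# hit the port from a remote host and from localhost and watch both count up.
show_nat() {
    "$IPT" -t nat -L -n -v --line-numbers
}

# Run as:  sh redirect.sh apply 80 8080     then:  sh redirect.sh show
case "${1-}" in
    apply) apply_redirect "$2" "$3" && show_nat ;;
    show)  show_nat ;;
esac
```

Once both rules are in place, `service iptables save` on CentOS-5 writes them to /etc/sysconfig/iptables so they survive a reboot. Note that this covers one TCP port at a time: FTP's separate data connections and the several ports CIFS uses each need their own consideration, which is the kind of quirk the thread alludes to.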