[CentOS] Running network services as a non-root user

Sun Mar 16 20:33:11 UTC 2008
Les Mikesell <lesmikesell at gmail.com>

John R Pierce wrote:

>>
>> I am using open source Alfresco (alfresco.com), written in Java, 
>> which has its own code for FTP and CIFS (running on Tomcat, Apache and Java). 
>> I need to run tomcat5 as root so that Alfresco will 
>> bind FTP and CIFS on privileged ports (21, 135 ...).
>>
>> I am wondering whether it is possible to allow a user to bind on some 
>> privileged port, i.e. having the whole of Alfresco running under user 
>> alfresco and not root and still able to bind on privileged ports?
>>
> 
> 
> The way that's conventionally done is by having a small SUID program 
> (with the S bit set) which is invoked from the main program and opens 
> the privileged socket, then hands it back to the unprivileged rest of 
> the program. I have no idea how you'd do this with Java short of using 
> native code interfaces.
> 
> That seems like a huge and very complex system; running that whole thing 
> as root would be a nightmare from a security audit perspective.


Another approach that may or may not work with Alfresco is to configure 
the application to use high-numbered ports instead of the standard ones, 
then use iptables to redirect connections to the standard port numbers 
to the ones where the application runs.

-- 
   Les Mikesell
    lesmikesell at gmail.com
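The iptables redirect approach above, spelled out as an added example (not code from the thread or from Alfresco). It assumes the application has been reconfigured to listen on high ports 2121, 2139 and 2445 (assumed values; the post names only 21 and 135), and that the public interface is eth0.

```sh
#!/bin/sh
# Added example: let a service run as a non-root user on unprivileged
# ports, and have the kernel rewrite connections that arrive on the
# standard (privileged) ports. Port and interface values are assumptions.

# "privileged:high" pairs. 21 = FTP control; 139/445 = CIFS/SMB over
# NetBIOS and directly over TCP. The high ports are assumed choices.
PORT_MAP="21:2121 139:2139 445:2445"

# Emit one pair of iptables rules per mapping. Packets from the network
# are rewritten in nat/PREROUTING; packets generated on the host itself
# never pass PREROUTING, so a second rule in nat/OUTPUT covers loopback.
redirect_rules() {
    iface="$1"   # public interface, e.g. eth0
    for pair in $PORT_MAP; do
        low=${pair%%:*}
        high=${pair##*:}
        echo "iptables -t nat -A PREROUTING -i $iface -p tcp --dport $low -j REDIRECT --to-ports $high"
        echo "iptables -t nat -A OUTPUT -o lo -p tcp --dport $low -j REDIRECT --to-ports $high"
    done
}

# Number of rules that redirect_rules would emit (sanity check).
rule_count() {
    redirect_rules "$1" | wc -l | tr -d ' '
}

# Run the generated rules; must be executed as root. `sh -e` stops at
# the first rule iptables rejects instead of silently continuing.
apply_rules() {
    redirect_rules "$1" | sh -e
}

# Usage (as root):   apply_rules eth0
# Verify:            iptables -t nat -L PREROUTING -n --line-numbers
#
# Caveat: the high ports stay directly reachable as well, so the normal
# filter-table policy for the interface must still decide who may reach
# them. FTP active/passive data connections need the usual FTP helper
# and passive-range handling on top of this control-port redirect.
```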