On Sun, 2008-03-16 at 15:33 -0500, Les Mikesell wrote:
> John R Pierce wrote:
> >>
> >> I am using open source Alfresco (alfresco.com), written in java,
> >> which has own code for FTP, CIFS (running on tomcat apache and java).
> >> I need to run tomcat5 as root in order to achieve that alfresco will
> >> bind ftp cifs on privileged ports (21 , 135 ...).
> >>
> >> I am wondering, it is possible to allow user to bind on some
> >> privileged port. Like having whole alfresco running under user
> >> alfresco and not root and able to bind on privileged ports?
> >>
> >
> > the way that's conventionally done is by having a small SUID program
> > (with the S bit set) which is invoked from the main program and opens
> > the privileged socket, then hands it back to the unprivileged rest of
> > the program. I have no idea how you'd do this with java short of using
> > native code interfaces.
> >
> > that seems like a huge and very complex system, running that whole thing
> > as root would be a nightmare from a security audit perspective.
>
> Another approach that may or may not work with Alfresco is to configure
> the application to use high-numbered ports instead of the standard ones,
> then use iptables to redirect connections to the standard port numbers
> to the ones where the application runs.
----
you may recall that in December, I was faced with this very issue but on
the Fedora List...probably the wrong list since I'm actually using it on
a CentOS-5 system...

https://www.redhat.com/archives/fedora-list/2007-December/msg01169.html

and I suggest that you may recall because you participated in the
thread.

I was never able to figure out how to redirect those ports...though I
would change in a heartbeat if I could figure out how that is done.

Craig
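
The iptables redirect suggested in the quoted reply, sketched as an added example that is not part of the original thread or of Alfresco. Ports 21 and 135 are the ones named in the thread; the high ports 2121 and 1135, the TCP-only scope and the helper names `valid_port` and `redirect_rules` are assumptions.

```shell
#!/bin/sh
# Constructed example: print (not run) iptables NAT rules that map privileged
# ports to the high ports an unprivileged service listens on.
# 21 and 135 come from the thread; 2121 and 1135 are assumed values.

# valid_port N: succeeds when N is a decimal number in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# redirect_rules "PUBLIC:LOCAL ...": print two rules per pair, or fail on a
# pair that would not remove the need for root.
redirect_rules() {
    for pair in $1; do
        pub=${pair%%:*}
        loc=${pair#*:}
        valid_port "$pub" && valid_port "$loc" || {
            echo "invalid port pair: $pair" >&2; return 1; }
        # Public side must be privileged (<1024), local side must not be,
        # otherwise the service would still have to bind as root.
        [ "$pub" -lt 1024 ] && [ "$loc" -ge 1024 ] || {
            echo "pair does not drop the root requirement: $pair" >&2; return 1; }
        # Connections arriving from other hosts traverse PREROUTING.
        echo "iptables -t nat -A PREROUTING -p tcp --dport $pub -j REDIRECT --to-ports $loc"
        # Connections the server makes to itself over loopback skip
        # PREROUTING, so they need a matching rule in OUTPUT.
        echo "iptables -t nat -A OUTPUT -o lo -p tcp --dport $pub -j REDIRECT --to-ports $loc"
    done
}

# Dry run: show the rules for review. To load them, run the output as root,
# e.g. redirect_rules "21:2121 135:1135" | sh
redirect_rules "21:2121 135:1135"
```

The service itself must be configured to listen on the high ports and started as its unprivileged user. Redirecting port 21 covers only the FTP control connection, so the data ports the server uses need to be reachable separately.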