[CentOS] Running network services as a non-root user

Sun Mar 16 22:21:15 UTC 2008
mouss <mouss at netoyen.net>

Craig White wrote:
> On Sun, 2008-03-16 at 15:33 -0500, Les Mikesell wrote:
>   
>> John R Pierce wrote:
>>
>>     
>>>> I am using open source Alfresco( alfresco.com ), written in java, 
>>>> which has own code for FTP, CIFS (running on tomcat apache and java). 
>>>> I need to run tomcat5 as root in order to achieve that alfresco will 
>>>> bind ftp cifs on privileged ports (21 , 135 ...).
>>>>
>>>> I am wondering, it is possible to allow user to bind on some 
>>>> privilleged port. Like having whole alfresco running under user 
>>>> alfresco and not root and able to bind on privileged ports?
>>>>
>>>>         
>>> the way thats conventionally done is by having a small SUID program 
>>> (with the S bit set) which is invoked from the main program and opens 
>>> the privileged socket, then hands it back to the unprivileged rest of 
>>> the program. I have no idea how you'd do this with java short of using 
>>> native code interfaces.
>>>
>>> that seems like a huge and very complex system, running that whole thing 
>>> as root would be a nightmare from a security audit perspective.
>>>       
>> Another approach that may or may not work with Alfresco is to configure 
>> the application to use high-numbered ports instead of the standard ones, 
>> then use iptables to redirect connections to the standard port numbers 
>> to the ones where the application runs.
>>     
> ----
> you may recall that in December, I was faced with this very issue but on
> the Fedora List...probably the wrong list since I'm actually using it on
> a CentOS-5 system...
>
> https://www.redhat.com/archives/fedora-list/2007-December/msg01169.html
>
> and I suggest that you may recall because you participated in the
> thread.
>
> I was never able to figure out how to redirect those ports...though I
> would change in a heartbeat if I could figure out how that is done.
>   

did you see:
http://wiki.alfresco.com/wiki/File_Server_Configuration#Running_SMB.2FCIFS_from_a_normal_user_account


In particular, the part that says:
"
For some reason the UDP forwarding does not seem to work, this affects 
the NetBIOS name lookups. To get around the problem you can either add a 
DNS entry matching the CIFS server name and/or add a static WINS 
mapping, or add an entry to the clients LMHOSTS file.
"

otherwise, would it be possible to run samba as a "proxy" on the server?