Craig White wrote:
> On Sun, 2008-03-16 at 15:33 -0500, Les Mikesell wrote:
>
>> John R Pierce wrote:
>>
>>
>>>> I am using open source Alfresco( alfresco.com ), written in java,
>>>> which has own code for FTP, CIFS (running on tomcat apache and java).
>>>> I need to run tomcat5 as root in order to achieve that alfresco will
>>>> bind ftp cifs on privileged ports (21 , 135 ...).
>>>>
>>>> I am wondering, it is possible to allow user to bind on some
>>>> privileged port. Like having whole alfresco running under user
>>>> alfresco and not root and able to bind on privileged ports?
>>>>
>>>>
>>> the way that's conventionally done is by having a small SUID program
>>> (with the S bit set) which is invoked from the main program and opens
>>> the privileged socket, then hands it back to the unprivileged rest of
>>> the program. I have no idea how you'd do this with java short of using
>>> native code interfaces.
>>>
>>> that seems like a huge and very complex system, running that whole thing
>>> as root would be a nightmare from a security audit perspective.
>>>
>> Another approach that may or may not work with Alfresco is to configure
>> the application to use high-numbered ports instead of the standard ones,
>> then use iptables to redirect connections to the standard port numbers
>> to the ones where the application runs.
>>
> ----
> you may recall that in December, I was faced with this very issue but on
> the Fedora List...probably the wrong list since I'm actually using it on
> a CentOS-5 system...
>
> https://www.redhat.com/archives/fedora-list/2007-December/msg01169.html
>
> and I suggest that you may recall because you participated in the
> thread.
>
> I was never able to figure out how to redirect those ports...though I
> would change in a heartbeat if I could figure out how that is done.
>

did you see:
http://wiki.alfresco.com/wiki/File_Server_Configuration#Running_SMB.2FCIFS_from_a_normal_user_account

In particular, the part that says:

"
For some reason the UDP forwarding does not seem to work, this affects
the NetBIOS name lookups. To get around the problem you can either add a
DNS entry matching the CIFS server name and/or add a static WINS
mapping, or add an entry to the clients LMHOSTS file.
"

otherwise, would it be possible to run samba as a "proxy" on the server?
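
The iptables redirect discussed in this thread, as an added example that is not part of any poster's message or of the Alfresco documentation: a dry-run generator that validates a port mapping and prints the nat rules sending the standard ports to unprivileged ones. The SMB/NetBIOS port numbers and all of the high ports are assumptions, and `PORT_MAP`, `is_port` and `gen_redirect_rules` are names made up for this sketch.

```shell
#!/bin/sh
# Constructed mapping, proto:standard_port:high_port. The standard ports are
# FTP and SMB/NetBIOS; the high ports are assumptions and must match the
# ports the unprivileged server process is configured to listen on.
PORT_MAP="tcp:21:2121 tcp:139:1139 tcp:445:1445 udp:137:1137 udp:138:1138"

# True when $1 is a decimal number in the range 1..65535.
is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the iptables commands for a mapping; nothing is applied here.
gen_redirect_rules() {
    for entry in $1; do
        proto=${entry%%:*}; rest=${entry#*:}
        std=${rest%%:*};    high=${rest#*:}
        case "$proto" in tcp|udp) ;; *) echo "bad protocol: $entry" >&2; return 1 ;; esac
        if ! is_port "$std" || ! is_port "$high"; then
            echo "bad port: $entry" >&2; return 1
        fi
        # The point of the exercise: source is privileged, target is not.
        if [ "$std" -ge 1024 ] || [ "$high" -lt 1024 ]; then
            echo "expected privileged:unprivileged in $entry" >&2; return 1
        fi
        # PREROUTING handles connections arriving from other hosts.
        echo "iptables -t nat -A PREROUTING -p $proto --dport $std -j REDIRECT --to-ports $high"
        # Locally generated packets skip PREROUTING, so clients on the
        # server itself need a matching rule in the nat OUTPUT chain.
        echo "iptables -t nat -A OUTPUT -o lo -p $proto --dport $std -j REDIRECT --to-ports $high"
    done
}

gen_redirect_rules "$PORT_MAP"
```

Review the printed rules and run them as root once; the server process can then start under its own unprivileged account with the high ports configured. The wiki text quoted above reports that the UDP redirect does not work for NetBIOS name lookups, so the DNS, WINS or LMHOSTS workaround it lists still applies.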