[CentOS] Running network services as a non-root user

Mon Mar 17 00:56:43 UTC 2008
Craig White <craigwhite at azapple.com>

On Sun, 2008-03-16 at 19:12 -0500, Les Mikesell wrote:
> Craig White wrote:
> >
> >>>>>> I am using open source Alfresco( alfresco.com ), written in java, 
> >>>>>> which has its own code for FTP, CIFS (running on tomcat apache and java). 
> >>>>>> I need to run tomcat5 as root in order to achieve that alfresco will 
> >>>>>> bind ftp cifs on privileged ports (21 , 135 ...).
> >>>>>>
> >>>>>> I am wondering, is it possible to allow a user to bind on some 
> >>>>>> privileged port. Like having the whole alfresco running under user 
> >>>>>> alfresco and not root and able to bind on privileged ports?
> >>>>>>
> >>>>> the way that's conventionally done is by having a small SUID program 
> >>>>> (with the S bit set) which is invoked from the main program and opens 
> >>>>> the privileged socket, then hands it back to the unprivileged rest of 
> >>>>> the program. I have no idea how you'd do this with java short of using 
> >>>>> native code interfaces.
> >>>>>
> >>>>> that seems like a huge and very complex system, running that whole thing 
> >>>>> as root would be a nightmare from a security audit perspective.
> >>>> Another approach that may or may not work with Alfresco is to configure 
> >>>> the application to use high-numbered ports instead of the standard ones, 
> >>>> then use iptables to redirect connections to the standard port numbers 
> >>>> to the ones where the application runs.
> >>> ----
> >>> you may recall that in December, I was faced with this very issue but on
> >>> the Fedora List...probably the wrong list since I'm actually using it on
> >>> a CentOS-5 system...
> >>>
> >>> https://www.redhat.com/archives/fedora-list/2007-December/msg01169.html
> >>>
> >>> and I suggest that you may recall because you participated in the
> >>> thread.
> >>>
> >>> I was never able to figure out how to redirect those ports...though I
> >>> would change in a heartbeat if I could figure out how that is done.
> >>>
> >> I don't see my reply in that thread, but it should need an OUTPUT line 
> >> corresponding to each PREROUTING entry.  I have this working on a lot of 
> >> machines sending tcp port 80 to a server on 8080, so I know it works 
> >> with TCP.  Have you tried a simple case to see if you have the syntax 
> >> right?  There may be some quirks for udp or cifs.
> > ----
> > you took 2 shots in it actually...
> > 
> > https://www.redhat.com/archives/fedora-list/2007-December/msg01231.html
> > 
> > https://www.redhat.com/archives/fedora-list/2007-December/msg01240.html
> > 
> > Yes, note that in your first link (I think it was the first link), your
> > suggestion was to add a rule for OUTPUT packets corresponding to
> > PREROUTING packets too.
> > 
> 
> Did you try it in a simpler case like port 80 to tomcat on 8080?
----
no, I run a regular web server on that port. I ended up just running
tomcat5 as root and it's working...I'm not revisiting the issue at the
moment, I have other fish to fry.

Craig
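The port-redirect approach the thread discusses, as an added shell example that is not part of the original posts: it emits the PREROUTING/OUTPUT pair for each mapping (the OUTPUT rule is what a test from the same host needs) plus the matching INPUT accept; the port numbers, the `APPLY` variable and the `--demo` flag are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): emit, or as root with APPLY=1 install,
# the iptables NAT rules that send a privileged port to the unprivileged port
# the application actually listens on. Assumes iptables with the nat table,
# as on CentOS-5; ports are constructed for illustration.
#
# Each mapping needs two rules:
#   PREROUTING - packets arriving from other hosts
#   OUTPUT     - connections that originate on this host (e.g. a local test
#                against localhost:80), which never traverse PREROUTING
redirect_rules() {
    proto=$1; pub=$2; app=$3
    printf '%s\n' \
      "iptables -t nat -A PREROUTING -p $proto --dport $pub -j REDIRECT --to-ports $app" \
      "iptables -t nat -A OUTPUT -o lo -p $proto --dport $pub -j REDIRECT --to-ports $app"
}

# The filter table runs after nat PREROUTING, so INPUT sees the translated
# port: accept the application port there, not the public one, and insert it
# ahead of any final REJECT rule.
accept_rule() {
    printf 'iptables -I INPUT -p %s --dport %s -j ACCEPT\n' "$1" "$2"
}

# Full rule set for a list of "proto:public:app" mappings.
rules_for() {
    for m in "$@"; do
        proto=${m%%:*}; rest=${m#*:}; pub=${rest%%:*}; app=${rest#*:}
        redirect_rules "$proto" "$pub" "$app"
        accept_rule "$proto" "$app"
    done
}

# Print the commands, or execute them when APPLY=1 and running as root.
run_rules() {
    if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" -ne 0 ]; then
        echo "APPLY=1 requires root" >&2
        return 1
    fi
    rules_for "$@" | while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = 1 ]; then $cmd; else echo "$cmd"; fi
    done
}

# Demo: HTTP on 80 and FTP control on 21 served by processes on 8080 and 2121.
if [ "${1:-}" = --demo ]; then run_rules tcp:80:8080 tcp:21:2121; fi
```

Run with `--demo` to review the commands first; only set `APPLY=1` once they match the ports the service is configured to listen on.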