On Sun, 2008-03-16 at 19:12 -0500, Les Mikesell wrote:
> Craig White wrote:
> >
> >>>>>> I am using open source Alfresco( alfresco.com ), written in java,
> >>>>>> which has own code for FTP, CIFS (running on tomcat apache and java).
> >>>>>> I need to run tomcat5 as root in order to achieve that alfresco will
> >>>>>> bind ftp cifs on privileged ports (21 , 135 ...).
> >>>>>>
> >>>>>> I am wondering, it is possible to allow user to bind on some
> >>>>>> privileged port. Like having whole alfresco running under user
> >>>>>> alfresco and not root and able to bind on privileged ports?
> >>>>>>
> >>>>> the way that's conventionally done is by having a small SUID program
> >>>>> (with the S bit set) which is invoked from the main program and opens
> >>>>> the privileged socket, then hands it back to the unprivileged rest of
> >>>>> the program. I have no idea how you'd do this with java short of using
> >>>>> native code interfaces.
> >>>>>
> >>>>> that seems like a huge and very complex system, running that whole thing
> >>>>> as root would be a nightmare from a security audit perspective.
> >>>> Another approach that may or may not work with Alfresco is to configure
> >>>> the application to use high-numbered ports instead of the standard ones,
> >>>> then use iptables to redirect connections to the standard port numbers
> >>>> to the ones where the application runs.
> >>> ----
> >>> you may recall that in December, I was faced with this very issue but on
> >>> the Fedora List...probably the wrong list since I'm actually using it on
> >>> a CentOS-5 system...
> >>>
> >>> https://www.redhat.com/archives/fedora-list/2007-December/msg01169.html
> >>>
> >>> and I suggest that you may recall because you participated in the
> >>> thread.
> >>>
> >>> I was never able to figure out how to redirect those ports...though I
> >>> would change in a heartbeat if I could figure out how that is done.
> >>>
> >> I don't see my reply in that thread, but it should need an OUTPUT line
> >> corresponding to each PREROUTING entry. I have this working on a lot of
> >> machines sending tcp port 80 to a server on 8080, so I know it works
> >> with TCP. Have you tried a simple case to see if you have the syntax
> >> right? There may be some quirks for udp or cifs.
> > ----
> > you took 2 shots at it actually...
> >
> > https://www.redhat.com/archives/fedora-list/2007-December/msg01231.html
> >
> > https://www.redhat.com/archives/fedora-list/2007-December/msg01240.html
> >
> > Yes, note that in your first link (I think it was the first link), your
> > suggestion was to add a rule for OUTPUT packets corresponding to
> > PREROUTING packets too.
> >
>
> Did you try it in a simpler case like port 80 to tomcat on 8080?
----
no, I run a regular web server on that port. I ended up just running
tomcat5 as root and it's working...I'm not revisiting the issue at the
moment, I have other fish to fry.

Craig
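The PREROUTING-plus-OUTPUT redirect Les describes, written out as a small sh script. This is an added example, not code from the thread, from Alfresco or from anyone on the list. It assumes iptables with the nat table is available, that the application has already been told to listen on the high port (the tomcat 8080 case from the thread, plus an assumed 2121 for FTP control), and it refuses mappings that would not actually let the daemon run unprivileged. With DRY_RUN=1 (the default) it prints the rules instead of applying them, so it can be checked before running as root.

```shell
#!/bin/sh
# Added example, not code from the thread or from Alfresco: emit (or apply)
# the iptables NAT rules that send a privileged port to the unprivileged one
# an application actually listens on. Assumes iptables with the nat table;
# the port pairs at the bottom are illustrative (80 -> 8080 as in the
# thread, 21 -> 2121 is an assumed choice for FTP control).
# DRY_RUN=1 (the default) prints the commands instead of running them.

DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# is_valid_mapping PROTO STD_PORT APP_PORT
# Succeeds only for tcp/udp, a privileged STD_PORT (1-1023) and an
# unprivileged APP_PORT (1024-65535). The whole point of the exercise is
# that the daemon binds APP_PORT without root, so a mapping the other way
# round (or onto another privileged port) is a mistake, not a rule to apply.
is_valid_mapping() {
    proto=$1 std=$2 app=$3
    case "$proto" in tcp|udp) ;; *) return 1 ;; esac
    case "$std" in ''|*[!0-9]*) return 1 ;; esac
    case "$app" in ''|*[!0-9]*) return 1 ;; esac
    [ "$std" -ge 1 ] && [ "$std" -lt 1024 ] || return 1
    [ "$app" -ge 1024 ] && [ "$app" -le 65535 ] || return 1
}

# redirect_rules PROTO STD_PORT APP_PORT
# PREROUTING catches packets arriving from other hosts. Connections the box
# makes to itself (a local telnet/curl test, or the app talking to its own
# FTP port) never traverse PREROUTING, only OUTPUT, so without the second
# rule a test from localhost "proves" the redirect is broken even though
# remote clients are being redirected fine.
redirect_rules() {
    proto=$1 std=$2 app=$3
    if ! is_valid_mapping "$proto" "$std" "$app"; then
        echo "refusing mapping $proto $std -> $app" >&2
        return 1
    fi
    run iptables -t nat -A PREROUTING -p "$proto" --dport "$std" \
        -j REDIRECT --to-ports "$app"
    run iptables -t nat -A OUTPUT -o lo -p "$proto" --dport "$std" \
        -j REDIRECT --to-ports "$app"
}

# The two mappings discussed above (80 -> 8080 from the thread, 21 -> 2121
# assumed for this example).
redirect_rules tcp 80 8080
redirect_rules tcp 21 2121
```

Once applied, `iptables -t nat -L -n -v` shows the two chains with packet counters, which is the quickest way to see whether a test connection is hitting PREROUTING, OUTPUT, or neither. REDIRECT rewrites the destination to the address of the interface the packet came in on (127.0.0.1 for the OUTPUT/loopback case), so the daemon has to listen on all addresses, not just one. For FTP only the control port needs this treatment, since passive-mode data ports are negotiated separately and can stay high. On CentOS-5 the rules are lost at reboot unless written out with `service iptables save`.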