RE: allowing ordinary users to open privileged ports
From: Phil Eschallier (phil@10types.com)
Date: Fri Sep 10 2004 - 08:29:58 CDT
I don't think a Java application can change the euid without using native
calls ... And I believe it is a bad idea to put root privileges in the hands of
anyone not directly responsible for a server (even with the best of trust or
intentions).
This may have been suggested, but if the client requires the application to
be on a privileged port but run as a non-root user, and assuming the admins
of that server bless this, why not use a package such as ipf to translate
the port traffic? Ipf is configured to map port x to port y (where x is <
1024 and y is > 1024), the client runs their application on port y and the
system gates the traffic from the privileged port.
The only issue is that the local loopback interface on Solaris is virtual,
and port traffic to / from the local interface cannot be translated (that
is, ipf cannot manage /dev/lo0). This being the case, access to the
application via IP from the local machine would have to be via the real /
non-privileged port.
Using a pre-compiled binary / pkg distribution, such a setup would take
about 15 minutes, but a reboot would be advised.
Cheers ... Phil
-----Original Message-----
From: David Meissner [mailto:dmeissner@jetcity.com]
Sent: Sunday, September 05, 2004 11:59 PM
To: rrepasa@ekonek.com; focus-sun@securityfocus.com
Subject: Re: allowing ordinary users to open privileged ports
As far as I know there is no way to allow a regular user to open a port <
1024. The request from the client doesn't make a lot of sense - perhaps it
could be explained to the client that it is more secure to run the Java
application on a non-privileged port. Or the application could be recoded
to do something like what the Apache web server does - start as root to
bind to the port, then switch to a non-root user. I have no idea if that is
possible for a Java app.
Or, maybe sudo could be used to allow a regular user to start the
application - in this case though, the application would still be running
as root.
-David Meissner
At 10:40 PM 9/2/2004 +0800, randy calma repasa wrote:
>Hello all,
>
> Has anyone in the list successfully tried allowing ordinary
>users to open privileged (< 1024) ports? We have a Solaris 8 on SPARC
>machine running a (Java) application that normally uses ports > 1024;
>however a client requested the application to use privileged ports
>instead.
>
> This resulted in the application failing to start as the port
>that the application was trying to bind to was < 1024. I've looked for
>methods/workarounds to allow this but have so far come up empty.
>
> I would appreciate any experiences or links that the list
>could point me to.
>
> Thank you very much and best regards.
>
>Randy
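The "start as root to bind, then switch to a non-root user" pattern David describes, shown as an added C example that is not part of this thread (the name bind_then_drop and the uid/gid arguments are assumptions). It binds the listening socket while still root, gives up group and user privileges in the order that cannot be reversed, and refuses to continue if root can still be regained.

```c
/* Added example, not from the thread: bind a privileged port as root, then
 * drop to an unprivileged uid/gid before doing anything else. */
#define _GNU_SOURCE            /* glibc: prototype for setgroups() */
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Returns a listening fd bound to `port`, running as uid/gid, or -1 with
 * errno set. Ports < 1024 only bind while the process is still root.
 * Order matters: supplementary groups and gid must be changed before
 * setuid(), because a non-root process can no longer change them. */
int bind_then_drop(unsigned short port, uid_t uid, gid_t gid)
{
    struct sockaddr_in sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;

    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0)
        goto fail;

    /* setgroups() is root-only; skip it when started unprivileged. */
    if (geteuid() == 0 && setgroups(1, &gid) < 0) goto fail;
    if (setgid(gid) < 0 || setuid(uid) < 0) goto fail;

    /* The drop must be permanent: if root can be regained, abort. */
    if (uid != 0 && setuid(0) == 0) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;

fail: {
        int saved = errno;     /* close() must not hide the real cause */
        close(fd);
        errno = saved;
        return -1;
    }
}

/* True once the process has no way back to uid 0. */
int root_is_gone(void)
{
    return getuid() != 0 && geteuid() != 0 && setuid(0) == -1;
}
```

Run unprivileged, only ports >= 1024 (or port 0 for an ephemeral one) will bind; the privilege-drop steps behave the same either way.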