Re: allow user to listen on priviledged ports
From: Lew Pitcher (lpitcher_at_sympatico.ca)
Date: 12/23/03
- Previous message: James Kimble: "Wireless problems with Lucent Tech card"
- In reply to: Sven Köhler: "Re: allow user to listen on priviledged ports"
- Next in thread: Lew Pitcher: "Re: allow user to listen on priviledged ports"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Tue, 23 Dec 2003 13:17:01 -0500
Sven Köhler wrote:
>>> on windows there is no problem: any user can listen on any port.
>>
>> I beg to differ: that IS the problem.
>
> i don't want to discuss the pros and cons of the way windows or unix
> handle privileged ports.
Need I remind you that /you/ brought the subject up. If you don't want to
discuss it, then don't make it part of your discussion.
>>> with a unix-os like linux it is common to disallow normal users
>>> to listen on privileged ports. E.g. apache has to start up as
>>> root to listen on port 80.
>>
>> as was pointed out before, only to bind to the port.
>
> yes, but when using java, switching the userid is not possible if the
> app has already been started.
Then you should look at other mechanisms than Java. You've decided on an
implementation facility before you determined if it could do what you want
it to do. Obviously, if java can't change userids from root to an
unprivileged user, then java isn't suitable for this project.
>>> what i want is to allow a user - let's say wwwrun - to listen on
>>> specific or all privileged ports. is this possible? is there any
>>> mechanism to do that?
>>
>> You can have inetd / xinetd listen to the port, then spawn off the
>> server under another uid.
>
> for each client another server-process is started as far as i understand
> the inetd-concept. my app is a threaded (java-)server that i want to
> bind to port 80 for example.
So, you have a problem.
My suggestion: write a small C routine that invokes the seteuid(2) and
setegid(2) calls with the proper unprivileged userid. Call this routine
through the jni /after/ your root-privileged java process bind(2)s to the
privileged port.
And before you tell me that this isn't portable, let me point out that
a) you currently depend on the non-portable (and broken) behaviour of
MSWindows to accomplish your task,
b) There are /many/ tasks that Java cannot accomplish without jni helpers.
Try APPC (SNA LU6.2) communications without IBM's "SNA for Java" jni
helper classes. You won't be able to use it on some platforms, though
because IBM's jni helpers don't work on all platforms.
--
Lew Pitcher
Master Codewright and JOAT-in-training
Registered Linux User #112576 (http://counter.li.org/)
Slackware - Because I know what I'm doing.
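The bind-then-drop sequence Lew describes, as an added C example (not code from the thread or from any of its participants): the port is bound while the process is still root, and only then does it switch to the wwwrun account from Sven's question. It uses setgid(2)/setuid(2) rather than setegid/seteuid, because seteuid leaves the saved set-user-ID at 0 and the process could later switch back to root; the existence of a wwwrun account is assumed.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind and listen on a TCP port; returns the listening fd or -1.
 * Ports below 1024 need root (or CAP_NET_BIND_SERVICE) at bind() time only. */
int listen_on_port(int port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    struct sockaddr_in addr = {0};
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_ANY);
    addr.sin_port = htons((unsigned short)port);
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;  /* the bound socket stays usable after the uid changes */
}

/* Permanently drop to uid/gid: supplementary groups and gid first (they still
 * need root), uid last.  setuid() also resets the saved set-user-ID, unlike
 * seteuid(), so the process cannot become root again.  Returns 0 or -1. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) < 0)
        return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    /* Verify the drop took and is irreversible: regaining root must fail. */
    if (uid != 0 && (setuid(0) == 0 || getuid() != uid || geteuid() != uid))
        return -1;
    return 0;
}

int main(void)
{
    struct passwd *pw = getpwnam("wwwrun");  /* assumed unprivileged account */
    int fd = listen_on_port(80);             /* bind while still root */
    if (pw == NULL || fd < 0 || drop_privileges(pw->pw_uid, pw->pw_gid) < 0) {
        perror("setup failed"); return 1;
    }
    printf("listening on port 80 as uid %d (fd %d)\n", (int)getuid(), fd);
    return 0;
}
```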