allow user to listen on privileged ports

 
 
Sven Köhler
12-21-2003, 12:31 PM
hi,

on windows there is no problem: any user can listen on any port.
with a unix-os like linux it is common to disallow normal users to
listen on privileged ports. E.g. apache has to start up as root to
listen on port 80.

what i want is to allow a user - let's say wwwrun - to listen on
specific or all privileged ports. is this possible? is there any
mechanism to do that?

 
 
 
 
 
Hactar
12-21-2003, 01:01 PM
In article <bs47mp$hkm$06$(E-Mail Removed)>,
Sven Köhler
<skoehler-remove-for-no-(E-Mail Removed)> wrote:
> what i want is to allow a user - let's say wwwrun - to listen on
> specific or all privileged ports. is this possible? is there any
> mechanism to do that?


Create or find a SUID root app that does nothing but grab specified ports,
hand them off to you, and exit.

--
-eben (E-Mail Removed)m home.tampabay.rr.com/hactar
SCORPIO: Get ready for an unexpected trip when you fall screaming
from an open window. Work a little harder on improving your low self
esteem, you stupid freak. -- Weird Al, _Your Horoscope for Today_
 
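The helper Hactar describes, a SUID root program that binds the port and hands the descriptor over, rests on the kernel's SCM_RIGHTS mechanism: an open file descriptor sent over a Unix-domain socket arrives as a new descriptor in the receiving process, listening state included. The C below is an added example, not code from this thread; it plays both roles in one process over a socketpair() so it can be run without root (port 0 lets the kernel choose a free port). In a real deployment the sending side is the SUID helper and the receiving side the unprivileged server, and the helper must check which user called it and which port it was asked for, because a helper that hands any port to any caller lets every local account impersonate a system service.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

/* Send one descriptor over a connected AF_UNIX socket using SCM_RIGHTS.
   One byte of ordinary payload travels with it; empty messages are not
   reliably delivered. */
static int send_fd(int chan, int fd) {
    char tag = 'F';
    struct iovec iov = { .iov_base = &tag, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    memset(&u, 0, sizeof u);
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(chan, &msg, 0) == 1 ? 0 : -1;
}

/* Receive the descriptor; it is a fresh fd in this process. Returns -1 if
   the message carried no SCM_RIGHTS control data. */
static int recv_fd(int chan) {
    char tag;
    struct iovec iov = { .iov_base = &tag, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    memset(&u, 0, sizeof u);
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (recvmsg(chan, &msg, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (c == NULL || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(c), sizeof fd);
    return fd;
}

/* Helper side: the only thing it ever does as root. port 0 = kernel chooses. */
static int bind_listener(uint16_t port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_port = htons(port),
                             .sin_addr.s_addr = htonl(INADDR_ANY) };
    if (bind(fd, (struct sockaddr *)&a, sizeof a) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Which port is this socket bound to? */
static int bound_port(int fd) {
    struct sockaddr_in a;
    socklen_t len = sizeof a;
    if (getsockname(fd, (struct sockaddr *)&a, &len) < 0) return -1;
    return ntohs(a.sin_port);
}

/* The whole hand-off in one process: chan[0] plays the SUID helper, chan[1]
   the unprivileged server. Returns the port the received descriptor listens
   on (which must equal the port the helper bound), or -1 on any failure. */
int handoff_demo(uint16_t port) {
    int chan[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, chan) < 0) return -1;
    int lfd = bind_listener(port);
    if (lfd < 0) return -1;
    int expected = bound_port(lfd);
    int rc = send_fd(chan[0], lfd);
    close(lfd);                 /* helper drops its copy and would now exit */
    int got = rc < 0 ? -1 : recv_fd(chan[1]);
    int p = got < 0 ? -1 : bound_port(got);
    if (got >= 0) close(got);
    close(chan[0]);
    close(chan[1]);
    return (p > 0 && p == expected) ? p : -1;
}
```

The received descriptor is a full listening socket, so the unprivileged side can call accept() on it directly; nothing is forwarded or proxied, which is what distinguishes this from the port-forwarding workaround the original poster dislikes.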
 
Michael Heiming
12-21-2003, 01:16 PM
In comp.os.linux.networking Sven Köhler <skoehler-remove-for-no-(E-Mail Removed)> wrote:
> hi,


> on windows there is no problem: any user can listen on any port.


Then use that.

> with a unix-os like linux it is common to disallow normal users to
> listen on privileged ports. E.g. apache has to start up as root to
> listen on port 80.


Only to bind to a privileged port. The first apache starting up
as root will never ever answer any requests. That's how *nix works;
you can use sudo/SUID, but then the process is running as root.

--
Michael Heiming

Remove +SIGNS and www. if you expect an answer, sorry for
inconvenience, but I get tons of SPAM
 
 
Sven Köhler
12-21-2003, 01:27 PM
> Create or find a SUID root app that does nothing but grab specified ports,
> hand them off to you, and exit.


what i didn't say is that the program is a java-app. i don't see how
your suggestion should work for me. the only thing i see is writing a
c/c++-app that forwards data from the privileged port to an
unprivileged port. that's a very bad solution in my eyes.

 
 
Martin Blume
12-21-2003, 01:43 PM
"Sven Köhler" <skoehler-remove-for-no-(E-Mail Removed)> wrote
> hi,
>
> on windows there is no problem: any user can listen on any port.

I beg to differ: that IS the problem.

> with a unix-os like linux it is common to disallow normal users
> to listen on privileged ports. E.g. apache has to start up as
> root to listen on port 80.

as was pointed out before, only to bind to the port.

>
> what i want is to allow a user - let's say wwwrun - to listen on
> specific or all privileged ports. is this possible? is there any
> mechanism to do that?
>

You can have inetd / xinetd listen to the port, then spawn off the
server under another uid.

See man inetd.conf / man xinetd.conf

HTH
Martin



 
 
Sven Köhler
12-21-2003, 01:51 PM
>>on windows there is no problem: any user can listen on any port.
>
> I beg to differ: that IS the problem.


i don't want to discuss the pros and cons of the way windows or unix
handle privileged ports.

>>with a unix-os like linux it is common to disallow normal users
>>to listen on privileged ports. E.g. apache has to start up as
>>root to listen on port 80.

>
> as was pointed out before, only to bind to the port.


yes, but when using java, switching the userid is not possible if the
app has already been started.

>>what i want is to allow a user - let's say wwwrun - to listen on
>>specific or all privileged ports. is this possible? is there any
>>mechanism to do that?

>
> You can have inetd / xinetd listen to the port, then spawn off the
> server under another uid.


for each client another server-process is started as far as i understand
the inetd-concept. my app is a threaded (java-)server that i want to
bind to port 80 for example.

 
 
Bob Hauck
12-21-2003, 03:08 PM
On Sun, 21 Dec 2003 15:51:44 +0100, Sven Köhler
<skoehler-remove-for-no-(E-Mail Removed)> wrote:

>> You can have inetd / xinetd listen to the port, then spawn off the
>> server under another uid.

>
> for each client another server-process is started as far as i understand
> the inetd-concept.


Use "wait" then. The ident server is a threaded server that continues
to run after being spawned from inetd. The line in inetd.conf is:

#:INFO: Info services
ident stream tcp wait identd /usr/sbin/identd identd


--
-| Bob Hauck
-| To Whom You Are Speaking
-| http://www.haucks.org/
 
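Bob Hauck's point is that inetd's "wait" mode hands the service the listening socket itself, as fd 0, and does not listen again until the service exits, so one long-lived threaded process accepts all of its own clients; the nowait variant Martin Blume's suggestion would default to instead spawns one process per connection. The C below is an added example of a wait-mode service, not code from this thread: it checks that fd 0 really is a listening socket (SO_ACCEPTCONN) before trusting it, then runs the accept loop itself. The inetd.conf entry in the comment is a hypothetical one modelled on the ident line in the post; the service name, user and path are placeholders. The round-trip function is test scaffolding that builds its own loopback listener so the logic can be exercised without inetd.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical inetd.conf entry (placeholder names), same shape as the
 * ident line in the post: "wait" means inetd starts us once, hands us the
 * listening socket as fd 0 and runs us as the unprivileged user.
 *
 *   www stream tcp wait wwwrun /usr/local/sbin/waitserver waitserver
 */

static const char GREETING[] =
    "HTTP/1.0 503 Service Unavailable\r\nContent-Length: 0\r\n\r\n";

/* A "wait" service must not assume fd 0 is a listener: started from a shell
   by mistake, fd 0 is a terminal or pipe and accept() would simply fail. */
int is_listening_socket(int fd) {
    int acc = 0;
    socklen_t len = sizeof acc;
    if (getsockopt(fd, SOL_SOCKET, SO_ACCEPTCONN, &acc, &len) < 0) return 0;
    return acc != 0;
}

/* Accept one client on the inherited listener, answer it, close it.
   Returns the number of bytes written, or -1. */
int accept_and_greet(int listen_fd) {
    int cfd = accept(listen_fd, NULL, NULL);
    if (cfd < 0) return -1;
    ssize_t n = write(cfd, GREETING, sizeof GREETING - 1);
    close(cfd);
    return n < 0 ? -1 : (int)n;
}

/* The service loop. We keep the listener open for our whole lifetime, so
   inetd stays out of the way; a threaded server would hand each accepted
   descriptor to a worker instead of answering inline. */
void serve_from_inherited(int listen_fd) {
    while (accept_and_greet(listen_fd) >= 0) { }
}

/* Test scaffolding: loopback listener on a kernel-chosen port, a client
   connected to it, then one accept/greet cycle. Returns 1 if the client
   read the greeting intact, 0 otherwise. */
int roundtrip_demo(void) {
    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd < 0) return 0;
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_port = 0,
                             .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    socklen_t len = sizeof a;
    if (bind(lfd, (struct sockaddr *)&a, len) < 0 || listen(lfd, 4) < 0 ||
        getsockname(lfd, (struct sockaddr *)&a, &len) < 0 ||
        !is_listening_socket(lfd)) { close(lfd); return 0; }
    int cfd = socket(AF_INET, SOCK_STREAM, 0);
    /* connect() completes against the backlog; no accept() is needed yet */
    if (cfd < 0 || connect(cfd, (struct sockaddr *)&a, len) < 0) { close(lfd); return 0; }
    int sent = accept_and_greet(lfd);
    char buf[sizeof GREETING];
    ssize_t got = 0;
    while (sent >= 0 && got < (ssize_t)(sizeof GREETING - 1)) {
        ssize_t n = read(cfd, buf + got, sizeof buf - 1 - (size_t)got);
        if (n <= 0) break;
        got += n;
    }
    close(cfd);
    close(lfd);
    return got == (ssize_t)(sizeof GREETING - 1) &&
           memcmp(buf, GREETING, (size_t)got) == 0;
}

int main(void) {
    if (!is_listening_socket(0)) {
        fprintf(stderr, "fd 0 is not a listening socket; run from inetd with 'wait'\n");
        return 1;
    }
    serve_from_inherited(0);
    return 0;
}
```

Because inetd did the bind as root and the service runs as the user named in the inetd.conf line, the process itself never holds root, which is the property the thread is after.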
 
Lew Pitcher
12-23-2003, 05:04 PM
Sven Köhler wrote:
> hi,
>
> on windows there is no problem: any user can listen on any port.


I'd call that a /big/ problem. On Windows, there is no security, so anyone
can hack together a program that pretends to be a privileged service and
have it listen on any port.

Linux isn't the insecure system that MSWindows is. You're playing in the big
leagues now, and it's time to drop your wiffleball rules for hardball rules.

> with a unix-os like linux it is common to disallow normal users to
> listen on privileged ports. E.g. apache has to start up as root to
> listen on port 80.


No. It is not /common/ to disallow users to bind to privileged ports, it is
/required/.

> what i want is to allow a user - let's say wwwrun - to listen on
> specific or all privileged ports. is this possible? is there any
> mechanism to do that?


There are a couple of ways: run the process as root (it can
seteuid()/setegid() and become another user after it binds to its port), or
use the capabilities facilities, and set the appropriate capability.

--
Lew Pitcher

Master Codewright and JOAT-in-training
Registered Linux User #112576 (http://counter.li.org/)
Slackware - Because I know what I'm doing.

 
 
Lew Pitcher
12-23-2003, 05:17 PM
Sven Köhler wrote:
>>> on windows there is no problem: any user can listen on any port.

>>
>>
>> I beg to differ: that IS the problem.

>
>
> i don't want to discuss the pros and cons of the way windows or unix
> handle privileged ports.


Need I remind you that /you/ brought the subject up? If you don't want to
discuss it, then don't make it part of your discussion.

>>> with a unix-os like linux it is common to disallow normal users
>>> to listen on privileged ports. E.g. apache has to start up as
>>> root to listen on port 80.

>>
>>
>> as was pointed out before, only to bind to the port.

>
> yes, but when using java, switching the userid is not possible if the
> app has already been started.


Then you should look at other mechanisms than Java. You've decided on an
implementation facility before you determined if it could do what you want
it to do. Obviously, if java can't change userids from root to an
unprivileged user, then java isn't suitable for this project.

>>> what i want is to allow a user - let's say wwwrun - to listen on
>>> specific or all privileged ports. is this possible? is there any
>>> mechanism to do that?

>>
>>
>> You can have inetd / xinetd listen to the port, then spawn off the
>> server under another uid.

>
>
> for each client another server-process is started as far as i understand
> the inetd-concept. my app is a threaded (java-)server that i want to
> bind to port 80 for example.


So, you have a problem.

My suggestion: write a small C routine that invokes the seteuid(2) and
setegid(2) calls with the proper unprivileged userid. Call this routine
through the jni /after/ your root-privileged java process bind(2)s to the
privileged port.

And before you tell me that this isn't portable, let me point out that
a) you currently depend on the non-portable (and broken) behaviour of
MSWindows to accomplish your task,
b) There are /many/ tasks that Java cannot accomplish without jni helpers.
Try APPC (SNA LU6.2) communications without IBM's "SNA for Java" jni
helper classes. You won't be able to use it on some platforms, though
because IBM's jni helpers don't work on all platforms.

--
Lew Pitcher

Master Codewright and JOAT-in-training
Registered Linux User #112576 (http://counter.li.org/)
Slackware - Because I know what I'm doing.

 
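Lew Pitcher's two posts give the same recipe in two forms: bind as root, then change to an unprivileged uid and gid, for a Java server by way of a small native routine called over JNI once the bind has happened. The C below is an added example of that routine, not code from this thread. It departs from the posts in one deliberate way: it drops privileges with setuid()/setgid() rather than seteuid()/setegid(), because the effective-only calls leave the saved uid at 0 and a later seteuid(0) would restore root; the example verifies that this is now refused. The JNI wrapper glue is not shown; uid 1000 and port 80 in main are placeholders, and the capability route the first post mentions is noted in a comment.

```c
#include <arpa/inet.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Step 1, still root: bind and listen on the (privileged) port. */
static int bind_port(uint16_t port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_port = htons(port),
                             .sin_addr.s_addr = htonl(INADDR_ANY) };
    if (bind(fd, (struct sockaddr *)&a, sizeof a) < 0 || listen(fd, 128) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Step 2: become the unprivileged user for good. Order matters: the
   supplementary groups and the gid go first, because once the uid is no
   longer 0 we may not touch them. setuid()/setgid() called as root change
   the real, effective and saved ids together, unlike seteuid()/setegid(),
   which leave the saved id at 0 and let the process climb back to root. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) < 0) return -1;
    if (setgid(gid) < 0) return -1;
    if (setuid(uid) < 0) return -1;
    /* Verify rather than assume: these calls can succeed only partially. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    if (uid != 0 && seteuid(0) == 0) return -1;   /* must be refused now */
    return 0;
}

/* bind first, drop second: the listening fd survives the identity change. */
int listen_then_drop(uint16_t port, uid_t uid, gid_t gid) {
    int fd = bind_port(port);
    if (fd < 0) return -1;
    if (drop_privileges(uid, gid) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* The alternative from the first post, no root at all: grant the binary
 * the capability instead (real command; the path is a placeholder):
 *   setcap cap_net_bind_service=+ep /path/to/server
 * For a Java server that would have to go on the JVM executable itself,
 * which hands the capability to every Java program run from that JVM. */

int main(void) {
    /* Placeholder identity; a real program would look up "wwwrun" via getpwnam(). */
    const uid_t target_uid = 1000;
    const gid_t target_gid = 1000;
    int fd = listen_then_drop(80, target_uid, target_gid);
    if (fd < 0) { perror("listen_then_drop"); return 1; }
    printf("listening on port 80 as uid %d, ready to accept()\n", (int)getuid());
    close(fd);
    return 0;
}
```

Run as a normal user with an unprivileged port and the user's own ids, the same functions succeed without changing anything, which is how they can be exercised outside a root context; as root with port 80 and a real service account they perform the hand-over the posts describe.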
 
 
 