Focus on Sun
allowing ordinary users to open privileged ports Sep 02 2004 02:40PM randy calma repasa (rrepasa ekonek com) (6 replies)
Re: allowing ordinary users to open privileged ports Sep 10 2004 11:40PM Brian Hatch (bri ifokr org)
Re: allowing ordinary users to open privileged ports Sep 06 2004 03:58AM David Meissner (dmeissner jetcity com) (1 replies)
Re: allowing ordinary users to open privileged ports Sep 04 2004 02:08PM Casper Dik (casper holland sun com) (1 replies)
Re: allowing ordinary users to open privileged ports Sep 06 2004 06:07AM Kapetanakis Giannis (bilias edu physics uoc gr) (1 replies)
Re: allowing ordinary users to open privileged ports Sep 06 2004 12:02PM Casper Dik (casper holland sun com)
RE: allowing ordinary users to open privileged ports Sep 04 2004 02:07PM Alan W. Rateliff, II (lists rateliff net)
Re: allowing ordinary users to open privileged ports Sep 04 2004 02:05PM Jason (security brvenik com)
calls ... And I believe it a bad idea to put root privileges in the hands of
anyone not directly responsible for a server (even with the best of trust or
intentions).

This may have been suggested, but if the client requires the application to
be on a privileged port but run as a non-root user, and assuming the admins
of that server bless this, why not use a package such as ipf to translate
the port traffic? Ipf is configured to map port x to port y (where x is <
1024 and y is > 1024), the client runs their application on port y and the
system gates the traffic from the privileged port.

The only issue is that the local loopback interface on Solaris is virtual,
and port traffic to / from the local interface cannot be translated (that
is, ipf cannot manage /dev/lo0). This being the case, access to the
application via IP from the local machine would have to be via the real /
non-privileged port.

Using a pre-compiled binary / pkg distribution, such a setup would take
about 15 minutes, but a reboot would be advised.

Cheers ... Phil

-----Original Message-----
From: David Meissner [mailto:dmeissner (at) jetcity (dot) com]
Sent: Sunday, September 05, 2004 11:59 PM
To: rrepasa (at) ekonek (dot) com; focus-sun (at) securityfocus (dot) com
Subject: Re: allowing ordinary users to open privileged ports

As far as I know there is no way to allow a regular user to open a port <
1024. The request from the client doesn't make a lot of sense - perhaps it
could be explained to the client that it is more secure to run the Java
application on a non-privileged port. Or the application could be recoded
to do something like what the Apache web server does - start as root to
bind to the port, then switch to a non-root user. I have no idea if that is
possible for a Java app.

Or, maybe sudo could be used to allow a regular user to start the
application - in this case though, the application would still be running
as root.

-David Meissner

At 10:40 PM 9/2/2004 +0800, randy calma repasa wrote:
>Hello all,
>
> Has anyone in the list successfully tried allowing ordinary
>users to open privileged (< 1024) ports? We have a solaris 8 on sparc
>machine running an (java) application that normally uses ports > 1024;
>however a client requested the application to use privileged ports
>instead.
>
> This resulted in the application failing to start as the port
>that the application was trying to bind to was < 1024. I've looked for
>methods/workarounds to allow this but have so far come up empty.
>
> I would appreciate any experiences or links that the list
>could point me to.
>
> Thank you very much and best regards.
>
>Randy