David Hl??ik wrote:
> Hi,
>
> I am using open source Alfresco (alfresco.com), written in Java,
> which has its own code for FTP, CIFS (running on Tomcat Apache and Java).
> I need to run tomcat5 as root in order to achieve that Alfresco will
> bind FTP, CIFS on privileged ports (21, 135 ...).
>
> I am wondering, is it possible to allow a user to bind on some
> privileged port? Like having the whole Alfresco running under user
> alfresco and not root and able to bind on privileged ports?
>
The way that's conventionally done is by having a small SUID program
(with the S bit set) which is invoked from the main program and opens
the privileged socket, then hands it back to the unprivileged rest of
the program. I have no idea how you'd do this with Java short of using
native code interfaces.

That seems like a huge and very complex system; running that whole thing
as root would be a nightmare from a security audit perspective.