This may seem simple but I've looked all over and come up with nothing. I'm interested in running Icecast 1.3.12 on port 80 to get around the firewall issue. Obviously it's not prudent to run Icecast at root so I'm wondering is there any way to safely run Icecast on port 80 using either setuid or port redirection? Has anyone accomplished this and if so, how'd you do it?

Thanks!

--- >8 ----
List archives: http://www.xiph.org/archives/
icecast project homepage: http://www.icecast.org/
To unsubscribe from this list, send a message to 'icecast-request@xiph.org' containing only the word 'unsubscribe' in the body. No subject is needed. Unsubscribe messages sent to the list will be ignored/filtered.
You can use firewall software (iptables, netfilter, etc) to redirect incoming requests to port 80 to an unprivileged port where you have icecast running on the same host.

alan

On Tue, 2002-08-20 at 19:33, Bryan Jay Miller wrote:
> This may seem simple but I've looked all over and come up with nothing.
> I'm interested in running Icecast 1.3.12 on port 80 to get around the
> firewall issue. Obviously it's not prudent to run Icecast at root so I'm
> wondering is there any way to safely run Icecast on port 80 using either
> setuid or port redirection? Has anyone accomplished this and if so,
> how'd you do it?
>
> Thanks!
On 20 Aug 2002, Bryan Jay Miller wrote:
> This may seem simple but I've looked all over and come up with nothing.
> I'm interested in running Icecast 1.3.12 on port 80 to get around the
> firewall issue. Obviously it's not prudent to run Icecast at root so I'm
> wondering is there any way to safely run Icecast on port 80 using either
> setuid or port redirection? Has anyone accomplished this and if so,
> how'd you do it?

Check out cbs:

cbs is a system tool, composed of a client and a server. Using cbs as root, you will be able to allow specific users or groups to bind specific ports below 1024. Those users will have to use the cbs client library. The aim of cbs is to increase system security.

http://www.epita.fr:8000/~flav/cbs/doc/html/

I found it suggested on the mod_perl site as a possible way of enforcing that users only be allowed to run apache processes on particular ports.

-sam
Bryan Jay Miller wrote:
> This may seem simple but I've looked all over and come up with nothing.
> I'm interested in running Icecast 1.3.12 on port 80 to get around the
> firewall issue. Obviously it's not prudent to run Icecast at root so I'm
> wondering is there any way to safely run Icecast on port 80 using either
> setuid or port redirection? Has anyone accomplished this and if so,
> how'd you do it?

Alternatively, you can try out and help to test current CVS' Icecast2 (use the Xiph repository, www.xiph.html/cvs.html, module "icecast"), which now supports changing its UID and GID as well as running from within a chroot() jail. I guess being able to bind to privileged ports and change identity afterwards is also an intended way of doing things with these features.

Moritz
> One question. The <changeowner><user><group> settings are self
> explanatory but what about the <chroot> directive. The value in the
> default icecast.xml is 0. Does it take an absolute path or boolean value
> and then use <basedir> as the chroot value?

The latter (boolean and basedir).

Mike
Thanks for the tips. I did find a detailed article on how to run Icecast 1.3.x in a chroot jail at incidents.org (actually it's in Google's cache, couldn't find it on incidents.org site anymore):

http://216.239.37.100/search?q=cache:8Jnwn-j8Yh4C:www.incidents.org/protect/borland.php+icecast+chroot+jail&hl=en&ie=UTF-8

It doesn't really solve the problem of running Icecast 1 on a privileged port as the process would have to chroot *after* binding to the port but interesting nonetheless.

Moritz - Thanks for the tip on Icecast2. I must have totally overlooked that Icecast2 does both chroot and setuid... very important features IMO. I updated my source from CVS and chroot and setuid worked like a charm. Streaming Vorbis on port 80 right now not running as root.

One question. The <changeowner><user><group> settings are self explanatory but what about the <chroot> directive. The value in the default icecast.xml is 0. Does it take an absolute path or boolean value and then use <basedir> as the chroot value?

-Bryan
Bryan Jay Miller wrote:
> One question. The <changeowner><user><group> settings are self
> explanatory but what about the <chroot> directive. The value in the
> default icecast.xml is 0. Does it take an absolute path or boolean value
> and then use <basedir> as the chroot value?

It's either 0 or 1, while 1 chroot()s to <basedir>. Note that <logdir>'s and <webroot>'s / are now <basedir> (e.g. you'd have to change <logdir>/var/icecast/log</logdir> to <logdir>/log</logdir> when you both chroot() and <basedir> is /var/icecast).

Btw, chroot()ing and changing UID and GID are new features, no wonder you have "overlooked" it. :)

Moritz

P.S.: While installing Icecast2 myself once again today, I noticed that the current reference icecast.xml lacks the new <icelogin> directive, which also can be either 0 or 1, and is 0 by default. If you want to use a source client that doesn't support http basic auth yet, like Oddcast DSP RC5, you have to add <icelogin>1</icelogin> somewhere within the <icecast> directive.