Thomas Munro wrote:

> Hello
>
> Other Java server software does exactly that.
>
> Excerpt from weblogic.properties:
> --------------------------------
> # UNIX only: If running on port 80 on UNIX, enable the setUID program
> #weblogic.system.enableSetUID=false
>
> # UNIX only: Unprivileged user to setUID to after starting up
> # WebLogic Server on port 80
> #weblogic.system.nonPrivUser=nobody
> --------------------------------
>
> To accomplish this, a tiny shared library is supplied for Linux, Solaris,
> HPUX and Irix which provides a JNI interface to setuid.  The documentation
> recommends that you set up a special user to own all files and run the
> process (although you start it as root of course).
>
> I don't see any reason why Orion shouldn't come with a similar JNI
> solution - it's super easy to code, and essential for a secure server. The
> only thing that will change (unfortunately) is that somewhere an
> administrator will have to specify a path to the shared library,
> according to their operating system when they set up Orion.
>
> As a dirty nasty hack to solve your problem in the meantime Elias, you
> could make a 'plugin' in the form of a load-at-startup servlet which calls
> a setuid shared library (10 lines of C) in its init() method (and
> configure the relevant security settings).
>
> My 10 cents.
>
> Thomas Munro
> Software Engineer
> Grey Interactive Paris
>
> On Thu, 13 Apr 2000, Elias Martensson wrote:
>
> > On Sat, 8 Apr 2000 [EMAIL PROTECTED] wrote:
> >
> > > While it is true that all services running on UNIX and requiring a bind on
> > > ports below 1024 must start as root, it isn't accurate to say that all of
> > > them run as root. All of the servers that we run on our production servers
> > > provide us with a way to switch the user id once the service has grabbed
> > > the privileged port. We don't run any servers that accept connections from
> > > the Internet and process requests running as root. This is going to be a
> > > major problem for most hosting providers.
> >
> > I'm perfectly aware of this. The problem is not in Orion though, but in
> > Java. Java does not allow any way of changing user IDs, because user IDs
> > are a Unix concept that doesn't fit very well in the platform independent
> > metaphor.
> >
> > The solution would be JNI, but I highly suspect that Orion doesn't want
> > to implement such a hack. I think they want to stay with pure Java. Hence
> > my suggestion of allowing some form of plugin so that a third-party can
> > implement this feature. I need it too.

We made one for Orion a few months back as a separate download but I seem to have
lost it :). It is part of MMBase, a publishing system that runs on top of Orion.
That can be found at www.mmbase.org. You will find the code to replace the
ServerSocket of Orion in the package org.mmbase.util.platform:

CVS                               setUser.h
Makefile                          setUser.java
README                            setUserTest.class
SetRootServerSocketFactory.class  setUserTest.java
SetRootServerSocketFactory.java   setit.c
libsetUser.so                     setit.o
setUser.class

Comes with a README, a test and I think a Makefile for Solaris and Linux etc. etc.

Hope this helps. MMBase has a Mozilla licence and comes with source etc. etc.,
hope this helps.

Greetings,

Daniel Ockeloen
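
The "tiny shared library" and the load-at-startup servlet discussed above both end up calling a native setuid routine; the following is an added example (not MMBase's, WebLogic's or Orion's code) of the privilege drop such a JNI shim would wrap, with the checks a practitioner wants: supplementary groups before gid before uid, every return value checked, and proof that root cannot be regained. The JNI entry point is assumed to be a thin caller of drop_privileges(), and the fallback uid/gid 65534 in the demo main() is an assumed stand-in for the configured unprivileged user.

```c
#define _GNU_SOURCE          /* for setgroups() in <grp.h> on glibc */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Give up root for good once the privileged port is bound. Order matters:
 * supplementary groups (root only), then primary gid, then uid; after
 * setuid() succeeds the other two would be refused. 0 on success, -1 with
 * errno set on failure. */
int drop_privileges(uid_t target_uid, gid_t target_gid)
{
    if (target_uid == 0) {        /* a "drop" to root is not a drop */
        errno = EINVAL;
        return -1;
    }
    /* Supplementary groups can only be cleared while still root; an
     * unprivileged process (e.g. a test run) simply keeps its own. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(target_gid) != 0)
        return -1;
    if (setuid(target_uid) != 0)
        return -1;
    /* Verify the drop took and cannot be undone (no saved root uid). */
    if (getuid() != target_uid || geteuid() != target_uid)
        return -1;
    if (setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Demo stand-in for the JNI entry point: in the server this runs after the
 * root-owned ServerSocket is bound. Falls back to uid/gid 65534 ("nobody"
 * on most Linux systems, an assumed value) when started as root. */
int main(void)
{
    uid_t u = getuid() ? getuid() : (uid_t)65534;
    gid_t g = getgid() ? getgid() : (gid_t)65534;
    if (drop_privileges(u, g) != 0) {
        fprintf(stderr, "drop_privileges: %s\n", strerror(errno));
        return 1;
    }
    printf("running as uid %ld, gid %ld\n", (long)getuid(), (long)getgid());
    return 0;
}
```

Call it from the servlet's init() (or the ServerSocket factory) only after bind() has returned, since a bind on port 80 after the drop will be refused.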
