RE: Run Orion on port80 without being root?
You might opt for installing a simple Linux router if you can't find a Solaris Network Address Translation tool. The Linux box would only be used to route the TCP/IP packages from one port to another.

It is the old Linux story. Claim an older Pentium PC with some 32 Mb memory in it (in that case you can run X11, which makes the installation procedure easier). Buy a Linux distribution (e.g. SuSE, Redhat or whatever). Install it. Believe me, it takes you less time than installing Windows.

Read the IPCHAINS-HOWTO, which is somewhere in /usr/doc. This could take you a few hours, but it is nice to know what you are actually doing with ipchains. Experiment with it and make sure you understand what you are doing. After all, it should be reliable and secure.

I would say it takes you one to two days to get it up and running and 1000$ hardware when you buy a new machine for it. All assuming you have some knowledge about TCP/IP and UNIX in general.

Frank

On Wednesday, September 13, 2000 7:01 AM, Sach Jobb [SMTP:[EMAIL PROTECTED]] wrote:

This _is_ a great idea and i considered something like it before, the only problem is that we are deploying on Solaris.

sach

On Tue, 12 Sep 2000, Brian Beaulieu wrote:

My solution seems to be working so far. I have Orion running as an arbitrary user bound to port 8000. I'm redirecting with ipchains all requests to port 80 to port 8000 with:

    ipchains -A input -p tcp -s 0/0 -d 0/0 80 -j REDIRECT 8000

The logs show the originating host since I'm not masquerading - this is obviously very important. I haven't run into a problem yet.. I'll try to break it and report here if I do.

Regards,
Brian

Sach Jobb wrote:

Thanks guys,

This sums up everything pretty well: http://www.orionsupport.com/users.html

The root of the problem (pun intended) is here: "Java, however, has no concept of a user, because Java is cross-platform and some platforms don't have any real user (such as Win98, which uses the term "user" very loosely.)"

cheers,
sach
%s/windows/linux/g

On Tue, 12 Sep 2000, Brian Beaulieu wrote:

I tried this (had to recompile the library though). It says it's running it as user 'nobody' however all processes are still owned by nobody. When I attempt to create a directory '/blah' (shouldn't be able to), it works.

I have to find a way to do this. I'm going to try running orion on a port 1024 and do port forwarding but that might cause some issues with advanced functionality. I'll look at the JINI library to see if I can find the problem and do some more debugging.

Are there any other solutions out there?

Regards,
Brian

Markus Holmberg wrote:

On Mon, Sep 11, 2000 at 11:11:57AM -0700, Sach Jobb wrote:

Has anyone found a way of running Orion on port80 without being root? I'm getting ready to launch a finance based site and i'm quite concerned about security. I've seen messages like this posted before but i have yet to see any kind of resolution. Any ideas?

Changing Orion's uid using JNI: http://www.orionsupport.com/users.html

Markus

--
Markus Holmberg | Give me Unix or give me a typewriter.
[EMAIL PROTECTED] | http://www.freebsd.org/
Re: Run Orion on port80 without being root?
Ideally that is what i'm looking for: basically having it start up as root and then switching the process over to another user (like apache does).

In our dev env this isn't a problem because they use non-priv ports, but there's just something about seeing a billboard with an ad like: "come visit us at our new web site www.bigcompany.com:8092" that just doesn't have quite the right ring to it. ;)

What's the theory behind using the JNI code? I'm not familiar with it.

cheers,
sach
%s/windows/linux/g

On Mon, 11 Sep 2000, John Barrett wrote:

In *nix systems, there isn't a solution except to start up as root and then change to another user/group, like Apache does. I don't think that Java has the ability to manipulate its UID/GID without JNI code.

- Original Message -
From: Sach Jobb [EMAIL PROTECTED]
To: Orion-Interest [EMAIL PROTECTED]
Sent: Monday, September 11, 2000 1:11 PM
Subject: Run Orion on port80 without being root?

Has anyone found a way of running Orion on port80 without being root? I'm getting ready to launch a finance based site and i'm quite concerned about security. I've seen messages like this posted before but i have yet to see any kind of resolution. Any ideas?

cheers,
sach
%s/windows/linux/g
Re: Run Orion on port80 without being root?
On Mon, Sep 11, 2000 at 11:11:57AM -0700, Sach Jobb wrote:

Has anyone found a way of running Orion on port80 without being root? I'm getting ready to launch a finance based site and i'm quite concerned about security. I've seen messages like this posted before but i have yet to see any kind of resolution. Any ideas?

Changing Orion's uid using JNI: http://www.orionsupport.com/users.html

Markus

--
Markus Holmberg | Give me Unix or give me a typewriter.
[EMAIL PROTECTED] | http://www.freebsd.org/
RE: Run Orion on port80 without being root?
You could have 2 servers (one on port 80 and one somewhere else) with the one on port 80 forwarding all requests to the other one. Maybe not the prettiest solution, but it might work.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Sach Jobb
Sent: Tuesday, September 12, 2000 09:00
To: Orion-Interest
Subject: Re: Run Orion on port80 without being root?

Ideally that is what i'm looking for: basically having it start up as root and then switching the process over to another user (like apache does).

In our dev env this isn't a problem because they use non-priv ports, but there's just something about seeing a billboard with an ad like: "come visit us at our new web site www.bigcompany.com:8092" that just doesn't have quite the right ring to it. ;)

What's the theory behind using the JNI code? I'm not familiar with it.

cheers,
sach
%s/windows/linux/g

On Mon, 11 Sep 2000, John Barrett wrote:

In *nix systems, there isn't a solution except to start up as root and then change to another user/group, like Apache does. I don't think that Java has the ability to manipulate its UID/GID without JNI code.

- Original Message -
From: Sach Jobb [EMAIL PROTECTED]
To: Orion-Interest [EMAIL PROTECTED]
Sent: Monday, September 11, 2000 1:11 PM
Subject: Run Orion on port80 without being root?

Has anyone found a way of running Orion on port80 without being root? I'm getting ready to launch a finance based site and i'm quite concerned about security. I've seen messages like this posted before but i have yet to see any kind of resolution. Any ideas?

cheers,
sach
%s/windows/linux/g
Re: Run Orion on port80 without being root?
Any Unix process trying to open a socket on a port below 1024 must be running as the root user. If you want to walk around this, simply you can't! (sorry for the bad news)

Sach Jobb wrote:

Has anyone found a way of running Orion on port80 without being root? I'm getting ready to launch a finance based site and i'm quite concerned about security. I've seen messages like this posted before but i have yet to see any kind of resolution. Any ideas?

cheers,
sach
%s/windows/linux/g

--
Eduardo García López
Re: Run Orion on port80 without being root?
I tried this (had to recompile the library though). It says it's running it as user 'nobody' however all processes are still owned by nobody. When I attempt to create a directory '/blah' (shouldn't be able to), it works.

I have to find a way to do this. I'm going to try running orion on a port 1024 and do port forwarding but that might cause some issues with advanced functionality. I'll look at the JINI library to see if I can find the problem and do some more debugging.

Are there any other solutions out there?

Regards,
Brian

Markus Holmberg wrote:

On Mon, Sep 11, 2000 at 11:11:57AM -0700, Sach Jobb wrote:

Has anyone found a way of running Orion on port80 without being root? I'm getting ready to launch a finance based site and i'm quite concerned about security. I've seen messages like this posted before but i have yet to see any kind of resolution. Any ideas?

Changing Orion's uid using JNI: http://www.orionsupport.com/users.html

Markus

--
Markus Holmberg | Give me Unix or give me a typewriter.
[EMAIL PROTECTED] | http://www.freebsd.org/
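
The approach discussed in this thread (start as root, bind port 80, then switch user the way Apache does) needs native calls made in a specific order and a check that the switch really took effect, which is what the '/blah' test above probes. The following C sketch is an added example, not code from the thread or from the JNI library at orionsupport.com; the function names and the uid/gid 65534 for "nobody" are assumptions.

```c
/* Added example (not from the thread): bind port 80 as root, then drop privileges. */
#define _DEFAULT_SOURCE 1
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* 1 only if all ids are the unprivileged ones and root cannot be regained. */
int verify_dropped(uid_t uid, gid_t gid) {
    if (uid == 0) return 0;                            /* root is not a drop */
    if (getuid() != uid || geteuid() != uid) return 0;
    if (getgid() != gid || getegid() != gid) return 0;
    if (setuid(0) == 0 || seteuid(0) == 0) return 0;   /* saved uid was still 0 */
    return 1;
}

/* Order matters: supplementary groups, then gid, then uid. Once the uid is
 * changed the process no longer has the privilege to change its groups. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (uid == 0 || gid == 0) return -1;               /* refuse a no-op "drop" */
    if (setgroups(1, &gid) != 0) return -1;            /* shed root's group list */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;                   /* as root: real, effective, saved */
    return verify_dropped(uid, gid) ? 0 : -1;
}

int main(void) {
    struct sockaddr_in addr = {0};
    int one = 1, fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) { perror("socket"); return 1; }
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_ANY);
    addr.sin_port = htons(80);                         /* privileged: needs root */
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) != 0 || listen(fd, 16) != 0) {
        perror("bind/listen on port 80");
        return 1;
    }
    if (drop_privileges(65534, 65534) != 0) {          /* assumed ids of "nobody" */
        fprintf(stderr, "privilege drop failed, refusing to serve\n");
        return 1;
    }
    /* The already-bound socket stays usable; the server's accept() loop now
     * runs as uid 65534 and a test such as mkdir("/blah") fails with EACCES. */
    printf("listening on port 80 as uid %d\n", (int)getuid());
    close(fd);
    return 0;
}
```

A wrapper that reports the new user name without running a check like `verify_dropped` can print 'nobody' while the process keeps root's rights.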
Re: Run Orion on port80 without being root?
My solution seems to be working so far. I have Orion running as an arbitrary user bound to port 8000. I'm redirecting with ipchains all requests to port 80 to port 8000 with:

    ipchains -A input -p tcp -s 0/0 -d 0/0 80 -j REDIRECT 8000

The logs show the originating host since I'm not masquerading - this is obviously very important. I haven't run into a problem yet.. I'll try to break it and report here if I do.

Regards,
Brian

Sach Jobb wrote:

Thanks guys,

This sums up everything pretty well: http://www.orionsupport.com/users.html

The root of the problem (pun intended) is here: "Java, however, has no concept of a user, because Java is cross-platform and some platforms don't have any real user (such as Win98, which uses the term "user" very loosely.)"

cheers,
sach
%s/windows/linux/g

On Tue, 12 Sep 2000, Brian Beaulieu wrote:

I tried this (had to recompile the library though). It says it's running it as user 'nobody' however all processes are still owned by nobody. When I attempt to create a directory '/blah' (shouldn't be able to), it works.

I have to find a way to do this. I'm going to try running orion on a port 1024 and do port forwarding but that might cause some issues with advanced functionality. I'll look at the JINI library to see if I can find the problem and do some more debugging.

Are there any other solutions out there?

Regards,
Brian

Markus Holmberg wrote:

On Mon, Sep 11, 2000 at 11:11:57AM -0700, Sach Jobb wrote:

Has anyone found a way of running Orion on port80 without being root? I'm getting ready to launch a finance based site and i'm quite concerned about security. I've seen messages like this posted before but i have yet to see any kind of resolution. Any ideas?

Changing Orion's uid using JNI: http://www.orionsupport.com/users.html

Markus

--
Markus Holmberg | Give me Unix or give me a typewriter.
[EMAIL PROTECTED] | http://www.freebsd.org/
Re: Run Orion on port80 without being root?
This _is_ a great idea and i considered something like it before, the only problem is that we are deploying on Solaris.

sach

On Tue, 12 Sep 2000, Brian Beaulieu wrote:

My solution seems to be working so far. I have Orion running as an arbitrary user bound to port 8000. I'm redirecting with ipchains all requests to port 80 to port 8000 with:

    ipchains -A input -p tcp -s 0/0 -d 0/0 80 -j REDIRECT 8000

The logs show the originating host since I'm not masquerading - this is obviously very important. I haven't run into a problem yet.. I'll try to break it and report here if I do.

Regards,
Brian

Sach Jobb wrote:

Thanks guys,

This sums up everything pretty well: http://www.orionsupport.com/users.html

The root of the problem (pun intended) is here: "Java, however, has no concept of a user, because Java is cross-platform and some platforms don't have any real user (such as Win98, which uses the term "user" very loosely.)"

cheers,
sach
%s/windows/linux/g

On Tue, 12 Sep 2000, Brian Beaulieu wrote:

I tried this (had to recompile the library though). It says it's running it as user 'nobody' however all processes are still owned by nobody. When I attempt to create a directory '/blah' (shouldn't be able to), it works.

I have to find a way to do this. I'm going to try running orion on a port 1024 and do port forwarding but that might cause some issues with advanced functionality. I'll look at the JINI library to see if I can find the problem and do some more debugging.

Are there any other solutions out there?

Regards,
Brian

Markus Holmberg wrote:

On Mon, Sep 11, 2000 at 11:11:57AM -0700, Sach Jobb wrote:

Has anyone found a way of running Orion on port80 without being root? I'm getting ready to launch a finance based site and i'm quite concerned about security. I've seen messages like this posted before but i have yet to see any kind of resolution. Any ideas?

Changing Orion's uid using JNI: http://www.orionsupport.com/users.html

Markus

--
Markus Holmberg | Give me Unix or give me a typewriter.
[EMAIL PROTECTED] | http://www.freebsd.org/
Re: Run Orion on port80 without being root?
In *nix systems, there isn't a solution except to start up as root and then change to another user/group, like Apache does. I don't think that Java has the ability to manipulate its UID/GID without JNI code.

- Original Message -
From: Sach Jobb [EMAIL PROTECTED]
To: Orion-Interest [EMAIL PROTECTED]
Sent: Monday, September 11, 2000 1:11 PM
Subject: Run Orion on port80 without being root?

Has anyone found a way of running Orion on port80 without being root? I'm getting ready to launch a finance based site and i'm quite concerned about security. I've seen messages like this posted before but i have yet to see any kind of resolution. Any ideas?

cheers,
sach
%s/windows/linux/g