Serversockets on ports <1024 without everlasting root access
Offline Riven
« Posted 2008-09-04 22:06:08 »

I'm fairly sure that to host serversockets under 1024 on linux, you need root access. Now that's not really a problem, because I have the password, but I don't really want to run that app with root-access after the moment the serversocket is bound.

Can I somehow switch the user of a running process from the commandline interface?

I googled it, but I might be searching with the wrong terms, or searching in the wrong direction.

Anybody got experience with 'securing' a java (web)server, to 'drop its privileges' ?

Offline CaptainJester

« Reply #1 - Posted 2008-09-05 00:00:37 »

This is for RMI, but I think it would work in your case:

http://www.davidreilly.com/java/java_network_programming/

Quote
4.5 Why won't my RMI implementation run under Java 2?
If you're running the client or server with Java 2, then you'll need to specify a security policy file, to prevent SecurityExceptions being thrown.  This policy file will allow your application to bind to a local port (if a service), and to connect to remote hosts (if a client).

The following changes should be made when running the client/server :

    java -Djava.security.policy=java.policy yourserver

You'll also need to create a policy file (if one does not already exist). Here's a sample policy file that will allow you to accept connections from ports higher than 1024, but connect to all ports as a client.

grant {
   permission java.net.SocketPermission "*:1024-65535",
          "connect,accept,resolve";
   permission java.net.SocketPermission "*:1-1023",
           "connect,resolve";
};

More info here: http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp?topic=/com.ibm.websphere.express.doc/info/exp/ae/rsec_rpolicydir.html

Offline Riven
« Reply #2 - Posted 2008-09-05 06:25:12 »

Nope, this has nothing to do with SecurityManagers :)

It's about Linux user management

Offline kevglass

« Reply #3 - Posted 2008-09-05 07:42:41 »

You can change the effective user running the process by running sudo beforehand. However, this would just mean the process would be run by user "riven" but they would have superuser permissions (presumably not what you were aiming at).

(AFAIK :) ) Other than that on *nix the ports under 1024 are entirely superuser access only and you can't change the permissions on a running process unless you call setuid() from a root process internally.

C code like Apache changes the user after startup using the setuid() call, which allows it to run on port 80 without serving pages as root. Java doesn't support this (what a surprise!) so Tomcat for instance can't do it. This is one of the reasons Tomcat runs on 8080 and most "real" systems run Apache on the front end.

Kev
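
The Apache-style sequence Kev describes (bind the low port while still root, then setuid() to an unprivileged user), written out in C as an added example that is not from the thread; it is the kind of native code a JNI call would have to wrap. The function names, the port and the uid/gid 65534 are assumptions.

```c
#define _DEFAULT_SOURCE          /* for setgroups() on glibc */
#include <arpa/inet.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind and listen on 0.0.0.0:port; returns the fd or -1. Ports below 1024 need
 * root (or CAP_NET_BIND_SERVICE), which is why this runs before the drop. */
static int bind_tcp_port(int port) {
    struct sockaddr_in addr;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_ANY);
    addr.sin_port = htons((unsigned short)port);
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Drop to uid/gid. Order matters: supplementary groups, then gid, then uid;
 * once the uid is unprivileged the other two calls would fail. Returns 0 only
 * if the drop is verified irreversible; on -1 the caller must exit, never
 * carry on as root. */
static int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) < 0) return -1; /* root only */
    if (setgid(gid) < 0) return -1;
    if (setuid(uid) < 0) return -1;
    if (geteuid() != uid || getegid() != gid) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;  /* root regained: drop failed */
    return 0;
}

int main(void) {
    const uid_t run_uid = 65534, run_gid = 65534; /* "nobody" on many distros (assumption) */
    int fd = bind_tcp_port(80);
    if (fd < 0) { perror("bind :80 (run as root)"); return 1; }
    if (drop_privileges(run_uid, run_gid) < 0) { perror("drop_privileges"); return 1; }
    printf("listening on :80 as uid %u; accept() loop goes here\n", (unsigned)geteuid());
    close(fd);
    return 0;
}
```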

Offline blahblahblahh

« Reply #4 - Posted 2008-09-05 08:09:53 »

The standard approach (and officially encouraged) is to put your server on a high port and then configure the linux firewall to redirect the low port to the high port.

e.g. redirect all traffic on port 80 to port 8080

This has a huge security benefit (which is probably partly why it's recommended): if you ever forget to install the firewall, or the firewall gets switched off, your server will appear to stop responding :). You will very quickly get told by all your users that something is wrong.

There are other ways of de-securing the ports by faffing about with the kernel (heck, you've got the source - you can recompile!) but you almost certainly don't want to go there :)

PS: I think kev meant "running su beforehand", because su is something you run first ("switch user") but sudo is something where you have to prefix it to the command you actually want to run ("Switch User, and DO this:" IIRC is what it stands for)

Offline kevglass

« Reply #5 - Posted 2008-09-05 08:13:57 »

Yeah, what he said. :)

Kev

Offline Riven
« Reply #6 - Posted 2008-09-05 08:32:29 »

So when using Kev's approach I'd have to make some JNI calls I guess...

But Blah*3h's approach is much nicer, although I don't really want to learn firewalls by trial-and-error when working remotely through SSH. The risk of locking myself out is rather high.

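
The port redirect blahblahblahh suggests, plus a timed rollback for the lock-out risk raised in this post, as an added example that is not from the thread. The port numbers, the snapshot path and the rollback delay are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread: redirect a low port to the high port the
# server actually listens on, with a timed rollback so a mistake made over SSH
# undoes itself. Ports, snapshot path and delay are assumptions. Only functions
# are defined here; nothing changes until apply_with_rollback is run as root.

# Print the iptables commands that send TCP/$1 to TCP/$2, one per line.
# PREROUTING handles traffic from other hosts; the OUTPUT rule makes the
# redirect also apply to connections made from the box itself (e.g. tests).
redirect_rules() {
    low=$1; high=$2
    echo "iptables -t nat -A PREROUTING -p tcp --dport $low -j REDIRECT --to-ports $high"
    echo "iptables -t nat -A OUTPUT -o lo -p tcp --dport $low -j REDIRECT --to-ports $high"
}

# Snapshot the current ruleset, apply the redirect, and arm a background
# timer that restores the snapshot after ROLLBACK_SECS unless confirm_rules
# is run first. A failed apply restores immediately. Requires root.
apply_with_rollback() {
    low=$1; high=$2
    snap=${SNAPSHOT:-/root/iptables.before-redirect}   # assumed path
    iptables-save > "$snap" || return 1
    if ! redirect_rules "$low" "$high" | sh -e; then
        iptables-restore < "$snap"
        return 1
    fi
    ( sleep "${ROLLBACK_SECS:-300}"
      [ -e "$snap" ] && iptables-restore < "$snap" ) &
    echo "redirect $low -> $high applied; run confirm_rules within ${ROLLBACK_SECS:-300}s"
}

# Keep the new rules: deleting the snapshot disarms the pending rollback.
# Note the high port itself stays directly reachable; filter it in INPUT if
# only the redirected path should be exposed.
confirm_rules() {
    rm -f "${SNAPSHOT:-/root/iptables.before-redirect}"
}
```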
Offline Matzon

« Reply #7 - Posted 2008-09-05 10:09:24 »

Running network services as a non-root user:
http://www.debian-administration.org/articles/386

Offline Riven
« Reply #8 - Posted 2008-09-05 12:41:46 »

Thanks!
