shanepresley
Low Ports run by non-root
Hello,
Currently Solaris requires that ports under 1024 be run only as root. So that means our webserver has to be launched as root. Yes, immediately after launching, Apache cloaks itself as another user. Nice feature.
But still I am having some problems because I want non-root users to be able to bring up/down processes on port 80.
I know using 'ndd /dev/tcp tcp_smallest_nonpriv_port' you can change it from 1024 to some lower port, like 80.
But is it possible to open a single port for non-root access, like ONLY 80, but leave 81-1024 default?
Thanks
Shane
You could employ a tool like sudo (http://www.courtesan.com/sudo/) to allow normally-unprivileged users to perform privileged actions, such as launching a process that binds to a privileged port.
ASKER
Actually I'm having trouble with ndd -set /dev/tcp tcp_smallest_nonpriv_port #
It will let me set 1024 or higher, but won't let me do
ndd -set /dev/tcp tcp_smallest_nonpriv_port 80
operation failed, Invalid argument
Anyone know if on Solaris 8/9 you can change that value?
ASKER CERTIFIED SOLUTION
SOLUTION
tcpwrapper (tcpd) called from inetd is such a program, see
man portmap
man inetd
if it has to be a daemon, see apache suggestion above ...
SOLUTION
no, only the way for example apache does it.