gogodna


How to turn on port 443 in Redhat Linux?

Hi

I am using Redhat Linux for my application server. I don't want to use "root" to start up my application, so I created a user "user" that can only access this application. But somehow I get an error message "Permission denied:443". After that I found out that if I use "root" to start my application, I do not have any problem. I believe "user" didn't have the right to open the port or do port forwarding. Do you have any suggestions for me to use "user" to start my application without problems? And how can I turn on port 433 by default?

Thanks
Simon
sundeepgopal

hey,
I don't think it could be a problem with port
try as root:
chmod 754 {application name}

Port 433 is turned on by default. But on any Linux/Unix, ports under 1024 are only accessible to user root. So you have two options:

1. Change the listening port number of your "application server" to any port number larger than 1024. Use netstat to determine which ports are taken so far.
2. Use sudo to shortcut the user "user". This way, the "user" will be root when starting your "application server". But this is NOT the recommended way, since it could be a serious security hole.
gogodna

ASKER

how can I give the right only for "user" to access port 443?

Arty K

What kind of application does the user start? Server or client?
windmoonland is right: if server, there is no means for the user to start an application listening on port 433. If client, there should not be such a problem.
If server:
Your application should ALWAYS be started with root privileges.
You may do:
1) sudo (man sudo) from user to run this application from the root account
2) make your application suid root (chmod +s progname, chown root progname), so any user may run this application with root privileges


If this application is written by you, I recommend you drop root privileges (setuid(real uid)) right after binding to port 433.
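
The bind-then-drop pattern recommended in the post above, as an added C example that is not part of the original thread. The function names `bind_then_drop` and `drop_privileges` are hypothetical, and uid/gid 65534 (the "nobody" account on many systems) is an assumption; substitute the ids of the dedicated service account.

```c
/* Added example, not from the thread. Names, port and ids are assumptions. */
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Permanently give up root. Order matters: supplementary groups and the
 * gid must be changed first, while the process may still change them. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* Verify the drop cannot be undone: regaining root must fail. */
    if (uid != 0 && setuid(0) == 0) return -1;
    return 0;
}

/* Returns a listening socket held by a non-root process, or -1 on failure. */
int bind_then_drop(unsigned short port, uid_t uid, gid_t gid)
{
    struct sockaddr_in addr;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_ANY);
    addr.sin_port = htons(port);
    /* bind() on a port below 1024 is the only step that needs root. */
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) != 0 ||
        listen(fd, 16) != 0 ||
        drop_privileges(uid, gid) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    /* Port 443 is from the thread; 65534/65534 is an assumed account. */
    int fd = bind_then_drop(443, 65534, 65534);
    if (fd < 0) { perror("bind_then_drop"); return 1; }
    printf("listening on 443 as uid %d\n", (int)getuid());
    close(fd);
    return 0;
}
```

Started without root, `bind()` fails with EACCES, which is the "Permission denied" error from the question; started as root, the socket stays open while the rest of the program runs as the unprivileged account.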
gogodna

ASKER

If I don't want to use root to start my server, how about I use port forwarding function?
If I use port forwarding, only root has the right to do it.
If I use port 8443 for my application, I will use port forwarding from 8443 to 443. How can I write a script for restarting my server and run the script by itself? It is because I want to prevent when I restart my server, I forget to do a port forwarding.
Port forwarding from 8443 to 443 will not work in your case, because forwarding works for incoming connections.
If you forward from 443 to 8443 and the server listens on 8443, it will work fine.

"How can I write a script for restarting my server and run the script by itself? It is because I want to prevent when I restart my server, I forget to do a port forwarding."
It is not clear to me what you want.

Port forwarding must be run only once and by root (doesn't matter how many times you will restart server).
There are kernel level and application level forwarding. I prefer forwarding applications (because they are portable).
Very simple and working example you may get from here: http://o0o.nu/sec/tools/bounce-0.0.1.tar.gz
Just compile and run it as root with appropriate parameters.
Then it doesn't matter how many times you restart your server, forwarding will work.
Hi Gogodna


I don't know if this will be any use to you, but check it out anyway:

http://kbase.redhat.com/faq/FAQ_71_5708.shtm


Check this too while you're at it:

http://kbase.redhat.com/faq/FAQ_45_3957.shtm


I imagine you can add port 443:[Application name] as user root, which should make that specific port open at all times.

Port 443 isn't perhaps already used by something else on your machine?

To check if it is, do this:

sudo netstat -alp | grep :443
ASKER CERTIFIED SOLUTION
dcsbeemer
This solution is only available to members.
Feedback would be nice...
Excellent, thanks Simon! :)