How to turn on port 443 in Redhat Linux?

Medium Priority
2,838 Views
Last Modified: 2013-12-06
Hi

I am using Redhat Linux for my application server. I don't want to use "root" to start up my application, so I created a user "user" that can only access this application. But somehow I get an error message "Permission denied:443". After that I found out that if I use "root" to start my application, I don't have any problem. I believe "user" didn't have the right to open the port or do port forwarding. Do you have any suggestions for me to use "user" to start my application without problems? And how can I turn on port 433 by default?

Thanks
Simon

hey,
I don't think it could be a problem with the port.
Try as root:
chmod 754 {application name}

Port 433 is turned on by default. But on any Linux/Unix, ports under 1024 are only accessible to the root user. So you have two options:

1. Change the listening port number of your "application server" to any port number larger than 1024. Use netstat to determine which ports are taken so far.
2. Use sudo to shortcut the user "user". This way, the "user" will be root when starting your "application server". But this is NOT the recommended way, since it could be a serious security hole.

Author

Commented:
how can I give the right only for "user" to access port 443?

Artysystem administrator
Top Expert 2007

Commented:
What kind of application does the user start? Server or client?
windmoonland is right: if it is a server, there is no way for a user to start an application listening on port 433. If it is a client, there should be no such problem.
If server:
Your application should ALWAYS be started with root privileges.
You may do:
1) sudo (man sudo) from the user to run this application from the root account
2) make your application suid root (chmod +s progname, chown root progname), so any user may run this application with root privileges

If this application is written by you, I recommend you drop root privileges (setuid(real uid)) right after binding to port 433.
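The two previous answers describe the same constraint from two sides: a port below 1024 can only be bound by root, and the safe way to use one is to bind it while privileged and then give the privileges up. The following is an added example (not code from the thread or from any of the posters) showing that pattern in Python on Linux: classify the port, bind it, then switch permanently to an unprivileged uid/gid and verify that root cannot be regained. The uid/gid 65534 is an assumed placeholder (it is "nobody" on most distributions); substitute the account the application should run as. The same result can also be obtained without starting as root by granting the binary CAP_NET_BIND_SERVICE via setcap, which this example does not use.

```python
"""Bind a privileged port as root, then drop to an unprivileged account.

Added example, not from the original thread. Assumes Linux and that the
process is started as root when a privileged port is requested. The ids
65534/65534 are placeholders ("nobody" on most distributions).
"""
import os
import socket

PRIVILEGED_PORT_LIMIT = 1024  # ports below this need root (or CAP_NET_BIND_SERVICE)


def is_privileged_port(port: int) -> bool:
    """Return True if binding this port requires root on a stock Linux kernel."""
    return 0 < port < PRIVILEGED_PORT_LIMIT


def bind_listener(port: int, host: str = "0.0.0.0") -> socket.socket:
    """Create a listening TCP socket on host:port.

    Raises PermissionError when the port is privileged and we are not root,
    which is the 'Permission denied:443' the question reports.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(128)
    return sock


def drop_privileges(uid: int, gid: int) -> bool:
    """Permanently switch the process to uid/gid.

    Returns True if privileges were dropped, False if the process was not
    root to begin with (then there is nothing to drop). Order matters:
    supplementary groups and gid must go before uid, because after setuid()
    the process is no longer allowed to change its groups.
    """
    if os.geteuid() != 0:
        return False
    os.setgroups([])   # clear inherited supplementary groups (e.g. wheel)
    os.setgid(gid)     # real, effective and saved gid all change for root
    os.setuid(uid)     # likewise for the uid: this is irreversible
    return True


def verify_unprivileged() -> bool:
    """Confirm root cannot be regained: setuid(0) must now fail with EPERM."""
    if os.geteuid() == 0:
        return False
    try:
        os.setuid(0)
    except PermissionError:
        return True
    return False  # setuid(0) succeeded, so privileges were never really dropped


if __name__ == "__main__":
    listener = bind_listener(443)        # must be root for this line
    drop_privileges(65534, 65534)        # placeholder ids for the service account
    if not verify_unprivileged():
        raise SystemExit("privilege drop failed; refusing to serve as root")
    print("listening on", listener.getsockname(), "as uid", os.getuid())
    # ... accept() loop for the application goes here; the socket stays usable
```

The listening socket created before the drop remains valid afterwards, which is the whole point: the privileged operation happens once, and every byte of request handling runs as the unprivileged account.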

Author

Commented:
If I don't want to use root to start my server, how about using the port forwarding function?
If I use port forwarding, only root has the right to do it.
If I use port 8443 for my application, I will use port forwarding from 8443 to 443. How can I write a script for restarting my server and run the script by itself? This is because I want to prevent forgetting to do the port forwarding when I restart my server.
Artysystem administrator
Top Expert 2007

Commented:
Port forwarding from 8443 to 443 will not work in your case, because forwarding works for incoming connections.
If you forward from 443 to 8443 and the server is listening on 8443, it will work fine.

"How can I write a script for restarting my server and run the script by itself? It is because I want to prevent when I restart my server, I forget to do a port forwarding."
It's not clear to me what you want.

Port forwarding must be run only once and by root (it doesn't matter how many times you restart the server).
There is kernel-level and application-level forwarding. I prefer forwarding applications (because they are portable).
A very simple and working example you may get from here: http://o0o.nu/sec/tools/bounce-0.0.1.tar.gz
Just compile and run it as root with appropriate parameters.
Then it doesn't matter how many times you restart your server, forwarding will work.
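To make the direction point concrete: the forwarder accepts on 443 and opens a fresh connection to 8443 for every client, so it is the forwarder, not the application, that needs root, and the application on 8443 can be restarted without touching the forwarder. Below is an added example of such an application-level forwarder in Python (it is not the bounce tool linked above, and its code is not from the thread). Assumptions: run as root to bind 443, the application listens on 8443 on the same host, and `demo_roundtrip()` uses a constructed stand-in backend on loopback so the relay can be exercised without root. A kernel-level alternative is a NAT redirect rule such as `iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443`; one practical difference is that behind an application-level forwarder the server sees every client as coming from the forwarder's own address, so access logs lose the real client IP.

```python
"""Application-level TCP forwarder: accept on one port, relay to another.

Added example, not from the original thread and not the bounce tool it links.
Run once as root so it can bind 443; each accepted client gets a new
connection to the application on 8443, so the application can run as an
ordinary user and be restarted freely. demo_roundtrip() wires a constructed
stand-in backend on loopback so the relay can be tested without root.
"""
import asyncio


async def _pump(src: asyncio.StreamReader, dst: asyncio.StreamWriter) -> None:
    """Copy bytes from src to dst until EOF, then half-close dst."""
    try:
        while True:
            chunk = await src.read(65536)
            if not chunk:
                break
            dst.write(chunk)
            await dst.drain()
    except ConnectionError:
        pass  # peer went away mid-stream; the other direction will notice EOF
    finally:
        if dst.can_write_eof():
            try:
                dst.write_eof()
            except (OSError, RuntimeError):
                pass


async def relay(client_r, client_w, target_host: str, target_port: int) -> None:
    """Handle one inbound connection: connect to the backend and pump both ways."""
    try:
        backend_r, backend_w = await asyncio.open_connection(target_host, target_port)
    except OSError:
        client_w.close()  # backend down (e.g. mid-restart): drop this client only
        return
    await asyncio.gather(_pump(client_r, backend_w), _pump(backend_r, client_w))
    client_w.close()
    backend_w.close()


async def start_forwarder(listen_host: str, listen_port: int,
                          target_host: str, target_port: int) -> asyncio.AbstractServer:
    """Listen on listen_host:listen_port and relay every connection to target."""
    async def handler(r, w):
        await relay(r, w, target_host, target_port)
    return await asyncio.start_server(handler, listen_host, listen_port)


async def _upper_echo_backend(reader, writer) -> None:
    """Constructed stand-in for the real application server on 8443."""
    data = await reader.read(65536)
    writer.write(data.upper())
    await writer.drain()
    writer.close()


async def demo_roundtrip(payload: bytes) -> bytes:
    """Start stand-in backend and forwarder on ephemeral loopback ports, send payload."""
    backend = await asyncio.start_server(_upper_echo_backend, "127.0.0.1", 0)
    backend_port = backend.sockets[0].getsockname()[1]
    fwd = await start_forwarder("127.0.0.1", 0, "127.0.0.1", backend_port)
    fwd_port = fwd.sockets[0].getsockname()[1]
    reader, writer = await asyncio.open_connection("127.0.0.1", fwd_port)
    writer.write(payload)
    await writer.drain()
    writer.write_eof()              # tell the relay we are done sending
    response = await reader.read()  # read until the relay half-closes our side
    writer.close()
    fwd.close()
    backend.close()
    return response


def run_demo(payload: bytes = b"hello through the forwarder") -> bytes:
    """Synchronous wrapper: returns what came back through forwarder and backend."""
    return asyncio.run(demo_roundtrip(payload))


if __name__ == "__main__":
    print(run_demo())
    # Production use (as root): asyncio.run(serve_forever) with
    # start_forwarder("0.0.0.0", 443, "127.0.0.1", 8443)
```

The stand-in backend upper-cases what it receives so the round trip proves bytes really passed through the relay in both directions; the production wiring in the `__main__` comment is the 443-to-8443 case the answer describes.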
CERTIFIED EXPERT

Commented:
Hi Gogodna


I don't know if this will be any use to you, but check it out anyway:

http://kbase.redhat.com/faq/FAQ_71_5708.shtm


Check this too while you're at it:

http://kbase.redhat.com/faq/FAQ_45_3957.shtm


I imagine you can add port 443:[Application name] as user root, which should make that specific port open at all times.

Isn't port 443 perhaps already used by something else on your machine?

To check if it is, do this:

sudo netstat -alp | grep :443
CERTIFIED EXPERT
Commented:
Gogodna, hold on, I think this is more relevant to your situation.


Issue:
How can I run Certificate System as a non-root user but still use privileged ports like 443 and 80?
Resolution:

   1. Login as root to the machine where Red Hat Certificate System is to be installed and execute the following:

      # rpm -ivh rhcs*.rpm

   2. Run the setup. Root privileges or being the root user and root group may be needed on some stages to configure Certificate Authority (CA). For example, cert-ca.

      # /opt/redhat-cs/setup/setup

   3. Choose privileged ports like 443, 80 etc.
   4. Restart CA:

      # /opt/redhat-cs/cert-ca/restart-cert

   5. Make sure CA can run on the above mentioned ports. To test it, use a browser and go to https://host:443/
   6. Create a local user and add it to its assigned group.
   7. Go to the cert system instance /opt/redhat-cs/cert-ca/config/ and edit the magnus.conf file. Add the following lines:

      chown -R "specific_username:specific_group" /opt/redhat-cs/cert-ca/
      chown "specific_username:specific_group" /opt/redhat-cs/alias/cert-ca*
      chmod 664 /opt/redhat-cs/alias/secmod.db
      export LD_ASSUME_KERNEL=2.4.1

      For example, to allow the user redhat from group redhat to run Certificate System, we change the lines to:

      chown -R "redhat:redhat" /opt/redhat-cs/cert-ca/
      chown "redhat:redhat" /opt/redhat-cs/alias/cert-ca*
      chmod 664 /opt/redhat-cs/alias/secmod.db
      export LD_ASSUME_KERNEL=2.4.1

   8. Restart the Certificate system:

      # /opt/redhat-cs/cert-ca/restart-cert

Note: If the parameter LD_ASSUME_KERNEL=2.4.1 is not set, then IBM JRE would crash trying to read /proc/self/maps. This would be a known issue documented in this bugzilla report: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=165351 

***  Taken from Redhat Knowledgebase ***

Change it according to your needs and see if it's any help.

CERTIFIED EXPERT

Commented:
Feedback would be nice...
CERTIFIED EXPERT

Commented:
Excellent, thanks Simon! :)