Mailing Lists: Apple Mailing Lists


Re: Error -3212 ???



At 1:24 PM -0700 6/13/01, Craig Schamp wrote:
>on 6/13/01 10:32 AM, Peter Sichel <email@hidden> wrote:
>
>> Another problem is you don't really want your entire server app
>> to be SUID root as this has significant security implications.
>> In order to have an SUID root companion open the port for you and
>> pass back an open socket you need to use native BSD calls.
>> There's no easy way to wrap an OT endpoint around a BSD
>> open socket.
>
>Why not make the application SUID root, then once the application gets
>started and is past the point where it needs root privileges, have it change
>its UID and GID to something more restrictive (such as "nobody")? Or, simply
>require that the application must be started by a process with root
>privileges (a user logged in as root, for example), and in this case also
>make sure the server sets its own UID and GID to something restrictive (as
>is done with the Apache web server, if I recall correctly).
>
>/c

If you are writing a CFM application, then you're out of luck since
you'll be using OT calls. Even if the CFM app gets suid root,
you'll still have a permissions problem, unless you are starting it
as root.

If you're writing a Mach-O application, then you'll need to have it
use BSD native sockets and either (1) run it as root or (2) suid it to
root.

BTW, these permissions problems occur not only for reserved UDP or
TCP ports (< 1024), but for anyone who wants to use a raw socket,
for example, for ICMP ping packets.

Michael Swan
Neon Software, Inc.
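The pattern Craig suggests, written out for Michael's second case (a Mach-O program on BSD sockets): bind the reserved port while still root, then switch to a restrictive uid and gid the way Apache does, and verify the drop is permanent. This is an added example, not code from this thread or from Neon Software; it assumes a `nobody` account exists and is written against the Linux/macOS `setgroups`/`setgid`/`setuid` ordering.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* declares setgroups() in glibc's <grp.h> */
#endif
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind and listen on a TCP port. Ports below 1024 need root (or a
 * setuid-root binary) at this point. Returns the listening fd or -1. */
int bind_tcp_port(unsigned short port) {
    struct sockaddr_in sa = {0};
    int one = 1, fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons(port);
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        int saved = errno; close(fd); errno = saved; return -1;
    }
    return fd;
}

/* Permanently drop to uid/gid. Order matters: supplementary groups and
 * the gid go first, because once the uid is non-root those calls are no
 * longer permitted. setuid() rather than seteuid() makes the drop
 * irreversible; the final check confirms root cannot be regained. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(1, &gid) != 0) return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    if (uid != 0 && (setuid(0) == 0 || geteuid() != uid || getegid() != gid))
        return -1;
    return 0;
}

int main(void) {
    struct passwd *pw = getpwnam("nobody");   /* assumed to exist */
    int fd = bind_tcp_port(80);               /* privileged: still root here */
    if (fd < 0) { perror("bind port 80"); return 1; }
    if (!pw || drop_privileges(pw->pw_uid, pw->pw_gid) != 0) { perror("drop_privileges"); return 1; }
    /* The bound fd keeps working, but a new privileged bind now fails. */
    printf("listening on 80 as uid %u\n", (unsigned)getuid());
    if (bind_tcp_port(443) < 0) perror("bind port 443 after drop");
    close(fd); return 0;
}
```

Run as root (or setuid root) to watch port 80 bind and the later port 443 bind fail with EACCES once the process is `nobody`.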


References: 
 >Re: Error -3212 ??? (From: "Craig Schamp" <email@hidden>)


