On Mar 27, 2005, at 2:47 AM, OL&L Lists wrote:
At 5:12 PM -0600 3/26/05, Glen Ezkovich wrote:
On Mar 26, 2005, at 4:33 PM, OL&L Lists wrote:
At 3:06 PM -0600 3/26/05, Paul Roebuck wrote:
Michael wrote:
I have a Java application that needs to be able to listen on
low-numberd ports (below 1024). In OS X how does one elevate the
privileges of a running Java application so that it can bind to
low-numbered ports and then drop the privileges after the binds are
done but still continue to listen on the sockets?
You don't.
What do you mean by "you don't"? Do you mean it's not possible or
do you mean it's not a good idea?
If it's not possible then how do people write Java applications
that listen on low-numbered ports?
And if it's not possible then how can one work around that
limitation to make it possible?
Its possible and the way I do it, it is not a good idea. :-P I run
Tomcat listening on port 80 for testing purposes by logging in to
an administrative account and using sudo to start up Tomcat. The
problem with this is that Tomcat runs with Administrative
privileges and this makes the system vulnerable to devastating
attacks. Ideally what you'd want to do is start the process with
root privileges and once the port is bound revert the privileges
to only those required by your application. Unfortunately, there
is no way to this from either the command line or in Java. You
might like to take a look at jsvc
http://jakarta.apache.org/commons/daemon/jsvc.html . I have not
used this on macs yet but I have used on Linux successfully.
One more quick question for you:
Would it be possible to do this in Java indirectly by having a C
routine that can elevate the privileges?
I was thinking write a small .dylib, then a JNI stub, then the Java
app that would link to all of those. The Java app could call
through the JNI library to the C code and the C code could then
elevate the process's privileges temporarily to bind and then drop
back down. Since all the libs would be linked to the parent Java
process, the C code could just elevate the privileges of whatever
app called it. Would this work?
Unfortunately, this isn't an area of my expertise. I don't think its
possible to elevate the process' privileges beyond those of the user
who initiates the process. If it is possible then, sure, it can be
done.
Its been my experience that user apps are usually clients and don't
need to bind to a privileged port. What is that you are trying to do
that requires the user to run a server bound to a privileged port?
Maybe with a bit more information, I can help a more.
Glen Ezkovich
HardBop Consulting
glen at hard-bop.com
