Hi. I'm working with some Java code that wants to open a privileged
port (80), but I'd like to run it as non-root, via launchctl. Is
there any way to do this? I'm not even sure how a native process
could do this via launchd.
Is this the Java servlet container you mentioned in this cocoa-dev post
If so, are you saying it has no way whatsoever to designate the port
it should run on? That seems remarkable to me, especially for port
80, which can be unavailable for reasons that have nothing to do with
root privilege on a given host.
Please identify what servlet container this is that requires port 80.
A native process on port 80 would do something like this.
1. It would have to be launched with an effective userid (euid) of
root.
2. It would open port 80 (this is allowed when euid==0).
3. It would then call setuid() with a safe non-root uid, e.g. "www".
The setuid() function is a Posix system call: man 2 setuid. It's a
fairly typical use of setuid(), if any use of setuid() can be called
"typical".
The first step, being launched as root, would require a root-owned
launchd plist, stored in the system location (i.e. NOT the per-user
location), and the controlling launchctl call would have to be done
with an euid of root. That is, you'd have to run 'sudo launchctl',
or you'd have to run 'launchctl' using
AuthorizationExecuteWithPrivilege() from Apple's Authorization Services.
The complexity of this, along with the potential for accidentally
creating a security hole, is one of the reasons I'm surprised there
wouldn't be a way to tell the servlet container to use a port
different from 80. Even the Apache web server allows configuration
for ports other than 80, and it's probably the most widely used
port-80 resident on the internet.
-- GG
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Java-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
