
On 2019/06/10 17:49, Marc Chamberlin wrote:
> Hi - I dunno if this is a good group to ask this question but I will give it a shot and perhaps get pointed to a better group...
>
> I am running the Apache James email server on an OpenSuSE 15.0 x64 system and because of some other requirements I have to run the James daemon under a system user name and not under root. To accomplish that I had to change all the standard email ports that it listens on, to higher ones (I added 10000 to the standard port numbers so for example instead of having the smtp server listen on port 25 I configured it to listen on port 10025).

Probably a bit late for this, but you never know...

You could have run as any arbitrary user, and simply set the binary to "SETCAP xxx" to re-enable the various root privileges in the kernel that you needed. It might be as simple as making the binary have CAP_NET_ADMIN (or maybe CAP_NET_BIND_SERVICE) to bind the ports you needed.

It would likely be more portable than something bound to some specific firewall implementation since the Capabilities are in the kernel so any version of Suse or any other distro would work.

Example is /usr/bin/ping needing the 'net_raw' capability to send out ICMP pings:

    filecap /usr/bin/ping
    file                 capabilities
    /usr/bin/ping        net_raw
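
Added example, not part of the original message: a shell check of a running daemon's effective capability mask (the CapEff line in /proc/PID/status), reporting whether it holds exactly cap_net_bind_service, the capability that permits binding ports below 1024, or more than that. The function names, the placeholder binary path and the sample masks are constructed for illustration; the bit numbers come from linux/capability.h.

```shell
#!/bin/sh
# Granting step (run as root; /path/to/daemon-binary is a placeholder):
#   setcap cap_net_bind_service=+ep /path/to/daemon-binary
#   getcap /path/to/daemon-binary
# The functions below audit the result on the running process.

# mask_has_cap HEXMASK BIT -> exit status 0 if that capability bit is set
mask_has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# effective_caps PID -> prints the CapEff hex mask of a running process
effective_caps() {
    awk '$1 == "CapEff:" { print $2 }' "/proc/$1/status"
}

# net_caps HEXMASK -> names of the network capabilities set in the mask
# (bit numbers from linux/capability.h: 10, 12, 13)
net_caps() {
    out=""
    for pair in 10:net_bind_service 12:net_admin 13:net_raw; do
        if mask_has_cap "$1" "${pair%%:*}"; then
            out="$out ${pair#*:}"
        fi
    done
    echo "${out# }"
}

# audit_mask HEXMASK -> verdict for a daemon that only needs low ports:
#   none     no capabilities at all (cannot bind ports below 1024)
#   minimal  exactly cap_net_bind_service
#   excess   cap_net_bind_service plus other capabilities
#   missing  other capabilities, but not cap_net_bind_service
audit_mask() {
    if [ $((0x$1)) -eq 0 ]; then
        echo "none"
    elif [ $((0x$1)) -eq $((1 << 10)) ]; then
        echo "minimal"
    elif mask_has_cap "$1" 10; then
        echo "excess"
    else
        echo "missing"
    fi
}

# Usage: sh capaudit.sh PID
if [ $# -ge 1 ]; then
    audit_mask "$(effective_caps "$1")"
fi
```

A process started as root typically shows every bit set and is reported as "excess"; an unprivileged daemon started from a binary carrying only cap_net_bind_service is reported as "minimal".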