On 6/10/19 9:26 PM, L A Walsh wrote:
On 2019/06/10 17:49, Marc Chamberlin wrote:
Hi - I dunno if this is a good group to ask this question but I will give it a shot and perhaps get pointed to a better group...
I am running the Apache James email server on an OpenSuSE 15.0 x64 system and because of some other requirements I have to run the James daemon under a system user name and not under root. To accomplish that I had to change all the standard email ports that it listens on to higher ones (I added 10000 to the standard port numbers, so for example instead of having the smtp server listen on port 25 I configured it to listen on port 10025).
Probably a bit late for this, but you never know...
You could have run as any arbitrary user, and simply set the binary to "SETCAP xxx" to re-enable the various root privileges in the kernel that you needed. It might be as simple as making the binary have CAP_NET_ADMIN (or maybe CAP_NET_BIND_SERVICE) to bind the ports you needed. It would likely be more portable than something bound to some specific firewall implementation since the Capabilities are in the kernel, so any version of Suse or any other distro would work.
Example is /usr/bin/ping needing the 'net_raw' capability to send out ICMP pings:
    filecap /usr/bin/ping
    file                 capabilities
    /usr/bin/ping        net_raw
Well THANKS Walsh, you certainly presented another interesting path to follow down! I have never heard of SETCAP before but it certainly seems like a logical way to get around the requirement that only ROOT can use the low numbered ports! I may have already found the brute force solution of setting iptables rules, and when I get some spare time I will look further into SETCAP as a more elegant solution. It is on my TODO list!

Marc...

--
--... ...-- .----. ... -.. . .-- .- --... .--. -..- .-- -- .- .-. -.-.
Computers: the final frontier. These are the voyages of the user Marc.
His mission: to explore strange new hardware. To seek out new software and new applications.
To boldly go where no Marc has gone before!
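A small probe for the CAP_NET_BIND_SERVICE route Walsh describes, added here as an example and not code from either poster: it reads the effective capability set from /proc/self/status and attempts a bind() to a low port, so you can confirm whether the daemon's process really holds the capability before and after running setcap on its binary (the file name bindprobe and the bit-number constant are assumptions; bit 10 is CAP_NET_BIND_SERVICE in linux/capability.h).

```c
/* Added example, not from the thread: Linux-only probe for CAP_NET_BIND_SERVICE.
 * Build: cc -o bindprobe bindprobe.c   Run: ./bindprobe 25 */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#define CAP_NET_BIND_SERVICE_BIT 10 /* bit number from <linux/capability.h> */

/* 1 if capability `bit` is set in a CapEff/CapPrm hex mask as printed in
 * /proc/<pid>/status (e.g. "0000000000000400" holds only bit 10), else 0. */
int cap_in_hex_mask(const char *hex, int bit) {
    unsigned long long mask = strtoull(hex, NULL, 16); /* leading tab skipped */
    return (int)((mask >> bit) & 1ULL);
}

/* Look up `bit` in the effective set of the current process; 0 if unreadable. */
int have_effective_cap(int bit) {
    FILE *f = fopen("/proc/self/status", "r");
    char line[256]; int found = 0;
    if (!f) return 0;
    while (fgets(line, sizeof line, f))
        if (strncmp(line, "CapEff:", 7) == 0) { found = cap_in_hex_mask(line + 7, bit); break; }
    fclose(f);
    return found;
}

/* Bind a TCP socket to 0.0.0.0:port. Returns 0 on success, else the errno from
 * bind(); EACCES on a port below 1024 means CAP_NET_BIND_SERVICE is missing. */
int try_bind(unsigned short port) {
    struct sockaddr_in sa = {0};
    int fd = socket(AF_INET, SOCK_STREAM, 0), err = 0;
    if (fd < 0) return errno;
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) err = errno;
    close(fd);
    return err;
}

int main(int argc, char **argv) {
    unsigned short port = (unsigned short)(argc > 1 ? atoi(argv[1]) : 25);
    int err = try_bind(port);
    printf("CAP_NET_BIND_SERVICE effective: %s\n", have_effective_cap(CAP_NET_BIND_SERVICE_BIT) ? "yes" : "no");
    printf("bind(0.0.0.0:%u): %s\n", (unsigned)port, err ? strerror(err) : "ok");
    return err != 0;
}
```

Run it as the James system user once without and once after `setcap cap_net_bind_service=+ep` on the binary to see the bind result flip from "Permission denied" to "ok". Note that a file capability on a shared interpreter such as the java launcher grants it to every program any user starts through it, whereas a systemd unit with AmbientCapabilities=CAP_NET_BIND_SERVICE scopes the capability to that one service.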