[JDEV] Re: [jadmin] [jadmin]Port access below 1024

Justin Georgeson jgeorgeson at unboundtech.com
Thu Jun 6 13:00:50 CDT 2002


There is a big if clause to call setuid/setgid in the main function in 
jabberd.c. I've just been moving that around to see what happens. If I 
put it right before the while(1) loop at the end of the main function, 
then the process can bind privileged ports, the pidfile is right, root 
owns the pidfile, and the extra jabberd thread (due to loading dnsrv) is 
still running as root. That's as close as I have come. The problem is 
that, as viewed from the main function, binding the ports and writing 
the pidfile all happen in one massive atomic step to process the config 
file. Perhaps the config file should be extended to have a tag for the 
username to run as. That way, you could arrange the order the steps are 
taken as the config file is processed.

Jonathan Augenstine wrote:
> Justin,
> 
> I have two questions.  The first is whether the changes you made to
> reorder the code have been contributed back for inclusion with the
> distribution.  If not I would be interested in knowing what changes you
> made, as I have great need to implement this.  The second question is,
> can you change ownership or permissions on the pid file prior to the fork
> to make it writable to the designated user and rewrite the pid after the
> fork()?
> 
> Jonathan
> 
> 
>>-----Original Message-----
>>From: Justin Georgeson [mailto:jgeorgeson at unboundtech.com] 
>>Sent: Wednesday, June 05, 2002 6:45 PM
>>To: jadmin at jabber.org
>>Cc: jdev
>>Subject: [JDEV] Re: [jadmin] [jadmin]Port access below 1024
>>
>>
>>It's not so much the ownership, it's that the pid in the pidfile is 
>>wrong. I couldn't get the pidfile to be written after the fork. Even on 
>>systems that have a tool to kill all processes with a given name 
>>(killall jabberd on RedHat for example), that's not always viable, as 
>>you might have multiple instances and only want to stop one.
>>
>>Jonathan Augenstine wrote:
>>
>>>>only answer I was given was to have my firewall forward the
>>>>privileged port to the unprivileged port jabber is running on.
>>>
>>>If I had that option available we would not be having this exchange.
>>>Unfortunately.
>>>
>>>Can you clarify what the ramifications are of the problem you describe
>>>below.  I understand that the pid file is created by root and as a 
>>>consequence the specified user account is unable to access the pid 
>>>file. How does this impact?
>>>
>>>
>>>
>>>
>>>>-----Original Message-----
>>>>From: Justin Georgeson [mailto:jgeorgeson at unboundtech.com]
>>>>Sent: Wednesday, June 05, 2002 11:55 AM
>>>>To: jadmin at jabber.org
>>>>Subject: Re: [jadmin] [jadmin]
>>>>
>>>>
>>>>Using the -B command line option you can specify what user to run 
>>>>as. I have successfully reordered the code to bind to the port before 
>>>>calling setuid/setgid and forking. The problem is I have been 
>>>>unsuccessful getting all this done before writing the pidfile, so I 
>>>>end up with a pidfile with the wrong pid and the process owner can't 
>>>>read. I've posted to several lists (this one, jdev, and 
>>>>jabberd at jabberstudio.org) and the only answer I was given was to 
>>>>have my firewall forward the privileged port to the unprivileged 
>>>>port jabber is running on.
>>>>
>>>>Jonathan Augenstine wrote:
>>>>
>>>>
>>>>>I have a question on running Jabber on non-standard ports.  Does
>>>>>anyone have documentation or notes on how to run Jabber on ports below
>>>>>1024 but not run Jabber as root?
>>>>>
>>>>>Jonathan Augenstine
>>>>>_______________________________________________
>>>>>jadmin mailing list
>>>>>jadmin at jabber.org
>>>>>http://mailman.jabber.org/listinfo/jadmin
>>>>
>>>>
>>>>--
>>>>Justin Georgeson
>>>>UnBound Technologies, Inc.
>>>>http://www.unboundtech.com
>>>>Main   713.329.9330
>>>>Fax    713.460.4051
>>>>Mobile 512.789.1962
>>>>
>>>>5295 Hollister Road
>>>>Houston, TX 77040
>>>>Real Applications using Real Wireless Intelligence(tm)
>>>>
>>
>>_______________________________________________
>>jdev mailing list
>>jdev at jabber.org
>>http://mailman.jabber.org/listinfo/jdev
>>



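The ordering this thread is circling (bind while still root, fork, let the surviving process write its own pid, then setuid/setgid), as an added C example that is not jabberd's code; the loopback-only listener, the /tmp pidfile path and the uid/gid passed in are assumptions for the demo.

```c
#define _GNU_SOURCE                  /* glibc: setgroups() prototype under strict -std */
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Step 1, still root: bind the privileged port (loopback only in this demo). fd or -1. */
int bind_listener(int port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons((unsigned short)port),
                              .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    if (fd >= 0 && (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0)) {
        close(fd); return -1;
    }
    return fd;
}

/* Step 3, surviving process, still root: record OUR pid; chown it to the user (EPERM if not root). */
int write_pidfile(const char *path, uid_t uid, gid_t gid) {
    FILE *f = fopen(path, "w");
    if (!f || fprintf(f, "%ld\n", (long)getpid()) < 0) { if (f) fclose(f); return -1; }
    fclose(f);
    return (chown(path, uid, gid) == 0 || errno == EPERM) ? 0 : -1;
}

long read_pidfile(const char *path) {                     /* recorded pid, or -1 */
    long pid = -1;
    FILE *f = fopen(path, "r");
    if (f) { if (fscanf(f, "%ld", &pid) != 1) pid = -1; fclose(f); }
    return pid;
}

/* Step 4: drop root for good: supplementary groups, then gid, then uid. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (getuid() != 0) return 0;                          /* nothing to drop */
    if (setgroups(0, NULL) < 0 || setgid(gid) < 0 || setuid(uid) < 0) return -1;
    return (uid != 0 && setuid(0) == 0) ? -1 : 0;         /* drop must be irreversible */
}

/* Step 2: fork. Only the CHILD (the process that keeps running) records its pid; writing it
   before fork is how the parent's pid ends up in the file. Demo: child exits after steps 3-4. */
pid_t fork_and_record(const char *pidfile, uid_t uid, gid_t gid) {
    pid_t child = fork();
    if (child < 0) return -1;
    if (child == 0)
        _exit(write_pidfile(pidfile, uid, gid) == 0 && drop_privileges(uid, gid) == 0 ? 0 : 1);
    int st;
    if (waitpid(child, &st, 0) != child || !WIFEXITED(st) || WEXITSTATUS(st) != 0) return -1;
    return read_pidfile(pidfile) == (long)child ? child : -1;
}
```

Run as root it binds a port below 1024 and drops to the given uid/gid; run unprivileged, bind_listener only succeeds for ports of 1024 and above and drop_privileges is a no-op.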


