[Prev][Next][Index][Thread]
Re: permissions to start server
Date: Sat, 21 Dec 1996 17:55:28 -0500
From: Dave Cooper <dcooper8@ford.com>
Does anyone out there know how to set permissions so that you can
start cl-http as a non-root user?
The HTTP port is 80, and UNIX just does not let non-root users bind
ports below 1024. There are several workarounds:
1. Start the server as root, and then arrange to switch to a more
innocuous user ID after the port has been bound. The details of how
to call the setuid() system call will be specific to Allegro.
2. Have the server listen at a port above 1024, which will mean that
URLs to talk to it will look like http://foo.bar.com:port/. I can't
recall the variable you will need to set: doing (APROPOS "PORT"
"CL-HTTP") is a good way to figure it out.
3. Write a small root program that binds port 80, and, upon getting a
connection, opens a connection to a CL-HTTP process listening at a
high-numbered port and acts as an intermediary. I like using this
approach because it keeps the portion of the system running as root
small, it lets me use URLs without a port number, and the destination
server process can be easily changed without changing published URLs.
Note, though, that CL-HTTP is not so awful to run as root: You don't
have to worry about buffer overrun and fix-sized resource holes, and
the code is small enough that doing a security audit is not such a big
deal. The main things to watch out for are making sure READ and
friends don't get called on random input data without *READ-SUPPRESS*
being bound, making sure you aren't publishing potentially sensitive
information, and checking that arguments to "scripts" can't cause
anything untoward to happen.
--David Gadbois
Follow-Ups:
References: