Update
======

I found 2 bits of software that might fit the bill (and neither are named 'compartment' -- but I'm still looking).

One is 'authbind' -- available at http://packages.debian.org/unstable/utils/authbind.html

Comparison between something like Bindd and authbind (not written by me):
------------------------------------------------------
Authbind gives unprivileged programs the ability to use low ports by the help of a setuid-root binary, whereas bindd has the daemon listening on a UNIX domain socket. The granularity of the access control is about the same, but implemented in a different way. authbind may check access permissions to a special file, whereas bindd implements a straight match of address/port/uid/gid against its configuration file.

The summary:

1. authbind utilizes a setuid-root helper binary. It may be considered as a security drawback because some might feel there are more ways for a malicious user to affect operations in a helper binary architecture than in the architecture with a daemon accepting requests via a socket. It might not be a good idea to place a setuid-root binary into a chroot environment (especially one created to run untrustworthy code).

2. Invoking a helper binary from the new bind(3) code may have undesired side-effects if the application uses SIGCHLD for its own needs. It's a drawback of the authbind approach.

3. authbind code is smaller in size, which may be considered as a security advantage.

4. bindd provides logging of attempts to use its service, which may be considered as a security advantage.

Also, for privileged port binding, LIDS ( http://www.lids.org ) can apparently give CAP_NET_BIND_SERVICE to the programs which need this capability, while you can disable this capability to disallow anybody (any program) from binding ports under 1024. See http://www.lids.org for details. This requires a change to your kernel image, though.

Dan

-----Original Message-----
From: Ben Kennish [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 09, 2001 2:03 AM
To: [EMAIL PROTECTED]
Subject: Re: How do I run Apache on port 80 using 2.4.x kernel?

Dan,

Thank you for asking this question - I was wondering about this when I wrote this part of the FAQ but never got around to asking the question. Please let us know how you get on (and so that I can add instructions, etc. to the FAQ). This definitely sounds like the best way to go.

Regards,

Ben Kennish
[EMAIL PROTECTED]
www.fubra.com

----- Original Message -----
From: "Tim Sellar" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, October 08, 2001 6:59 PM
Subject: RE: How do I run Apache on port 80 using 2.4.x kernel?

> There was a tool written under Debian (compartment I think it was called)
> which performed the necessary functionality. It allowed you to start a
> process with only a specified set of capabilities. In the case of Apache
> under freeVSD you would want to give Apache only the privileges it
> needs - specifically to allow it to connect to a port < 1024. I don't know if
> the utility has been released under RedHat or whether you could just use the
> Debian code...
>
> Tim
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Esparza, Dan
> Sent: 08 October 2001 18:38
> To: [EMAIL PROTECTED]
> Subject: How do I run Apache on port 80 using 2.4.x kernel?
>
>
> I see that the FAQ (at http://www.fubra.com/vsdfaq/ ) says that ...
>
> "...incidentally upgrading to kernel 2.4 potentially removes the problem
> anyway because process capabilities would allow Apache to be started
> with only sufficient privilege to allocate port < 1024, without being
> given all the other root privileges."
>
> But it doesn't explain how to do this.
>
> I'm running RedHat 7.1 and for various reasons I don't want to use
> iptables, so FreeVSD is currently using the redirection code provided
> with FreeVSD. I'd like to run Apache (for each of the VS's) on port 80
> -- like is suggested above -- but I'm not sure how to do this.
>
> Can someone point me in the right direction?
>
> What modifications will I need to make to rc.vsd, rc.conf, httpd.conf,
> or other files to remove the redirection and run on port 80 on each of
> the VS's?
>
> Thanks,
> Dan
>
> ------------------------- The freeVSD Support List --------------------------
> Subscribe: mailto:[EMAIL PROTECTED]?body=subscribe%20freevsd-support
> Unsubscribe: mailto:[EMAIL PROTECTED]?body=unsubscribe%20freevsd-support
> Archives: http://freevsd.org/support/mail-archives/freevsd-support
> -----------------------------------------------------------------------------
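As an added illustration of the capability approach the thread is about (this is not code from the thread, nor from freeVSD, authbind, bindd or LIDS): a small Linux C program that reads its own effective capability set through the raw capget(2) syscall and then attempts to bind port 80 on the loopback address. Running it as the service user shows, before any real daemon is started, whether that user holds CAP_NET_BIND_SERVICE alone rather than full root privilege. The port, the loopback address and all function names are my choices; the program assumes a Linux host with the kernel capability headers installed and needs no libcap.

```c
/* Added example (not from the thread): report whether this process holds
 * CAP_NET_BIND_SERVICE and whether it may bind a port below 1024.
 * Linux only; uses the raw capget(2) syscall, so libcap is not required. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* Return 1 if capability number `cap` (0..31) is set in `mask`, else 0. */
int cap_in_mask(uint32_t mask, int cap)
{
    if (cap < 0 || cap > 31)
        return 0;
    return (int)((mask >> cap) & 1u);
}

/* Fetch the low 32 bits of the calling thread's effective capability set.
 * Returns 0 on success, -errno on failure. */
int effective_caps_low32(uint32_t *out)
{
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct data[2];   /* V3 format uses two words */

    memset(&hdr, 0, sizeof hdr);
    memset(data, 0, sizeof data);
    hdr.version = _LINUX_CAPABILITY_VERSION_3;
    hdr.pid = 0;                             /* 0 = calling thread */
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -errno;
    *out = data[0].effective;                /* CAP_NET_BIND_SERVICE (10) is in word 0 */
    return 0;
}

/* 1 if the process may bind privileged ports via the capability, else 0. */
int has_cap_net_bind_service(void)
{
    uint32_t eff = 0;
    if (effective_caps_low32(&eff) != 0)
        return 0;
    return cap_in_mask(eff, CAP_NET_BIND_SERVICE);
}

/* Try to bind a TCP socket on 127.0.0.1:port, then close it again.
 * Returns 0 on success, -errno on failure (-EACCES = privileged port refused). */
int try_bind(uint16_t port)
{
    struct sockaddr_in sa;
    int rc = 0;
    int fd = socket(AF_INET, SOCK_STREAM, 0);

    if (fd < 0)
        return -errno;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0)
        rc = -errno;
    close(fd);
    return rc;
}

/* Human-readable verdict for a try_bind() result. */
const char *explain_bind(int rc)
{
    if (rc == 0)
        return "bound OK";
    if (rc == -EACCES)
        return "refused: needs CAP_NET_BIND_SERVICE (or a helper such as authbind)";
    if (rc == -EADDRINUSE)
        return "port already in use (privilege check passed)";
    return "failed for another reason";
}

int main(void)
{
    uint16_t port = 80;                      /* the port the thread is about */
    int rc = try_bind(port);

    printf("uid=%u euid=%u\n", (unsigned)getuid(), (unsigned)geteuid());
    printf("CAP_NET_BIND_SERVICE effective: %s\n",
           has_cap_net_bind_service() ? "yes" : "no");
    printf("bind 127.0.0.1:%u -> %s (%s)\n", (unsigned)port,
           explain_bind(rc), rc ? strerror(-rc) : "ok");
    return 0;
}
```

Run it once as the unprivileged service account: on a stock kernel the bind is refused with EACCES and the capability line reads "no". On kernels with file capabilities (a feature newer than the 2.4 series discussed above), granting only that one capability to the binary with `setcap cap_net_bind_service=+ep ./bindcheck` and re-running should flip the capability line to "yes" and let the bind succeed while uid and euid stay non-zero, which is exactly the least-privilege outcome the FAQ quote in the thread is aiming at.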
