Hello
Other Java server software does exactly that.
Except from weblogic.properties:
--------------------------------
# UNIX only: If running on port 80 on UNIX, enable the setUID program
#weblogic.system.enableSetUID=false
# UNIX only: Unprivileged user to setUID to after starting up
# WebLogic Server on port 80
#weblogic.system.nonPrivUser=nobody
--------------------------------
To accomplish this, a tiny shared library is supplied for Linux, Solaris,
HPUX and Irix which provides a JNI interface to setuid. The documentation
recommends that you set up a special user to own all files and run the
process (although you start it as root of course).
I don't see any reason why Orion shouldn't come with a similar JNI
solution - it's super easy to code, and essential for a secure server. The
only thing that will change (unfortunately) is that somewhere an
administrator will have to specifiy a path to the shared library,
according to their operating system when they set up Orion.
As a dirty nasty hack to solve your problem in the meantime Elias, you
could make a 'plugin' in the form of a load-at-startup servlet which calls
a setuid shared library (10 lines of C) in its init() method (and
configure the relevant security settings).
My 10 cents.
Thomas Munro
Software Engineer
Grey Interactive Paris
On Thu, 13 Apr 2000, Elias Martensson wrote:
> On Sat, 8 Apr 2000 [EMAIL PROTECTED] wrote:
>
> > While it is true that all services running on UNIX and requiring a bind on
> > ports below 1024 must start as root, it isn't accurate to say that all of
> > them run as root. All of the servers that we run on our production servers
> > provide us with a way to switch the user id once the service has grabbed
> > the privileged port. We don't run any servers that accept connections from
> > the Internet and process requests running as root. This is going to be a
> > major problem for most hosting providers.
>
> I'm perfectly aware of this. The problem is not in Orion though, but in
> Java. Java does not allow any way of changing user ID's, becuase user ID's
> is a Unix concept that doesnt fit very well in the platform independent
> metaphor.
>
> The solution would be JNI, but I highly suspect that the Orion don't want
> to implement such a hack. I think they want to stay with pure Java. Hence
> my suggestion of allowing some for of plugin so that a third-party can
> implement this feature. I need it too.
