On Dec 2, 2008, at 23:04, Alexandre Bergel wrote:
Yes, I read that. But is there any conceptual implication to have
the port 80 accessible only by root?
This looks to be very arbitrary, no?
I don't think so. The lower port numbers are used for common services
like http or mail for which always the same ports are used by
convention. You wouldn't want to allow potentially hijacked
processes to be able to bind to such ports (e.g., pretending to be
your mail server).
Adrian
Alexandre
On 2 Dec 2008, at 18:59, Janko Mivšek wrote:
Alexandre Bergel wrote:
Unix blocks port 1 - 1024 for non root users. Running a Smalltalk
image as root is obviously a very bad idea, especially when used for
web services. Smalltalk is full of security holes (for example Object
class>>#readFrom: uses the compiler) that would allow a smart person
to gain root rights. It is always a good idea to run anything that is
publicly reachable in some sort of a sandbox, even if this is just by
using a non-privileged user.
Hi Lukas,
I read the thread you mentioned. Isn't it feasible to make the
port 80 accessible for a non-root process?
This is probably hardcoded in the kernel, but since this problem
has been around for years in most communities, but not to fix this
in the kernel?
Just a very naive question :-)
From a recent thread on squeak-dev you can see that we actually came
to the solution of how to run on port 80 without being root. And the
solution is as Apache is doing: starting with root then dropping
the privilege level to the normal user.
[squeak-dev] smalltalk and Web stuff
http://www.nabble.com/-squeak-dev--smalltalk-and-Web-stuff-td20643881.html
Best regards
Janko
--
Janko Mivšek
AIDA/Web
Smalltalk Web Application Server
http://www.aidaweb.si
_______________________________________________
Pharo-project mailing list
[email protected]
http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project
--
_,.;:~^~:;._,.;:~^~:;._,.;:~^~:;._,.;:~^~:;._,.;:
Alexandre Bergel http://www.bergel.eu
^~:;._,.;:~^~:;._,.;:~^~:;._,.;:~^~:;._,.;:~^~:;.