This looks to be very arbitrary, no?
I don't think so. The lower port numbers are used for common
services like http or mail, for which the same ports are always used
by convention. You wouldn't want to allow potentially hijacked
processes to be able to bind to such ports (e.g., pretending to be
your mail server).
But we could imagine that the root password is necessary to open the
port. Now, the root password is necessary to give all permissions to
the process, whereas only opening port 80 once is necessary.
I am sure a better design could be done. Capabilities maybe...
Alexandre
On 2 Dec 2008, at 18:59, Janko Mivšek wrote:
Alexandre Bergel wrote:
Unix blocks ports 1 - 1024 for non-root users. Running a Smalltalk
image as root is obviously a very bad idea, especially when used for
web services. Smalltalk is full of security holes (for example Object
class>>#readFrom: uses the compiler) that would allow a smart person
to gain root rights. It is always a good idea to run anything that is
publicly reachable in some sort of a sandbox, even if this is just by
using a non-privileged user.
Hi Lukas,
I read the thread you mentioned. Isn't it feasible to make
port 80 accessible for a non-root process?
This is probably hardcoded in the kernel, but since this problem
has been around for years in most communities, why not fix
this in the kernel?
Just a very naive question :-)
From a recent thread on squeak-dev you can see that we actually came
to the solution of how to run on port 80 without being root. And the
solution is what Apache does: starting as root, then dropping
the privilege level to the normal user.
[squeak-dev] smalltalk and Web stuff
http://www.nabble.com/-squeak-dev--smalltalk-and-Web-stuff-td20643881.html
Best regards
Janko
--
Janko Mivšek
AIDA/Web
Smalltalk Web Application Server
http://www.aidaweb.si
_______________________________________________
Pharo-project mailing list
[email protected]
http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project
--
_,.;:~^~:;._,.;:~^~:;._,.;:~^~:;._,.;:~^~:;._,.;:
Alexandre Bergel http://www.bergel.eu
^~:;._,.;:~^~:;._,.;:~^~:;._,.;:~^~:;._,.;:~^~:;.
_______________________________________________
Pharo-project mailing list
[email protected]
http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project
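The "start as root, then drop privileges" pattern the thread settles on, as an added example written for this page (not the list's, Apache's or Pharo's code): the process binds port 80 while still root, switches irreversibly to an unprivileged uid/gid, and only then handles network input. The uid/gid come from the command line; port 80 and the reply text are constructed sample values.

```c
/* Added example (not the list's or Pharo's code): bind the privileged port
 * as root, then drop to an unprivileged uid/gid before touching any input.
 * The uid/gid come from argv; port 80 and the reply text are sample values. */
#include <arpa/inet.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <unistd.h>

/* Listen on 127.0.0.1:port (port 0 lets the kernel pick a free port). Only a
 * port below 1024 needs root (or CAP_NET_BIND_SERVICE on Linux). */
int bind_listen(unsigned short port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0), on = 1;
    if (fd < 0) return -1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof on);
    struct sockaddr_in a = {0};
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    a.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&a, sizeof a) < 0 || listen(fd, 16) < 0) {
        close(fd); return -1;
    }
    return fd;
}

/* Irreversibly switch to uid/gid. Groups and gid go first: after setuid()
 * we no longer have the right to change them. Refuses root as a target and
 * verifies the drop by checking that setuid(0) now fails. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (uid == 0 || gid == 0) return -1;
    if (geteuid() == 0 && setgroups(0, NULL) < 0) return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0) return -1;
    if (setuid(0) != -1) return -1;            /* still root: refuse to run */
    return (getuid() == uid && geteuid() == uid) ? 0 : -1;
}

int main(int argc, char **argv) {
    static const char reply[] = "HTTP/1.0 200 OK\r\n\r\nok\n";
    if (argc != 3) { fprintf(stderr, "usage: %s uid gid\n", argv[0]); return 2; }
    int fd = bind_listen(80);                  /* still root here */
    if (fd < 0) { perror("bind port 80"); return 1; }
    if (drop_privileges((uid_t)atoi(argv[1]), (gid_t)atoi(argv[2])) < 0) {
        fputs("drop_privileges failed, not serving\n", stderr); return 1;
    }
    /* From here on, untrusted requests are handled as an ordinary user. */
    int c = accept(fd, NULL, NULL);
    if (c >= 0) { if (write(c, reply, sizeof reply - 1) < 0) perror("write"); close(c); }
    return 0;
}
```

The listening socket survives the uid change because file descriptors carry no uid check once opened; that is exactly why the bind must happen before the drop and everything that parses client data after it.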