On 10/5/07, Chris Custine <[EMAIL PROTECTED]> wrote:
>
> Hi Markus,
> You have a couple of options and which one to use depends on what level of
> security you want. If you are OK with running the server as root, then you
> simply change the RUN_AS_USER variable in the /etc/init.d/apacheds
> script. After looking at your question I realized that this is not easily
> changed on a per instance basis so I have added an issue to Jira to make
> this more flexible in a future release. If you change it here, all
> instances will run as the same userid.
>
> https://issues.apache.org/jira/browse/DIRSERVER-1084
>
> The second option is to use iptables to route the ports. This is by far
> more secure since you can still run the server on any port as an
> unprivileged user and receive requests on port 389. Here are the full
> iptables commands to test from the command line (you may have to change the
> eth0 interface name). The second command is only necessary if you have
> clients running locally that you want to redirect on localhost, the first
> one handles the public interface.
>
> iptables -t nat -A PREROUTING -p tcp --dport 389 -i eth0 -j REDIRECT --to-port 10389
> iptables -t nat -A OUTPUT -p tcp -d 127.0.0.1 --dport 389 -j REDIRECT --to-port 10389
>
> I hope this helps, and let us know if you have any issues with this. This
> would make a good FAQ item so I will try to add this to some docs.
>
I like this tactic here. Is there some way to give a non-root user the ability to bind to ports below 1024 on UNIX? I looked for this once before but never found a way.

Alex
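The two REDIRECT rules from Chris's reply, wrapped in a small POSIX shell script as an added example (this is not code from the thread or from the ApacheDS project). It parameterises the interface and the two ports (defaults match the thread: eth0, 389, 10389), builds the rule specs in a pure function so they can be inspected before anything is applied, and uses `iptables -t nat -C` before `-A` so re-running it does not stack duplicate rules. It assumes an iptables with the nat table and the REDIRECT target, and must run as root to change the table.

```shell
#!/bin/sh
# Added example: idempotent wrapper around the PREROUTING/OUTPUT REDIRECT rules
# that forward privileged port 389 to the unprivileged port the server binds.
# Assumes iptables with the nat table and REDIRECT target; applying needs root.

# Print the nat-table rule specs, one per line, for an interface, a privileged
# public port and the high port the daemon actually listens on. Pure function:
# no iptables call, so the output can be reviewed before it is applied.
build_rules() {
    iface=$1; pub_port=$2; high_port=$3
    printf '%s\n' \
      "PREROUTING -p tcp --dport $pub_port -i $iface -j REDIRECT --to-port $high_port" \
      "OUTPUT -p tcp -d 127.0.0.1 --dport $pub_port -j REDIRECT --to-port $high_port"
}

# Append a rule only if it is not already present: -C checks for an identical
# rule and returns non-zero when missing, -A then appends it.
ensure_rule() {
    # word-splitting of the rule spec into arguments is intended here
    if iptables -t nat -C $1 2>/dev/null; then
        echo "present: $1"
    else
        iptables -t nat -A $1 && echo "added:   $1"
    fi
}

# Apply both rules, then show the resulting state of the two chains touched.
apply_redirects() {
    iface=${1:-eth0}; pub_port=${2:-389}; high_port=${3:-10389}
    if [ "$(id -u)" -ne 0 ]; then
        echo "must run as root to edit the nat table" >&2
        return 1
    fi
    build_rules "$iface" "$pub_port" "$high_port" | while IFS= read -r rule; do
        ensure_rule "$rule"
    done
    iptables -t nat -S PREROUTING
    iptables -t nat -S OUTPUT
}

# Usage: ./redirect-389.sh --apply [iface] [public_port] [high_port]
# e.g.   ./redirect-389.sh --apply eth0 389 10389
if [ "${1:-}" = "--apply" ]; then
    shift
    apply_redirects "$@"
fi
```

Two points worth keeping in mind when using this: nat rules added this way are not persistent across a reboot unless saved by the distribution's iptables tooling, and the redirect does not stop clients from reaching the high port directly, so the daemon's real listening port should be filtered in the INPUT chain if only port 389 is meant to be exposed.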
