> I am using sbcl, so I could use sb-posix:setuid after starting hunchentoot and gaining port 80, removing root-privileges.
(sb-posix::define-call "initgroups" int minusp (user c-string) (group sb-posix::gid-t))
(sb-posix::define-call "prctl" int minusp (option int) (arg int))

;; PR_SET_KEEPCAPS is 8 in <linux/prctl.h>; with it set, the permitted
;; capability set survives the uid change below instead of being cleared.
(defconstant +PR_SET_KEEPCAPS+ 8)
(sb-posix:prctl +PR_SET_KEEPCAPS+ 1)

;; name, uid and gid are assumed bound to the unprivileged account's user
;; name, uid and gid. The gid and supplementary groups are changed first:
;; once the uid is no longer 0, the gid can no longer be changed.
(sb-posix:setresgid gid gid gid)
(sb-posix:initgroups name gid)
(sb-posix:setresuid uid uid uid)

(load-shared-object (find-if #'probe-file '("/lib/libcap.so.2" "/lib/libcap.so")))
(sb-posix::define-call "cap_from_text" (* char) null-alien (text c-string))
(sb-posix::define-call "cap_set_proc" int minusp (cap_p (* char)))
(sb-posix::define-call "cap_free" int minusp (cap_p (* char)))

;; Reduce the permitted and effective sets to CAP_NET_BIND_SERVICE only,
;; which is all that binding port 80 as a non-root process needs.
(let ((cap_p (sb-posix:cap-from-text "CAP_NET_BIND_SERVICE=ep")))
  (sb-posix:cap-set-proc cap_p)
  (sb-posix:cap-free cap_p))

(hunchentoot:start (make-instance 'hunchentoot:acceptor :port 80))
I use this code to run http://lisper.ru/. It requires libcap2. Tested on Debian and Gentoo.
Full script:
http://github.com/archimag/rulisp/blob/devel/rulisp-daemon.lisp
http://lisper.ru/apps/format/15

Andrey
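A post-condition check for the privilege drop discussed in this thread, added here as an example (it is not code from the list or from rulisp). It assumes a Linux /proc/<pid>/status and uses constructed sample excerpts; it reports whether every uid/gid slot has left root and whether the permitted and effective capability sets are down to CAP_NET_BIND_SERVICE.

```python
# Post-condition check for the privilege drop above: parse Uid/Gid/Cap* lines
# from a Linux /proc/<pid>/status text and confirm that no uid/gid slot is root
# and that only CAP_NET_BIND_SERVICE remains permitted and effective.
CAP_NET_BIND_SERVICE = 10  # bit index from <linux/capability.h>

# Constructed /proc/<pid>/status excerpts (not captured from a real server).
# Uid/Gid columns are real, effective, saved and filesystem ids.
STATUS_ROOT = "Uid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\nCapPrm:\t0000003fffffffff\nCapEff:\t0000003fffffffff\n"
STATUS_DROPPED = "Uid:\t1000\t1000\t1000\t1000\nGid:\t1000\t1000\t1000\t1000\nCapPrm:\t0000000000000400\nCapEff:\t0000000000000400\n"
# seteuid() instead of setresuid(): the saved uid is still 0, so setuid(0) would succeed
STATUS_SAVED_ROOT = "Uid:\t1000\t1000\t0\t1000\nGid:\t1000\t1000\t1000\t1000\nCapPrm:\t0000000000000400\nCapEff:\t0000000000000400\n"

def parse_status(text):
    """Extract Uid/Gid tuples and Cap* bitmasks from a status text."""
    fields = {}
    for line in text.splitlines():
        key, _, rest = line.partition(":")
        if key in ("Uid", "Gid"):
            fields[key] = tuple(int(v) for v in rest.split())
        elif key.startswith("Cap"):
            fields[key] = int(rest.strip(), 16)
    return fields

def cap_bits(mask):
    """Capability bit indices set in a Cap* mask."""
    return {i for i in range(64) if mask >> i & 1}

def check_dropped(text, allowed=frozenset({CAP_NET_BIND_SERVICE})):
    """Return a list of problems; an empty list means the drop looks complete."""
    st = parse_status(text)
    problems = []
    for key in ("Uid", "Gid"):
        ids = st.get(key)
        if ids is None or len(ids) != 4:
            problems.append(f"{key} line missing or malformed")
        elif 0 in ids:
            problems.append(f"{key} still holds root in some slot: {ids}")
        elif len(set(ids)) != 1:
            problems.append(f"{key} slots differ, identity could be switched back: {ids}")
    for key in ("CapPrm", "CapEff"):
        extra = cap_bits(st.get(key, 0)) - allowed
        if extra:
            problems.append(f"{key} keeps capabilities beyond the allowed set: bits {sorted(extra)}")
    return problems

def check_self():
    """Run the check against the calling process (Linux only)."""
    with open("/proc/self/status") as f:
        return check_dropped(f.read())
```

Calling check_self() in the image right after the cap_set_proc call, or running check_dropped over the daemon's /proc/<pid>/status, should return an empty list; a saved uid of 0 or a wide CapPrm is reported as a problem.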
2009/10/16 Christoph Senjak <christoph.senjak@googlemail.com>:
> Hello.
>
> As I am really annoyed by the confusing configuration "possibilities" of Apache, and as lighttpd doesn't support what I want to do in its stable release, I want to run hunchentoot in the first place. However, there are two problems:
>
> At first, I cannot run a user-mode process listening on port 80. I am using SBCL, so I could use sb-posix:setuid after starting hunchentoot and gaining port 80, removing root privileges. Or I could forward port 80 to port 8000 via firewall policies.
>
> I would prefer the first possibility. The question is whether there is anything militating against starting hunchentoot as root and then using setuid, i.e. any security issues that could result from it, anything that maybe won't work, etc.
>
> Another thing is the question whether there is some proxy or pass-through module for hunchentoot. I still have some PHP pages I want to host (even though I will use lighttpd rather than Apache for this), and would therefore need to pass them to another server in the background.
>
> Regards, Christoph Senjak
tbnl-devel site list
tbnl-devel@common-lisp.net
http://common-lisp.net/mailman/listinfo/tbnl-devel