> I am using sbcl, so I could use sb-posix:setuid after starting hunchentoot
> and gaining port 80, removing root-privileges.

;; Declare the two libc entry points that sb-posix does not wrap itself.
(sb-posix::define-call "initgroups" int minusp (user c-string) (group sb-posix::gid-t))
(sb-posix::define-call "prctl" int minusp (option int) (arg int))

;; PR_SET_KEEPCAPS is 8 in <linux/prctl.h>; the snippet used the constant without defining it.
(defconstant +PR_SET_KEEPCAPS+ 8)

;; Keep the permitted capability set across the uid change (without this it is cleared).
(sb-posix:prctl +PR_SET_KEEPCAPS+ 1)

;; name, uid and gid must already be bound to the unprivileged target account.
;; Drop the group first: once the uid changes there is no effective CAP_SETGID left to do it.
(sb-posix:setresgid gid gid gid)
(sb-posix:initgroups name gid)
(sb-posix:setresuid uid uid uid)

(sb-alien:load-shared-object (find-if #'probe-file
                                      '("/lib/libcap.so.2" "/lib/libcap.so")))

(sb-posix::define-call "cap_from_text" (* char) null-alien (text c-string))
(sb-posix::define-call "cap_set_proc" int minusp (cap_p (* char)))
(sb-posix::define-call "cap_free" int minusp (cap_p (* char)))

;; The uid change cleared the effective set; re-raise only CAP_NET_BIND_SERVICE.
(let ((cap_p (sb-posix:cap-from-text "CAP_NET_BIND_SERVICE=ep")))
  (sb-posix:cap-set-proc cap_p)
  (sb-posix:cap-free cap_p))

;; The process is now unprivileged but can still bind port 80.
(hunchentoot:start (make-instance 'hunchentoot:acceptor :port 80))

I use this code to run http://lisper.ru/. It requires libcap2. Tested on Debian and Gentoo.

Full script: http://github.com/archimag/rulisp/blob/devel/rulisp-daemon.lisp

Andrey
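The same privilege drop written in C against the raw Linux calls, plus a check over a /proc/<pid>/status text that the drop actually took effect (non-root, effective set exactly CAP_NET_BIND_SERVICE). This is an added example, not Andrey's or rulisp's code; it assumes Linux (the capset syscall and <linux/capability.h>) and, like the snippet above, that name/uid/gid describe the target account.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <linux/capability.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#define NET_BIND_MASK (1u << CAP_NET_BIND_SERVICE)   /* bit 10 = 0x400 */

/* Same order as the SBCL snippet, via raw syscalls (no libcap needed):
 * keep permitted caps across the uid change, drop root, then narrow the
 * capability sets to CAP_NET_BIND_SERVICE only. Returns 0 on success,
 * -1 on the first failing step (abort then; never fall through and bind as root). */
int drop_root_keep_net_bind(const char *name, uid_t uid, gid_t gid)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);
    data[0].permitted = data[0].effective = NET_BIND_MASK; /* inheritable stays 0 */

    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0) return -1;
    if (setresgid(gid, gid, gid) < 0) return -1;   /* group first: needs CAP_SETGID */
    if (initgroups(name, gid) < 0) return -1;      /* drop root's supplementary groups */
    if (setresuid(uid, uid, uid) < 0) return -1;   /* effective set is cleared here */
    if (syscall(SYS_capset, &hdr, data) < 0) return -1;
    return (int) prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0);
}

/* Check a /proc/<pid>/status text: returns 1 only when real and effective uid
 * are non-zero and the effective capability set is exactly NET_BIND_MASK. */
int privileges_dropped(const char *status)
{
    const char *u = strstr(status, "Uid:"), *c = strstr(status, "CapEff:");
    long ruid, euid;
    if (!u || !c || sscanf(u, "Uid: %ld %ld", &ruid, &euid) != 2) return 0;
    unsigned long long eff = strtoull(c + 7, NULL, 16);
    return ruid != 0 && euid != 0 && eff == NET_BIND_MASK;
}
```

Read /proc/self/status into a buffer and pass it to privileges_dropped() right before the server binds; a 0 there means the drop was incomplete (still root, or more capabilities than the one port-80 needs).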

2009/10/16 Christoph Senjak <christoph.senjak@googlemail.com>
Hello.

As I am really annoyed by the confusing configuration-"possibilities"
of apache, and as lighttpd doesn't support what I want to do in its
stable release, I want to run hunchentoot in the first place. However,
there are two problems:

First, I cannot run a user-mode process listening on port 80. I am
using sbcl, so I could use sb-posix:setuid after starting hunchentoot
and gaining port 80, removing root-privileges. Or I could forward port
80 to port 8000 via firewall policies.

I would prefer the first possibility. The question is whether there is
anything militating against starting hunchentoot as root and then
using setuid, i.e. any security issues that could result from it,
anything that maybe won't work, etc.

Another thing is the question whether there is some proxy- or
passthrough-module for hunchentoot. I still have some php-pages I want
to host (even though I will use lighttpd rather than apache for this),
and would therefore need to pass them to another server in the
background.

Regards,
Christoph Senjak

_______________________________________________
tbnl-devel site list
tbnl-devel@common-lisp.net
http://common-lisp.net/mailman/listinfo/tbnl-devel