I'm using ht with debian sbcl / clc.
Currently the s-bit is set to start sbcl as root, for using port 80. But when I set the uid back to <user> I got problems with clc, as the fasl files had a different (root) owner. Even a brute-force chmod 0777 of the fasls had no success. The clc stops with "security... more than one user has write access".
Now I start hunchentoot with 8080 and use iptables to map port 80 to 8080.
How do you solve this problem? A nice thing would be to setuid to root, access port 80 and setuid back, but here I failed :-(.
Helmut
PS: <off topic but perhaps useful> Currently sbcl is broken under debian sid amd64; you have to downgrade libc6 (libc6-i386 libc6-dev libc6-dev-i386) back to version 2.7-8 (snapshot.debian.org)
If I remember correctly, there are problems with IP ports < 1024 and a user other than root.
kiuma
On Tue, Mar 18, 2008 at 5:50 PM, Dr. Helmut G. Enders <helmut@cybernetic-systems.de> wrote:
tbnl-devel site list tbnl-devel@common-lisp.net http://common-lisp.net/mailman/listinfo/tbnl-devel
On Mar 18, 2008, at 1:50 PM, Dr. Helmut G. Enders wrote:
I'm using ht with debian sbcl / clc.
Currently the s-bit is set to start sbcl as root, for using port 80.
One approach to this problem is to write a very small C program that:
- listens on the port
- records the listener's file descriptor into an environment variable(s)
- execs a command given its remaining arguments.
Combined with other tools found in daemontools you can then drop rights, switch users, etc. and finally invoke the actual Lisp process. This plays well with jails etc.
The C program is easier to write, at least easier than the bit that converts the file handle into something useful for your Lisp process.
- ben
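A minimal version of the helper sketched above, added here as an example; it is not code from the Hunchentoot project or from anyone on this thread. The program name (listenfd) and the environment variable name (LISTEN_FD) are assumptions chosen for the example. The socket is created without close-on-exec on purpose, since the whole point is that the descriptor number survives the exec into the unprivileged child.

```c
/* listenfd.c: bind a (possibly privileged) TCP port, hand the listening
 * socket to the child through the environment, then exec the rest of the
 * command line. Example code, not from Hunchentoot or any poster on this
 * thread; LISTEN_FD is an assumed variable name.
 *
 * Usage (run as root, or with CAP_NET_BIND_SERVICE on Linux):
 *   ./listenfd 80 setuidgid helmut /usr/bin/sbcl --load server.lisp
 */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define LISTEN_ENV "LISTEN_FD"   /* assumed name for this example */

/* Create a TCP listener bound to addr:port. Returns the fd, or -1 on error. */
int bind_listener(const char *addr, int port)
{
    struct sockaddr_in sa;
    int fd, one = 1;

    if (port < 0 || port > 65535)
        return -1;
    /* Deliberately no SOCK_CLOEXEC: the fd must survive execvp() below. */
    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    /* Allow a restarted server to rebind while old connections sit in TIME_WAIT. */
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);

    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons((uint16_t)port);
    if (inet_pton(AF_INET, addr, &sa.sin_addr) != 1 ||
        bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 ||
        listen(fd, SOMAXCONN) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Port the listener actually got (useful when port 0 was requested).
 * Returns -1 if fd is not a bound socket. */
int bound_port(int fd)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;

    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0)
        return -1;
    return ntohs(sa.sin_port);
}

/* Record the descriptor number in the environment for the exec'd child.
 * Returns 0 on success, -1 on failure. */
int publish_listener_fd(int fd)
{
    char buf[16];

    if (fd < 0)
        return -1;
    snprintf(buf, sizeof buf, "%d", fd);
    return setenv(LISTEN_ENV, buf, 1);
}

int main(int argc, char **argv)
{
    int fd;

    if (argc < 3) {
        fprintf(stderr, "usage: %s PORT COMMAND [ARGS...]\n", argv[0]);
        return 2;
    }
    fd = bind_listener("0.0.0.0", atoi(argv[1]));
    if (fd < 0) {
        perror("bind_listener");
        return 1;
    }
    if (publish_listener_fd(fd) < 0) {
        perror("setenv");
        return 1;
    }
    /* Only the bind needed root. Whatever follows on the command line
     * (e.g. daemontools' setuidgid) drops privileges before Lisp starts;
     * the already-open listener comes along for free. */
    execvp(argv[2], argv + 2);
    perror("execvp");
    return 127;
}
```

Chained as `listenfd 80 setuidgid helmut sbcl ...`, root never reaches the Lisp image, and the fasl ownership problem from the original post does not arise because sbcl itself runs as the intended user. Two caveats a practitioner would want: the inherited descriptor is visible to everything the Lisp process later execs too, so the child should set FD_CLOEXEC on it once it has taken it over; and, as Ben notes, the harder part is on the Lisp side, where the number read from the environment (sb-ext:posix-getenv on SBCL) still has to be wrapped into a socket object the server will accept.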
Thanks, but in the meantime (google..google) I found privbind.
I chmod u+s /usr/bin/privbind and add
(setq inferior-lisp-program "/usr/bin/privbind -u helmut -g helmut /usr/bin/sbcl")
to my .emacs
and add screen -t Hunchentoot emacs -f slime to my .screenrc
and add (require 'hunchentoot) (hunchentoot:start-server :port 80 :address <ip of eth0:1>) to my .sbclrc
:-) and add sudo -H -u helmut screen -d -m to my /etc/init.d/screens
.... even after a reboot I log in (or ssh to the server), do a screen -r .... and am happy.
(Now my server has many eth0:x's with many hunchentoolies, listening all on port 80 :-)
Helmut