Hi
Yesterday I tried to run hunchentoot on port 80 for the first time, but I get a "Permission Denied" error when hunchentoot tries to bind to port 80. Between the #ubuntu and #lisp guys we established that nothing else was running on port 80 and that I was indeed running as root.
Everybody agreed that it must be that permissions get dropped somewhere along the line. Searching the web regarding dropped permissions got me nowhere. So I was wondering if anybody else got this configuration to work on port 80 and could share their experience with me please.
I have a clean Ubuntu server, no apache or anything installed. I have an init.d script that starts up a screen session which runs swank and start up stuff to load hunchentoot etc., i.e. swank-daemon from clwiki.
Regards Phil
Yesterday I tried to run hunchentoot on port 80 for the first time, but I get a "Permission Denied" error when hunchentoot tries to bind to port 80.
sudo setcap CAP_NET_BIND_SERVICE=ep /usr/bin/sbcl
Andrey
tbnl-devel site list tbnl-devel@common-lisp.net http://common-lisp.net/mailman/listinfo/tbnl-devel
Thank you but setcap gives me an "operation not permitted"...but that got me to stumble onto authbind and iptables, hopefully one of those will solve my problems.
Regards Phil
Ports below 1024 are reserved for root. You can use one by starting your process as root, listening on the port (starting Hunchentoot), and then using (setuid UID) and (setgid GID) to set the user and group ID to a non-root (you'll have to define SETUID and GETUID with a foreign function package, and you can find the UID and GID for a login in /etc/passwd). Or you could run your process as root, but that tends to be dangerous.
Most people use a reverse proxy instead. Apache supports that, via mod_proxy. Squid has a reverse proxy. And there's Pound, amongst others. See http://en.wikipedia.org/wiki/Reverse_proxy
-Bill
port 80 is reserved for user root
On Fri, Jun 19, 2009 at 12:30:09PM +0200, Andrea Chiumenti wrote:
port 80 is reserved for user root
I am not the OP but I would like to remind everyone that he said, in the second sentence of his first email:
Between the #ubuntu and #lisp guys we established that nothing else was running on port 80 and that I was indeed running as root.
-- L
So I was wondering if anybody else got this configuration to work on port 80 and could share their experience with me please.
http://lisper.ru/apps/format/15 - this script starts sbcl-daemon (pure lisp, without GNU Screen, detachtty, etc.), which runs hunchentoot on port 80 after the rejection of root privileges. Requires libcap2. Tested on Gentoo and Debian.
Andrey
On Sep 18, 2009, at 1:39 PM, Andrey Moskvitin wrote:
So I was wondering if anybody else got this configuration to work on port 80 and could share their experience with me please.
http://lisper.ru/apps/format/15 - this script starts sbcl-daemon (pure lisp, without GNU Screen, detachtty and etc.), which runs hunchentoot on port 80 after the rejection of root privileges. Required libcap2. Tested on Gentoo and Debian.
Another alternative is to use iptables to route requests for port 80 to another port (8080, in my configuration). Here's my /etc/sysconfig/iptables:

# Generated by iptables-save v1.3.5
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to :8080
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [190:23308]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 4005 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 4242 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
Regards,
Patrick