Details
- Type: Improvement
- Status: Open
- Priority: Minor
- Resolution: Unresolved
- Affects Version/s: 6.1.11
- Fix Version/s: None
- Component/s: None
- Labels: None
- Environment: Solaris 10
- Patch Submitted: Yes
- Number of attachments:
Description
Solaris 10 has a feature that enables better service management when running on privileged ports (80 and 443) with non-root credentials.
- This improvement enables a non-root user to bind to privileged ports (80 and 443).
- Note that there is no need to use the setuid that Jetty provides.
- If the process dies for some unknown reason, the SMF facility restarts it.
- Also, this improvement includes an SMF script to enable native Solaris management using the svcadm and svcs utilities.
There are 2 patches.
1. jetty.sh.diff is self-explanatory
2. jetty.xml is the SMF file
- More information about SMF
http://www.sun.com/bigadmin/content/selfheal/sdev_intro.jsp
http://www.sun.com/bigadmin/features/articles/smf_example.jsp
http://trac.lighttpd.net/trac/wiki/LighttpdOnSolaris
http://blogs.sun.com/bobn/entry/securing_mysql_using_smf_the
http://www.sun.com/blueprints/0605/819-2887.pdf
- More SMF files
http://www.blastwave.org/smf/manifests.php
http://opensolaris.org/os/community/smf/manifests/
Instructions
1. As root, copy jetty.xml to /var/svc/manifest/network/
2. Set the non-root user that starts the Jetty server, and modify the Jetty path as well
    vi +55 /var/svc/manifest/network/jetty.xml
3. Import the SMF service
    svccfg -v import /var/svc/manifest/network/jetty.xml
4. Validate
    svccfg validate /var/svc/manifest/network/jetty.xml
5. Start
    svcadm enable svc:/network/http:jetty
6. Stop
    svcadm disable svc:/network/http:jetty
7. Check state
    svcs -a | grep jett
    online 17:41:56 svc:/network/http:jetty
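The kind of manifest steps 1 and 2 refer to, as an added example and not the jetty.xml attached to this issue. The user and group `jetty`, the path `/opt/jetty` and the timeouts are assumed placeholders; the privilege set mirrors the `basic,net_privaddr` set used with usermod on this page.

```xml
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<!-- Added example: FMRI resolves to svc:/network/http:jetty -->
<service_bundle type='manifest' name='jetty'>
  <service name='network/http' type='service' version='1'>
    <instance name='jetty' enabled='false'>

      <!-- Do not start until networking and local filesystems are up -->
      <dependency name='network' grouping='require_all'
                  restart_on='error' type='service'>
        <service_fmri value='svc:/milestone/network:default'/>
      </dependency>
      <dependency name='filesystem' grouping='require_all'
                  restart_on='error' type='service'>
        <service_fmri value='svc:/system/filesystem/local:default'/>
      </dependency>

      <!-- Start as a non-root user (assumed: jetty). net_privaddr is the
           only privilege added to the basic set, so the JVM can bind to
           80/443 without ever holding full root privileges. -->
      <exec_method type='method' name='start'
                   exec='/opt/jetty/bin/jetty.sh start'
                   timeout_seconds='60'>
        <method_context>
          <method_credential user='jetty' group='jetty'
                             privileges='basic,net_privaddr'/>
        </method_context>
      </exec_method>

      <!-- Stopping needs no extra privilege; run it as the same user -->
      <exec_method type='method' name='stop'
                   exec='/opt/jetty/bin/jetty.sh stop'
                   timeout_seconds='60'>
        <method_context>
          <method_credential user='jetty' group='jetty'/>
        </method_context>
      </exec_method>

    </instance>
  </service>
</service_bundle>
```

Once the service is online, `ppriv <pid>` on the Jetty process shows whether its effective set is limited to the basic privileges plus net_privaddr.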
Enable a non-root user to bind to privileged ports (this is only useful if starting/stopping Jetty by using jetty.sh)
    usermod -K defaultpriv=basic,net_privaddr USERNAME
where USERNAME is the desired username.
This has been working with:
- Solaris 10
- JDK 6u7
- Jetty 6.11