perlbal daemon runas user


Greg Denton

Oct 13, 2008, 4:31:16 PM
to per...@googlegroups.com
This is kind of a newbie question: is there any way to run as a user
other than root? I think there is a permissions problem listening on
port 443 if not started as root.

Thanks.

Martin Atkins

Oct 13, 2008, 5:02:48 PM
to per...@googlegroups.com

It sounds like what you're asking for is for Perlbal to start as root
and then switch to another user, similarly to what Apache does.

The problem is that, unlike Apache, Perlbal runs in a single process, so
if it switched to another user after startup it would become impossible
to use management commands to dynamically change the listening ports at
runtime. However, I guess rebinding listen ports at runtime isn't done
that frequently. It'd presumably be possible to write a plugin to add a
new management command to change userid at runtime if someone was so
inclined.

For now, if your goal is to get Perlbal listening on port 443 while
having it not run as root, one option would be to use something like
netfilter or maybe xinetd to forward stuff on port 443 to a Perlbal
running on the loopback interface on a high port number.


Greg Denton

Oct 13, 2008, 5:18:16 PM
to per...@googlegroups.com
Martin, Thanks for the reply. Guess I need to think about it some more
before changing my setup. I assumed running as root would introduce
"unacceptable" (for some definition thereof) security risks, is this
not the case?

Mark Smith

Oct 13, 2008, 5:26:41 PM
to per...@googlegroups.com
> Martin, Thanks for the reply. Guess I need to think about it some more
> before changing my setup. I assumed running as root would introduce
> "unacceptable" (for some definition thereof) security risks, is this
> not the case?

Only you can define what is or is not 'acceptable risk'. Many people
run Perlbal in production environments as root and don't have any
problems. However, if your requirements are more stringent, then this
may of course be a problem for you.

At any rate, Perlbal runs as root and is not currently able to drop
privileges. We talked about it some but never got around to
implementing it. A patch would definitely be accepted.


--
Mark Smith / xb95
smi...@gmail.com
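
The bind-then-drop pattern discussed in the messages above, as an added example that is not part of the thread and is not Perlbal code: a single-process Perl listener binds port 443 as root and then permanently gives up root before accepting clients. The account name "perlbal" and the sub name drop_privileges are assumptions made for the illustration.

```perl
#!/usr/bin/perl
# Added example, not Perlbal code: bind a privileged port as root, then
# permanently drop to an unprivileged account before handling any traffic.
use strict;
use warnings;
use IO::Socket::INET;
use POSIX ();

my $RUN_AS = 'perlbal';   # assumption: this unprivileged account exists
my $PORT   = 443;

sub drop_privileges {
    my ($user) = @_;
    my (undef, undef, $uid, $gid) = getpwnam($user)
        or die "unknown user '$user'\n";
    die "'$user' has uid or gid 0, nothing would be dropped\n"
        if $uid == 0 || $gid == 0;

    # Groups first: once the uid is gone we can no longer change them.
    $) = "$gid $gid";   # effective gid, and setgroups() down to $gid only
    defined POSIX::setgid($gid) or die "setgid($gid) failed: $!\n";
    defined POSIX::setuid($uid) or die "setuid($uid) failed: $!\n";

    # Verify the drop is complete and cannot be undone.
    die "uid not fully dropped\n" unless $< == $uid && $> == $uid;
    die "gid not fully dropped\n" unless $( == $gid && $) == $gid;
    die "supplementary groups remain: $)\n"
        if grep { $_ != $gid } split ' ', $);
    die "root could be regained\n" if defined POSIX::setuid(0);
}

# 1. Privileged step: only root can bind a port below 1024.
my $listener = IO::Socket::INET->new(
    LocalPort => $PORT, Listen => 128, ReuseAddr => 1, Proto => 'tcp',
) or die "cannot bind port $PORT: $@\n";

# 2. Drop root before reading a single byte from any client.
drop_privileges($RUN_AS);

# 3. Serve as the unprivileged user (plain-text reply, demo only). A later
#    attempt to bind another low port now fails, which is the runtime
#    rebinding trade-off raised earlier in the thread.
while (my $client = $listener->accept) {
    print {$client} "HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n\r\n",
                    "served by uid $>\n";
    close $client;
}
```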

Greg

Nov 13, 2008, 6:51:00 PM
to perlbal

Maybe setting up a chroot environment would mitigate some risk?

Ask Bjørn Hansen

Nov 26, 2008, 5:03:58 PM
to perlbal
Just make your load balancer or firewall rules (on the server itself)
forward port 443 to port 8443 (or whatever).

- ask

--
http://develooper.com/