added support/docs for authbind/privbind

git-svn-id: https://erlyaws.svn.sourceforge.net/svnroot/erlyaws/trunk/yaws@1303 9fbdc01b-0d2c-0410-bfb7-fb27d70d8b52
commit d468e0db4ecaf02a282f8c1cb673228897ec262f 1 parent 572162c
@klacke authored
21 src/yaws.erl
@@ -37,7 +37,7 @@
eat_crnl/2, get_chunk_num/2, get_chunk/4,
list_to_uue/1, uue_to_list/1, printversion/0,
strip_spaces/1, strip_spaces/2,
- month/1, mk2/1,
+ month/1, mk2/1, home/0,
arg_rewrite/1, to_lowerchar/1, to_lower/1, funreverse/2, is_prefix/2,
split_sep/2, accepts_gzip/2, upto_char/2, deepmap/2,
ticker/2, ticker/3]).
@@ -2099,16 +2099,19 @@ tmpdir() ->
PathTEMP
end;
_ ->
- %% This feature is useable together with
- %% privbind and authbind on linux
- case os:getenv("YAWSHOME") of
- false ->
- filename:join([os:getenv("HOME"), ".yaws"]);
- DIR ->
- filename:join([DIR, ".yaws"])
- end
+ filename:join([home(), ".yaws"])
end.
+%% This feature is useable together with
+%% privbind and authbind on linux
+
+home() ->
+ case os:getenv("YAWSHOME") of
+ false ->
+ os:getenv("HOME");
+ DIR ->
+ DIR
+ end.
id_dir(Id) ->
filename:join([tmpdir(), "yaws", to_list(Id)]).
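Review bot: The new home/0 hands back YAWSHOME exactly as found in the environment, with no check that the directory exists, is owned by the running user or is not writable by others, and its value becomes tmpdir()/.yaws, which the accompanying doc page describes as the place Yaws writes its compiled files; the same page demonstrates `YAWSHOME=/tmp/abc`, a path any local user could pre-create and populate before Yaws starts. A second gap is the fallback: when neither variable is set os:getenv returns `false`, and filename:join/1 presumably accepts the atom, so tmpdir() would quietly yield a relative "false/.yaws" instead of failing. I would at least replace the comment above home/0 with `%% home/0 returns YAWSHOME (or HOME) unchecked; callers use it as the root of the compiled-code cache, so point it at a directory owned by the Yaws user, never a shared /tmp path.` and add `-spec home() -> string() | false.` since the function is now exported (this also fixes the "useable" spelling). tmpdir/0 begins before this hunk, so only its tail is visible here.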
2  src/yaws_config.erl
@@ -34,7 +34,7 @@ paths() ->
{ok, "0"} -> %% root
[yaws_generated:etcdir() ++ "/yaws.conf"];
_ -> %% developer
- [filename:join([os:getenv("HOME"), "yaws.conf"]),
+ [filename:join([yaws:home(), "yaws.conf"]),
"./yaws.conf",
yaws_generated:etcdir() ++ "/yaws.conf"]
end.
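Review bot: Putting `filename:join([yaws:home(), "yaws.conf"])` first in the developer search list means a yaws.conf inside YAWSHOME now wins over ./yaws.conf and the etcdir default whenever no `-c` is given, so a YAWSHOME aimed at a shared or world-writable directory lets someone else supply the server configuration; that trust assumption is not stated anywhere in the hunk. yaws:home/0 can also return `false` when neither YAWSHOME nor HOME is set, which would turn the first candidate into the relative path "false/yaws.conf" rather than being skipped. A one-line comment on the new line would help the next reader: `%% YAWSHOME (if set) overrides HOME here too; it must be a directory only the Yaws user can write, or the config can be planted.` paths/0 starts above this hunk, so only its developer branch is visible.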
1  www/TAB.inc
@@ -55,6 +55,7 @@ PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
<div class="%%soap_intro%%"> <a href="/soap_intro.yaws">SOAP with Yaws</a></div>
<div class="%%yapp_intro%%"> <a href="/yapp_intro.yaws">Yaws applications</a></div>
<div class="%%cgi%%"> <a href="/cgi.yaws">CGI</a></div>
+<div class="%%privbind%%"> <a href="/privbind.yaws">Binding to priviliged ports</a></div>
<h4> Misc </h4>
<div class="%%internals%%"> <a href="/internals.yaws">Internals</a> </div>
148 www/privbind.yaws
@@ -0,0 +1,148 @@
+
+<erl>
+out(A) ->
+ {ssi, "TAB.inc", "%%",[{"privbind", "choosen"}]}.
+</erl>
+
+
+<div id="entry">
+
+<h1>Binding to priviliged ports</h1>
+
+<p>
+ A common misfeature found on UN*X operating systems is the
+ restriction that only root can bind to ports below 1024.
+ Many a dollar has been wasted on workarounds and -often- the results are
+ security holes.
+
+</p>
+<p>
+ Both FreeBSD and Solaris have elegant configuration options to
+ turn this feature off. On FreeBSD:
+
+<div class="box">
+ <verbatim>
+ $ sysctl net.inet.ip.portrange.reservedhigh=0
+ </verbatim>
+</div>
+
+the above is best added to your /etc/sysctl.conf
+</p>
+<p>
+ Similarly on Solaris we can just configure away this misfeature.
+ Assuming we want to run Yaws/SSL under a non-root user "erlang" on
+ ports 80/443.
+</p>
+<p>
+ On Solaris we can do that easily by granting the specific right to bind
+ privileged ports <1024 (and only that) to "erlang" using:
+</p>
+
+<div class="box">
+ <verbatim>
+$ /usr/sbin/usermod -K defaultpriv=basic,net_privaddr erlang
+ </verbatim>
+</div>
+
+<p>
+And check the we get what we want through:
+</p>
+
+
+<div class="box">
+ <verbatim>
+$ grep erlang /etc/user_attr
+erlang::::type=normal;defaultpriv=basic,net_privaddr
+
+ </verbatim>
+</div>
+
+
+<p>
+ Linux doesn't have anything like the above. There are a couple
+ of options on Linux. The best is to use an auxiliary program
+ like authbind <em>http://packages.debian.org/stable/authbind</em>
+ or privbind <em>http://sourceforge.net/projects/privbind/</em>
+</p>
+<p>
+ These programs are run by root. Yaws writes its temporary
+ JIT compiled files in $HOME/.yaws and this doesn't work that
+ well with authbind/privbind. A non root user will try to
+ write in /root/.yaws. The solution to this is to set the
+ environment variable YAWSHOME. Yaws will then consider that to
+ be HOME rather that $HOME.
+</p>
+<p>
+ To start yaws under e.g authbind we can do:
+</p>
+
+
+<div class="box">
+ <verbatim>
+$ sudo YAWSHOME=/tmp/abc privbind -u klacke /home/klacke/bin/yaws \
+ -c /home/klacke/yaws.conf -i
+
+ </verbatim>
+</div>
+
+<p>
+ The above command starts yaws as user <em>klacke</em> and bind
+ to ports below 1024
+</p>
+
+<p>
+ Yet another option is to is to install fdsrv which is a standalone
+ program that has the suid bit set, binds priviliged ports and passes
+ the filedescriptor to yaws. I have made a package out of the jungerl
+ code that can be easily installed just through the usual cycle of
+ make && make install The code is at
+</p>
+<pre>
+http://yaws.hyber.org/download/fd_server-2.3.0.tgz
+</pre>
+<p>
+ One major drawback with fdsrv is that it doesn't work for SSL. With
+ the case of SSL, one possible solution is to put ssltunnel in
+ front of yaws and let yaws bind to 127.0.0.1
+</p>
+<p>
+ All in all the fdsrv option is much worse that the authbind option.
+</p>
+
+<p>
+
+Yet another (more complicated way) for linux users is to hack the kernel.
+Here is a patch I did for some version of the 2.6 series kernels .. you get the idea.
+</p>
+
+
+<verbatim>
+[root@lax]ipv4 > diff -c af_inet.c*
+*** af_inet.c Wed Feb 23 23:31:35 2005
+--- af_inet.c~ Thu Feb 17 18:13:13 2005
+***************
+*** 423,434 ****
+
+ snum = ntohs(addr->sin_port);
+ err = -EACCES;
+- #if 0
+- /* removed by klacke */
+ if (snum && snum < PROT_SOCK && !capable(CAP_NET_BIND_SERVICE))
+ goto out;
+- #endif
+-
+
+ /* We keep a pair of addresses. rcv_saddr is the one
+ * used by hash lookups, and saddr is used for transmit.
+--- 423,430 ----
+</verbatim>
+
+
+
+
+
+<erl>
+out(A) -> {ssi, "END2",[],[]}.
+</erl>
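Review bot: Both `<erl>` blocks bind the argument without using it (`out(A) ->` at the top and bottom of the page), which makes the compiler emit an unused-variable warning every time Yaws compiles this page; `out(_A) ->` (or `out(_) ->`) silences it without changing behaviour. The worked example runs with `YAWSHOME=/tmp/abc`, and the page itself says this directory is where Yaws writes its compiled files, so the example should use a directory owned by the service user and state that a pre-existing or shared /tmp path must not be used. The kernel-patch alternative removes the CAP_NET_BIND_SERVICE test for every process on the host, unlike the per-user Solaris privilege shown earlier, and a sentence saying so would keep readers from treating the two as equivalent. "priviliged" is misspelled in the heading and in the new TAB.inc link text.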
+
+