Running as non-root user in UNIX environments
Solaris 10 and above systems
If you are running under Solaris 10 or above, you may run as a non-root user using the provided example SMF script. See the following topic for details.
Auto-starting in Solaris 10 environments
Solaris 9 and Linux/UNIX systems
The simplest method for installing and running MFT Gateway is to do so as the root user. However, in some UNIX-based environments you may want or need to run MFT Gateway as a user other than root. Should you decide to go this route, there are certain issues to consider when installing and configuring MFT Gateway.
Filesystem permissions
When running MFT Gateway as a non-root system user, ensure that this user is granted full access (ownership with read, write and, for directories, execute permission) to the MFT Gateway installation directory and all of its sub-directories.
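The following script is an added example and is not part of the MFT Gateway documentation. It audits an installation tree for entries that are not owned by the intended service account, or that the owner cannot read and write (and, for directories, traverse), and repairs them with chown/chmod. The directory and user names are placeholders; changing ownership to another account requires root.

```shell
#!/bin/sh
# Added example (not MFT Gateway's own tooling): audit and repair the
# ownership and permission bits of an installation directory for the
# non-root account that will run the service.

# audit_install_dir DIR USER
# Prints one line per problem ("owner <path>" or "mode <path>") and returns
# 1 if anything was reported, 0 if USER owns every entry and has read/write
# (plus execute on directories) on all of them. Returns 2 for an unknown user.
audit_install_dir() {
  dir=$1 user=$2
  id -u "$user" >/dev/null 2>&1 || { echo "unknown user: $user" >&2; return 2; }
  findings=$(
    # entries owned by somebody else
    find "$dir" ! -user "$user" -print | sed 's/^/owner /'
    # entries USER owns but cannot fully use: dirs need rwx, files need rw
    find "$dir" -user "$user" -type d ! -perm -700 -print | sed 's/^/mode /'
    find "$dir" -user "$user" -type f ! -perm -600 -print | sed 's/^/mode /'
  )
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}

# count_findings DIR USER -> number of audit lines (0 when the tree is clean)
count_findings() {
  audit_install_dir "$1" "$2" | grep -c . || true
}

# fix_install_dir DIR USER
# Give USER the whole tree and grant owner read/write, adding execute only on
# directories and on files that are already executable (chmod's X). Group and
# other bits are left as they are.
fix_install_dir() {
  chown -R "$2" "$1" && chmod -R u+rwX "$1"
}

# Typical use (placeholders): audit first, fix, then audit again.
#   audit_install_dir /opt/mftgateway mftgw || fix_install_dir /opt/mftgateway mftgw
#   audit_install_dir /opt/mftgateway mftgw
```

Run the audit after every upgrade or restore as well, since files copied in as root are the usual way a previously working non-root installation stops being writable.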
Port redirection
As a general rule, UNIX-based (Linux, Solaris, Mac OS X) programs that bind to ports less than 1024 must be run as the root user. For example, the standard port for FTP is port 21, so MFT Gateway would have to run as root in order to bind and listen on this port for incoming requests. One way around this restriction is to have your server run on ports > 1024. For example, you might set your reverse proxy FTP service to run on port 2121 instead of port 21 so that MFT Gateway can run as a non-root user. There may, however, be cases where you want to run MFT Gateway as a non-root user while also using ports less than 1024. The two methods available are port redirection using xinetd and port redirection using iptables, which are discussed below.
Port redirection using xinetd
The xinetd Internet service daemon is installed on most UNIX-based systems and offers a port redirection feature. Using it you could, for example, redirect incoming requests on port 21 to port 2121, allowing you to run your reverse proxy FTP service as a non-root user on port 2121 while still accepting requests that arrive on port 21. To set up xinetd to perform this redirection, go to your /etc/xinetd.d directory and, as the root user, create a new service configuration file named mftgateway with the contents displayed below.
# Redirects any requests on port 21
# to port 2121 (where MFT Gateway is listening)
service mftgateway
{
    # mftgateway is not listed in /etc/services, so declare it UNLISTED
    type        = UNLISTED
    socket_type = stream
    protocol    = tcp
    user        = root
    wait        = no
    port        = 21
    redirect    = localhost 2121
    disable     = no
}
Next you will need to restart the xinetd service to load this service. On most UNIX based systems this can be done by issuing the following command.
/sbin/service xinetd restart
You will now be able to accept requests on port 21, which are then redirected to your listening port of 2121. Because xinetd proxies the connection, MFT Gateway sees the client address as localhost rather than the original client. By leaving the mftgateway service configuration file in the /etc/xinetd.d directory, this redirection will automatically take place whenever you restart your system.
Port redirection using iptables
A solution available on systems running Linux kernel 2.4 and above is to use iptables. iptables offers the same approach as xinetd but with less process overhead, since the redirection is performed inside the kernel rather than by a separate process. To see if iptables is running on your system, run the following command as the root user.
/sbin/service iptables status
If it is running, you will see a list of tables displayed on the console.
Using our original example, create a new redirection rule that redirects incoming requests on port 21 to port 2121 by issuing the following command as the root user.
/sbin/iptables -t nat -A PREROUTING -j REDIRECT -p tcp --destination-port 21:21 --to-ports 2121
This rule takes effect immediately but is lost when you restart your system. To ensure that this rule is used after a system restart, save it by issuing the following command as the root user.
/sbin/service iptables save
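The following script is an added example, not part of the MFT Gateway documentation, and covers both redirection methods above. It validates that the port pair is the right way round (a privileged port below 1024 fronting an unprivileged listener), renders the xinetd service file, and prints the iptables rule. Unlike the xinetd approach, the iptables REDIRECT preserves the client's source address, but the nat PREROUTING chain only sees packets arriving from the network; a connection made from the gateway host itself needs the equivalent rule in the nat OUTPUT chain, which the script prints separately. The service name, ports and output directory are placeholders; writing into /etc/xinetd.d and loading iptables rules require root.

```shell
#!/bin/sh
# Added example (not MFT Gateway's own tooling): generate the xinetd and
# iptables port-redirection configurations from a (privileged, unprivileged)
# port pair after sanity-checking the pair.

# is_port N: 0 if N is an integer in 1..65535
is_port() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# check_port_pair LOW HIGH: LOW must be privileged (<1024, needs root to
# bind); HIGH unprivileged (>=1024), where the non-root listener sits.
check_port_pair() {
  is_port "$1" && is_port "$2" || return 1
  [ "$1" -lt 1024 ] && [ "$2" -ge 1024 ]
}

# render_xinetd_service NAME LOW HIGH: print the /etc/xinetd.d stanza.
# xinetd binds LOW as root and proxies each connection to localhost:HIGH,
# so the service on HIGH sees 127.0.0.1 as the client address.
render_xinetd_service() {
  check_port_pair "$2" "$3" || { echo "bad port pair: $2 $3" >&2; return 1; }
  cat <<EOF
# Redirects any requests on port $2
# to port $3 (where $1 is listening)
service $1
{
    type = UNLISTED
    socket_type = stream
    protocol = tcp
    user = root
    wait = no
    port = $2
    redirect = localhost $3
    disable = no
}
EOF
}

# install_xinetd_service NAME LOW HIGH [DIR]: write the stanza into DIR
# (default /etc/xinetd.d) as file NAME; afterwards restart xinetd.
install_xinetd_service() {
  dir=${4:-/etc/xinetd.d}
  render_xinetd_service "$1" "$2" "$3" > "$dir/$1" || { rm -f "$dir/$1"; return 1; }
  chmod 644 "$dir/$1"
}

# iptables_redirect_rule LOW HIGH: the nat rule for traffic arriving from
# the network (same form as the documentation's command). The client's
# source address is preserved.
iptables_redirect_rule() {
  check_port_pair "$1" "$2" || return 1
  printf '/sbin/iptables -t nat -A PREROUTING -p tcp --destination-port %s -j REDIRECT --to-ports %s\n' "$1" "$2"
}

# iptables_local_redirect_rule LOW HIGH: locally generated packets do not
# traverse PREROUTING, so testing from the gateway host itself needs this
# additional rule in the nat OUTPUT chain for the loopback interface.
iptables_local_redirect_rule() {
  check_port_pair "$1" "$2" || return 1
  printf '/sbin/iptables -t nat -A OUTPUT -o lo -p tcp --destination-port %s -j REDIRECT --to-ports %s\n' "$1" "$2"
}

# Typical use (placeholders): pick one method, then verify from another host.
#   install_xinetd_service mftgateway 21 2121 && /sbin/service xinetd restart
#   iptables_redirect_rule 21 2121 | sh && /sbin/service iptables save
```

After either method is in place, confirm that nothing running as the gateway user is bound to port 21 and that the gateway's own listener is on 2121; the privileged port should belong to xinetd or to no process at all when iptables is used.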
See also
Auto-starting in Linux and Solaris 9 environments
Auto-starting in Solaris 10 environments