Running as non-root user in Linux/UNIX environments

Running as non-root on Solaris 10 and above

If you are running Solaris 10 or above, you can run as non-root using the provided example SMF script. See the following topic for details:

Auto-start in Solaris 10 environments

Running as non-root on Solaris 9 and Linux/UNIX

Running MFT Server as a non-root user (see Creating a non-root user, below) is a best practice: it limits what an attacker can do if the server process is compromised. When running as a non-root user, there are some things to consider when installing and configuring MFT Server. They are described below.

File system permissions

When running MFT Server as a non-root user, ensure that:

  • The non-root user has user- or group-level permissions granting full access to the virtual directories (see Defining virtual paths) that you define for your MFT Server users.

  • The non-root user owns the installation directory. Example command, where /opt/mft_server is the default installation directory and jscape is the non-root user name:

    sudo chown -R jscape:jscape /opt/mft_server

  • The non-root user is granted full rights to the MFT Server installation directory. Example command (mode 700 gives the owner read, write and execute access and removes all access for group and others):

    sudo chmod -R 700 /opt/mft_server

  • The non-root user is granted full access to the logging directory, the user datastore directory and all supporting files within these directories.

Port redirection

As a general rule, on UNIX-based systems (Linux, Solaris, Mac OS X) a program that binds to a port below 1024 must run as the root user. For example, the standard port for FTP is 21, so binding to and listening on this port for incoming requests requires that MFT Server run as root.

One workaround, when running as a non-root user, is to use ports above 1024. For example, you can set your FTP service to run on port 2121 instead of port 21.

Alternatively, you may still want to run MFT Server as a non-root user while using ports below 1024. Two methods are available for managing port redirection: using systemd/firewalld/nftables, or using xinetd (typically used when systemd is not running in your environment).

Port redirection using systemd/firewalld/nftables

To see whether nftables is running on your system, execute the command below.

sudo systemctl status nftables

If the nftables rules have been loaded successfully, you will often see a status of active (exited). This means the service unit ran, loaded the rules and then exited, which is normal for nftables.

Below are the commands used for forwarding ports. Note: --permanent means the change persists across reboots.

# Redirect FTP (port 21 → 2121)
sudo firewall-cmd --permanent --add-forward-port=port=21:proto=tcp:toport=2121

# Redirect FTPS (port 990 → 2122)
sudo firewall-cmd --permanent --add-forward-port=port=990:proto=tcp:toport=2122

# Apply changes
sudo firewall-cmd --reload

The reload command applies the permanent firewall configuration that was set using --permanent, without disrupting existing connections. After running it, the new port forwarding rules are active.
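The following script is an added example (not part of the MFT Server documentation or product) that checks the conditions set out in the File system permissions section and the firewalld commands above: the installation directory is owned by the non-root user and has mode 700, the service port is one a non-root process can bind, and a forward rule such as 21 → 2121 is present in the output of firewall-cmd --list-forward-ports. It assumes the page's defaults (/opt/mft_server, user jscape, ports 21/2121) and GNU coreutils and findutils.

```shell
#!/bin/sh
# Post-install checks for a non-root MFT Server deployment. Added example, not
# part of the MFT Server documentation: the path, user name and port numbers
# are the defaults used on this page; GNU stat -c and find -quit are assumed.

# check_owner DIR USER: succeed only if DIR and everything below it is owned
# by USER, i.e. the "chown -R jscape:jscape" step was applied completely.
check_owner() {
    dir=$1; user=$2
    [ -d "$dir" ] || return 1
    # An unknown user name must fail, not pass because find printed nothing.
    id -u "$user" >/dev/null 2>&1 || return 1
    [ -z "$(find "$dir" ! -user "$user" -print -quit)" ]
}

# check_mode DIR MODE: the directory's octal mode must equal MODE (e.g. 700),
# so that group and other users have no access to the installation tree.
check_mode() {
    have=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$have" = "$2" ]
}

# port_is_unprivileged PORT: true when a non-root process may bind PORT
# (1024-65535); ports below 1024 need root or a redirect rule.
port_is_unprivileged() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# has_forward_port LIST FROM TO: LIST is the text printed by
# "firewall-cmd --list-forward-ports"; succeed if a tcp rule FROM -> TO exists.
# The (:|$) guard stops toport=2121 from matching a rule for toport=21210.
has_forward_port() {
    printf '%s\n' "$1" | grep -Eq "^port=$2:proto=tcp:toport=$3(:|\$)"
}

# Usage on a real host (run as root after installation):
# check_owner /opt/mft_server jscape && check_mode /opt/mft_server 700 \
#   && port_is_unprivileged 2121 \
#   && has_forward_port "$(firewall-cmd --list-forward-ports)" 21 2121 \
#   && echo "non-root deployment checks passed"
```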

 

Port redirection using xinetd

This option is suggested if you are not running systemd on your Unix/Linux system. The xinetd Internet service daemon includes a port redirection feature. Using it, you can (for example) redirect incoming requests on port 21 to port 2121. This lets you run your FTP service as a non-root user on port 2121 while still accepting requests that arrive on port 21. To perform this redirection using xinetd, go to your /etc/xinetd.d directory and, as the root user, create a new service configuration file named jscape with the contents shown below.

# Redirects any requests on port 21
# to port 2121 (where MFT Server is listening).
# type = UNLISTED is required because "jscape" is not listed in /etc/services.
# user = root lets xinetd bind the privileged port 21; MFT Server itself
# keeps running as the non-root user on port 2121.
service jscape
{
    type        = UNLISTED
    socket_type = stream
    protocol    = tcp
    user        = root
    wait        = no
    port        = 21
    redirect    = localhost 2121
    disable     = no
}

Next, restart the xinetd service to load the new configuration. On most UNIX-based systems, this is done with the following command.

/sbin/service xinetd restart

You can now accept requests on port 21; they are redirected to your listening port 2121. Because the jscape service configuration file is stored in the /etc/xinetd.d directory, this redirection takes place automatically when the system is restarted.

Creating a non-root user

Create a dedicated non-root user as follows:

sudo useradd -m -d /opt/mft_server -s /bin/bash jscape

-m: Creates the home directory (/opt/mft_server).
-d /opt/mft_server: Specifies the home directory.
-s /bin/bash: Sets Bash as the default shell.

jscape is the account name (you can name it something different, if desired).

Set a password for the user:

sudo passwd jscape

Ensure the system is up to date (the command below is for yum-based distributions such as RHEL and CentOS; use your distribution's package manager otherwise):

sudo yum update -y