Running as non-root user in Linux/UNIX environments

Solaris 10 and above systems


If you are running Solaris 10 or above, you can run MFT Server as a non-root user by means of the provided example SMF script. See the following topic for details.


Auto-start in Solaris 10 environments


Solaris 9 and Linux/UNIX systems


The simplest way to install and run MFT Server is as the root user. However, in some UNIX-based environments you may want or need to run MFT Server as a user other than root. Should you decide to go this route, there are certain issues to consider when installing and configuring MFT Server.


Filesystem permissions


When running MFT Server as a non-root system user, ensure the user has user or group level permissions granting them full access to the virtual directories that you define for your MFT Server users. Additionally, this user should be granted full access to the MFT Server installation directory, logging directory, user datastore directory and all supporting files within these directories.
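
The following pre-flight script is an added example, not part of the MFT Server documentation or product. It checks, with the same owner/group/other precedence the kernel applies, whether a given service account has read, write and execute permission on each directory the paragraph above lists. The account name passed on the command line and the paths in MFT_DIRS are placeholders to replace with your own; the script relies only on POSIX find(1) and id(1), so it works on Linux and Solaris alike.

```shell
#!/bin/sh
# Added example: verify that a non-root service account can fully access the
# directories MFT Server needs. Paths below are placeholders (assumed layout).
MFT_DIRS="/opt/mftserver /opt/mftserver/logs /opt/mftserver/users /srv/ftp/data"

# matches DIR TEST...: true when DIR itself satisfies the given find(1) tests.
# -prune stops find from descending into the directory.
matches() {
    dir="$1"; shift
    [ -n "$(find "$dir" -prune "$@" -print 2>/dev/null)" ]
}

# user_has_rwx USER DIR: apply the kernel's precedence (owner bits if USER
# owns DIR, else group bits if USER belongs to DIR's group, else other bits)
# and return 0 only when r, w and x are all granted through that class.
# Returns 2 when DIR is not a directory.
user_has_rwx() {
    user="$1"; dir="$2"
    [ -d "$dir" ] || return 2
    if matches "$dir" -user "$user"; then
        matches "$dir" -perm -u+rwx
        return
    fi
    for g in $(id -Gn "$user" 2>/dev/null); do
        if matches "$dir" -group "$g"; then
            matches "$dir" -perm -g+rwx
            return
        fi
    done
    matches "$dir" -perm -o+rwx
}

# check_all USER DIR...: print one line per directory and return the number
# of directories USER cannot fully access (0 means everything is in order).
check_all() {
    user="$1"; shift
    failures=0
    for d in "$@"; do
        if user_has_rwx "$user" "$d"; then
            echo "ok       $d"
        else
            echo "MISSING  $d  (needs rwx for $user)"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Usage: sh check_mft_perms.sh mftuser   (account name is a placeholder)
if [ -n "$1" ]; then
    check_all "$1" $MFT_DIRS
fi
```

Run it as any user once the service account and directories exist; a non-zero exit status lists the directories whose ownership or mode still needs adjusting with chown or chmod.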


Port redirection


As a general rule, on UNIX-based systems (Linux, Solaris, Mac OS X) a program that binds to a port below 1024 must run as the root user. For example, the standard port for FTP is 21, so binding and listening on that port for incoming requests requires running MFT Server as root.


One workaround is to use ports above 1024. For example, you can set your FTP service to run on port 2121 instead of port 21.


Alternatively, you may still want to run MFT Server as a non-root user while accepting connections on ports below 1024. Two methods are available for managing this port redirection: using systemd/firewalld/nftables, or using xinetd (typically used when systemd is not running in your environment).


Port redirection using systemd/firewalld/nftables


To see if nftables is running on your system, execute the command below.


sudo systemctl status nftables


If nftables rules have been successfully loaded, you will often see a status like active (exited). This means the service unit ran, loaded the rules, and then exited, which is normal for nftables.


Below are the commands used for forwarding ports. Note: --permanent stores the rule in the permanent configuration, so the change persists across reboots.


# Redirect FTP (port 21 → 2121)
sudo firewall-cmd --permanent --add-forward-port=port=21:proto=tcp:toport=2121

# Redirect FTPS (port 990 → 2122)
sudo firewall-cmd --permanent --add-forward-port=port=990:proto=tcp:toport=2122

# Apply changes
sudo firewall-cmd --reload


This command applies the permanent firewall configuration that has been set using --permanent. It does this without disrupting existing connections. After running this command, the new port forwarding rules are active.
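
The script below is an added example, not part of the MFT Server documentation, for confirming that a redirection such as the one above is complete: the forward rule must be present in the firewall and something must actually be listening on the target port, otherwise connections to port 21 are forwarded to nothing. It assumes the rule format printed by firewall-cmd --list-forward-ports (one rule per line, e.g. port=21:proto=tcp:toport=2121:toaddr=) and the column layout of ss -Hltn (local address in the fourth column); the pure check functions take that text as input so they can be exercised without root.

```shell
#!/bin/sh
# Added example: verify a firewalld forward from a privileged port to the
# unprivileged port a non-root MFT Server listens on.

# has_forward RULES FROM TO: RULES is the text of `firewall-cmd
# --list-forward-ports` (assumed format, one rule per line). True when a tcp
# rule forwarding FROM to TO on this host (empty toaddr) is present.
has_forward() {
    printf '%s\n' "$1" | grep -Eq "^port=$2:proto=tcp:toport=$3(:toaddr=)?\$"
}

# is_listening SOCKETS PORT: SOCKETS is the text of `ss -Hltn` (one listening
# tcp socket per line, local address:port in column 4, IPv6 shown as
# [::]:port). True when some socket is bound to PORT on any address.
is_listening() {
    printf '%s\n' "$1" | awk -v p="$2" \
        '{ n = split($4, a, ":"); if (a[n] == p) found = 1 }
         END { exit found ? 0 : 1 }'
}

# verify_redirect RULES SOCKETS FROM TO: run both checks and say which one
# failed. Returns 0 only when the redirection is usable end to end.
verify_redirect() {
    rules="$1"; socks="$2"; from="$3"; to="$4"
    status=0
    if has_forward "$rules" "$from" "$to"; then
        echo "ok   firewall forwards tcp/$from -> $to"
    else
        echo "FAIL no forward rule for tcp/$from -> $to (add it with --add-forward-port, then --reload)"
        status=1
    fi
    if is_listening "$socks" "$to"; then
        echo "ok   a process is listening on tcp/$to"
    else
        echo "FAIL nothing listens on tcp/$to; forwarded connections would be refused"
        status=1
    fi
    if is_listening "$socks" "$from"; then
        echo "WARN a process still listens on tcp/$from; it is normally unused once redirected"
    fi
    return "$status"
}

# Live run against this host (needs firewall-cmd and ss, and sudo rights for
# the firewall query). Ports follow the page's FTP example.
# Usage: sh verify_redirect.sh --live
if [ "$1" = "--live" ]; then
    verify_redirect "$(sudo -n firewall-cmd --list-forward-ports)" "$(ss -Hltn)" 21 2121
fi
```

The FTPS pair from the page is checked the same way by passing 990 2122 instead of 21 2121.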


Port redirection using xinetd


This option is suggested if you are not running systemd on your UNIX/Linux system. The xinetd Internet service daemon includes a feature that allows for port redirection. Using it, you can (for example) redirect incoming requests on port 21 to port 2121. This lets you run your FTP service as a non-root user on port 2121 while still accepting requests that arrive on port 21. To set up this redirection, go to your /etc/xinetd.d directory and, as the root user, create a new service configuration file named jscape with the contents shown below.


# Redirects any requests on port 21
# to port 2121 (where MFT Server is listening)
service jscape
{
    socket_type = stream
    protocol    = tcp
    user        = root
    wait        = no
    port        = 21
    redirect    = localhost 2121
    disable     = no
}


Next, restart the xinetd service so that it loads the new configuration. On most UNIX-based systems, this is done by issuing the following command.


/sbin/service xinetd restart


You can now accept requests on port 21; they are redirected to your listening port 2121. Because the jscape service configuration file is stored in the /etc/xinetd.d directory, this redirection is set up automatically whenever the system is restarted.
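
The script below is an added example, not part of the MFT Server documentation or product. It generates the xinetd service definition shown above for any service name and port pair, and refuses pairs that do not make sense for this setup: the redirected port must be privileged (below 1024, which is why the stanza runs as root) and the target must be an unprivileged port the non-root MFT Server can bind on its own. The defaults and the /etc/xinetd.d location follow the page; the script name is a placeholder.

```shell
#!/bin/sh
# Added example: render and install an xinetd redirect stanza after checking
# the port pair. Usage (as root): sh xinetd_redirect.sh jscape 21 2121

# is_port N: true when N is an integer in the range 1..65535.
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# check_redirect FROM TO: reject pairs where the redirect is pointless
# (FROM not privileged), impossible for a non-root listener (TO privileged)
# or circular (FROM equals TO). Reasons go to stderr.
check_redirect() {
    is_port "$1" && is_port "$2" || { echo "ports must be 1-65535" >&2; return 1; }
    [ "$1" -lt 1024 ] || { echo "port $1 is not privileged; bind it directly instead" >&2; return 1; }
    [ "$2" -ge 1024 ] || { echo "port $2 is privileged; a non-root server cannot bind it" >&2; return 1; }
    [ "$1" -ne "$2" ] || { echo "source and target port are the same" >&2; return 1; }
}

# render_stanza NAME FROM TO: print the service definition in xinetd syntax,
# matching the jscape example on this page.
render_stanza() {
    check_redirect "$2" "$3" || return 1
    cat <<EOF
# Redirects any requests on port $2
# to port $3 (where MFT Server is listening)
service $1
{
    socket_type = stream
    protocol    = tcp
    user        = root
    wait        = no
    port        = $2
    redirect    = localhost $3
    disable     = no
}
EOF
}

# install_stanza NAME FROM TO [DIR]: write DIR/NAME (default /etc/xinetd.d)
# with mode 0644 and print the restart command to run next. A rejected pair
# leaves no file behind.
install_stanza() {
    dir="${4:-/etc/xinetd.d}"
    render_stanza "$1" "$2" "$3" > "$dir/$1" || { rm -f "$dir/$1"; return 1; }
    chmod 0644 "$dir/$1"
    echo "wrote $dir/$1; now run: /sbin/service xinetd restart"
}

if [ $# -eq 3 ]; then
    install_stanza "$1" "$2" "$3"
fi
```

Passing a fourth argument such as a scratch directory lets you inspect the generated file before installing it for real.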