Running as non-root user in UNIX environments

Solaris 10 and above systems

If you are running under Solaris 10 or above, you can run as a non-root user by using the provided example SMF script. See the following topic for details.

Auto-starting in Solaris 10 environments

Solaris 9 and Linux/UNIX systems

The simplest way to install and run MFT Server is as the root user. In some UNIX-based environments, however, you may want or need to run MFT Server as a user other than root. If you go this route, there are certain issues to consider when installing and configuring MFT Server.

Filesystem permissions

When running MFT Server as a non-root system user, ensure that this user has user- or group-level permissions granting full access to the virtual directories that you define for your MFT Server users. This user must also have full access to the MFT Server installation directory, logging directory, user datastore directory and all supporting files within these directories.
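The following script is an added example and is not part of the MFT Server documentation. It checks whether a given non-root service account has full (rwx) access to each directory the server needs, using only the owner, group and mode reported by GNU stat (Linux), so an administrator can run it without becoming root or the service user. The service account name, its groups and the directory paths in the demo are constructed placeholders; on a real host pass the installation, logging, user datastore and virtual directories.

```shell
#!/bin/sh
# Added example (not MFT Server's own code): verify that a non-root service
# account gets rwx on every directory MFT Server needs. Uses GNU "stat -c",
# so it runs unprivileged on Linux. Account and paths below are placeholders.

# has_full_access DIR USER GROUP... -> 0 if USER, a member of the listed
# GROUPs, gets rwx on DIR; mirrors UNIX rules: the owner class is decided
# by the owner bits alone, then the group class, then everyone else.
has_full_access() {
    dir=$1; user=$2; shift 2
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 1; }
    owner=$(stat -c %U "$dir")
    group=$(stat -c %G "$dir")
    mode=$(printf '%03d' "$(stat -c %a "$dir")")   # e.g. 750, 1777, 007
    mode=${mode#"${mode%???}"}                      # keep the last three digits
    ubits=${mode%??}; gbits=${mode#?}; gbits=${gbits%?}; obits=${mode#??}
    if [ "$owner" = "$user" ]; then
        [ "$ubits" = 7 ] && return 0
        return 1
    fi
    for g in "$@"; do
        if [ "$g" = "$group" ]; then
            [ "$gbits" = 7 ] && return 0
            return 1
        fi
    done
    if [ "$obits" = 7 ]; then
        # Access works only because everyone on the host can write here; flag
        # it so the directory can be tightened to the account or its group.
        echo "warning: $dir is world-writable (mode $mode)" >&2
        return 0
    fi
    return 1
}

# audit_dirs USER "GROUP GROUP..." DIR... -> prints one line per directory
# and returns the number of directories the account cannot fully access.
audit_dirs() {
    acct=$1; acct_groups=$2; shift 2
    failed=0
    for d in "$@"; do
        # $acct_groups is intentionally unquoted so it splits into group names
        if has_full_access "$d" "$acct" $acct_groups; then
            echo "ok      $d"
        else
            echo "DENIED  $d"; failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Demo on constructed directories. On a real host, for a service account
# named e.g. mftuser: audit_dirs mftuser "$(id -Gn mftuser)" <dirs...>
demo=$(mktemp -d)
mkdir "$demo/install" "$demo/logs" "$demo/datastore"
chmod 750 "$demo/install" "$demo/logs" "$demo/datastore"
audit_dirs "$(id -un)" "$(id -Gn)" "$demo/install" "$demo/logs" "$demo/datastore"
rm -rf "$demo"
```

A DENIED line means the account would fail at runtime on that directory; the world-writable warning means access works but relies on mode 777, which is worth replacing with ownership by the service account or its group.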

Port redirection

As a general rule, programs on UNIX-based systems (Linux, Solaris, Mac OS X) that bind to ports less than 1024 must run as the root user. For example, the standard port for FTP is port 21, so binding and listening on this port for incoming requests requires running MFT Server as root. One way around this restriction is to have your server listen on ports above 1024; for example, you might run your FTP service on port 2121 instead of port 21 so that MFT Server can run as a non-root user. There may, however, be cases where you want to run MFT Server as a non-root user while still using ports less than 1024. The two methods available, port redirection using xinetd and port redirection using iptables, are discussed below.

Port redirection using xinetd

The xinetd Internet service daemon is installed on most UNIX-based systems and offers a port redirection feature. Using it you could, for example, redirect incoming requests on port 21 to port 2121, allowing you to run your FTP service as a non-root user on port 2121 while still accepting requests that arrive on port 21. To set up xinetd to perform this redirection, go to your /etc/xinetd.d directory and, as root user, create a new service configuration file named jscape with the contents displayed below.

# Redirects any requests on port 21
# to port 2121 (where MFT Server is listening)
service jscape
{
    socket_type = stream
    protocol    = tcp
    user        = root
    wait        = no
    port        = 21
    redirect    = localhost 2121
    disable     = no
}

Next, restart the xinetd service so that it loads the new service definition. On most UNIX-based systems this can be done by issuing the following command.

/sbin/service xinetd restart

Requests arriving on port 21 are now redirected to your listening port of 2121. Because the jscape service configuration file stays in the /etc/xinetd.d directory, the redirection is applied automatically whenever you restart your system.
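The script below is an added example; it is not part of the MFT Server documentation or of xinetd. It parses an xinetd service stanza like the jscape file above and accepts it only if the service is enabled, uses a TCP stream socket, redirects to the local host and lands on an unprivileged port, which is what the non-root setup depends on. The stanza it writes is a constructed copy of the page's configuration; the validator's name and the rule that it rejects off-host targets are this example's own choices.

```shell
#!/bin/sh
# Added example (not MFT Server's or xinetd's code): sanity-check a redirect
# stanza such as /etc/xinetd.d/jscape before restarting xinetd.

# xinetd_value FILE KEY -> prints the value of "KEY = value" in FILE,
# skipping comment lines and collapsing runs of whitespace in the value.
xinetd_value() {
    awk -F= -v key="$2" '
        /^[ \t]*#/ { next }
        NF >= 2 {
            k = $1; v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            gsub(/[ \t]+/, " ", v)
            if (k == key) print v
        }' "$1"
}

# is_port VALUE -> 0 if VALUE is a numeric TCP port number
is_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 65535 ]
}

# validate_redirect FILE -> prints "LISTEN -> HOST:TARGET" and returns 0 for
# a usable stanza; otherwise reports the problem on stderr and returns 1.
validate_redirect() {
    f=$1
    disable=$(xinetd_value "$f" disable)
    stype=$(xinetd_value "$f" socket_type)
    proto=$(xinetd_value "$f" protocol)
    port=$(xinetd_value "$f" port)
    redirect=$(xinetd_value "$f" redirect)
    if [ "$disable" != no ]; then
        echo "$f: service is not enabled (disable = $disable)" >&2; return 1
    fi
    if [ "$stype" != stream ] || [ "$proto" != tcp ]; then
        echo "$f: a redirect needs socket_type = stream and protocol = tcp" >&2; return 1
    fi
    if [ -z "$redirect" ]; then
        echo "$f: no redirect line" >&2; return 1
    fi
    host=${redirect%% *}; target=${redirect##* }
    case $host in
        localhost|127.0.0.1|::1) ;;   # any other host forwards client traffic off the box
        *) echo "$f: redirect target $host is not the local host" >&2; return 1 ;;
    esac
    if ! is_port "$port" || ! is_port "$target"; then
        echo "$f: port ($port) and redirect port ($target) must be numeric" >&2; return 1
    fi
    if [ "$target" -lt 1024 ]; then
        echo "$f: target port $target is privileged, so MFT Server would still need root" >&2; return 1
    fi
    echo "$port -> $host:$target"
}

# write_sample FILE -> writes a constructed copy of the page's jscape stanza
write_sample() {
    cat > "$1" <<'EOF'
# Redirects any requests on port 21
# to port 2121 (where MFT Server is listening)
service jscape
{
    socket_type = stream
    protocol    = tcp
    user        = root
    wait        = no
    port        = 21
    redirect    = localhost 2121
    disable     = no
}
EOF
}

tmp=$(mktemp)
write_sample "$tmp"
validate_redirect "$tmp" && echo "stanza looks usable; restart xinetd to activate it"
rm -f "$tmp"
```

Two things the check deliberately makes visible: the redirector itself runs as root (user = root) purely to bind port 21, while MFT Server keeps listening as the non-root account on 2121; and port 2121 is still a real listening socket, so clients can also reach it directly unless a host firewall limits that port to loopback.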

Port redirection using iptables

On systems running Linux kernel 2.4 and above you can use iptables instead. iptables achieves the same result as xinetd but with less process overhead, because the redirection is performed inside the kernel's netfilter code rather than by a separate user-space process. To see whether iptables is running on your system, run the following command as root user.

/sbin/service iptables status

If it is running, the currently loaded tables and their rules are listed on the console.

Using our original example, create a new redirection rule that redirects incoming requests on port 21 to port 2121 by issuing the following command as root user.

/sbin/iptables -t nat -A PREROUTING -j REDIRECT -p tcp --destination-port 21:21 --to-ports 2121

This rule redirects incoming requests until you restart your system. To ensure that it is still applied after a restart, save the rule by issuing the following command as root user.

/sbin/service iptables save
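The script below is an added example, not part of the MFT Server documentation or of iptables. It audits a saved rule listing in the format produced by "iptables -t nat -S" for the port 21 to 2121 REDIRECT rule added above, so the check can run without root from captured output. The listing embedded here is constructed for the demo; the audit also reports the OUTPUT chain separately because connections originated on the server itself (for example a local test with an FTP client) never pass through PREROUTING.

```shell
#!/bin/sh
# Added example (not MFT Server's or iptables' code): audit a "iptables -t nat
# -S" listing for the REDIRECT rule described on the page.

# Constructed sample of "iptables -t nat -S" output after the page's command;
# iptables prints the rule in this normalised form.
SAMPLE_RULES='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -p tcp -m tcp --dport 21 -j REDIRECT --to-ports 2121'

# redirect_target RULES CHAIN FROM_PORT -> prints the --to-ports value of a
# tcp REDIRECT rule in CHAIN whose destination port is exactly FROM_PORT,
# or nothing when no such rule exists.
redirect_target() {
    printf '%s\n' "$1" | awk -v chain="$2" -v from="$3" '
        $1 == "-A" && $2 == chain && / -p tcp / && / -j REDIRECT( |$)/ {
            dport = ""; to = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "--dport" || $i == "--destination-port") dport = $(i + 1)
                if ($i == "--to-ports") to = $(i + 1)
            }
            # a single-port range such as "21:21" means port 21; a real range
            # like "21:25" is left alone and will not match a single port
            n = split(dport, r, ":")
            if (n == 2 && r[1] == r[2]) dport = r[1]
            if (dport == from && to != "") print to
        }'
}

# audit_redirect RULES FROM TO -> 0 if PREROUTING redirects FROM to TO.
# OUTPUT is reported as well: without a rule there, clients on the server
# itself still hit port FROM directly.
audit_redirect() {
    rules=$1; from=$2; to=$3
    pre=$(redirect_target "$rules" PREROUTING "$from")
    out=$(redirect_target "$rules" OUTPUT "$from")
    echo "PREROUTING: port $from -> ${pre:-not redirected}"
    echo "OUTPUT:     port $from -> ${out:-not redirected (local clients on this host)}"
    [ "$pre" = "$to" ]
}

# Demo on the constructed listing; on a real host use:
#   audit_redirect "$(iptables -t nat -S)" 21 2121
audit_redirect "$SAMPLE_RULES" 21 2121 && echo "incoming port 21 is redirected to 2121"
```

If local clients must be redirected too, the same REDIRECT rule can be added to the OUTPUT chain of the nat table (with -o lo). Note also that a PREROUTING rule without an -i interface match applies to every interface, and that port 2121 remains directly reachable; restrict it with filter-table rules if only redirected traffic should arrive there.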

See also

Auto-starting in Linux and Solaris 9 environments