> I am using sbcl, so I could use sb-posix:setuid after starting hunchentoot<br>> and gaining port 80, removing root-privileges.<br><br><pre style="font-family: courier new,monospace;">
(require :sb-posix)
;; libc calls that sb-posix does not wrap out of the box
(sb-posix::define-call "initgroups" int minusp (user c-string) (group sb-posix::gid-t))
(sb-posix::define-call "prctl" int minusp (option int) (arg int))
(defconstant +PR_SET_KEEPCAPS+ 8) ; linux/prctl.h: keep permitted caps across the uid change

;; libcap (package libcap2), whichever soname is installed
(sb-alien:load-shared-object (find-if #'probe-file '("/lib/libcap.so.2" "/lib/libcap.so")))
(sb-posix::define-call "cap_from_text" (* char) null-alien (text c-string))
(sb-posix::define-call "cap_set_proc" int minusp (cap_p (* char)))
(sb-posix::define-call "cap_free" int minusp (cap_p (* char)))

(defun drop-privileges (name)
  "Switch from root to the user NAME, keeping only CAP_NET_BIND_SERVICE."
  (let* ((pw  (sb-posix:getpwnam name))
         (uid (sb-posix:passwd-uid pw))
         (gid (sb-posix:passwd-gid pw)))
    (sb-posix:prctl +PR_SET_KEEPCAPS+ 1)
    ;; groups first: after setresuid the process may no longer change them
    (sb-posix:setresgid gid gid gid)
    (sb-posix:initgroups name gid)
    (sb-posix:setresuid uid uid uid)
    ;; the uid change clears the effective set; re-enable only what port 80 needs
    (let ((cap_p (sb-posix:cap-from-text "CAP_NET_BIND_SERVICE=ep")))
      (sb-posix:cap-set-proc cap_p)
      (sb-posix:cap-free cap_p))))

(drop-privileges "www-data") ; placeholder user name; the full script below sets its own
(hunchentoot:start (make-instance 'hunchentoot:acceptor :port 80))
</pre>
<br>I use this code to run <a href="http://lisper.ru/">http://lisper.ru/</a>. It requires libcap2. Tested on Debian and Gentoo. <br><br>Full script: <a href="http://github.com/archimag/rulisp/blob/devel/rulisp-daemon.lisp">http://github.com/archimag/rulisp/blob/devel/rulisp-daemon.lisp</a> <br>
Andrey<br><br><div class="gmail_quote">2009/10/16 Christoph Senjak <span dir="ltr"><<a href="mailto:christoph.senjak@googlemail.com" target="_blank">christoph.senjak@googlemail.com</a>></span><br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hello.<br>
<br>
As I am really annoyed by the confusing configuration-"possibilities"<br>
of apache, and as lighttpd doesn't support what I want to do in its<br>
stable release, I want to run hunchentoot in the first place. However,<br>
there are two problems:<br>
<br>
At first, I cannot run a usermode-process listening on port 80. I am<br>
using sbcl, so I could use sb-posix:setuid after starting hunchentoot<br>
and gaining port 80, removing root-privileges. Or I could forward port<br>
80 to port 8000 via firewall policies.<br>
<br>
I would prefer the first possibility. The question is, if there is<br>
anything militating against starting hunchentoot as root and then<br>
using setuid. I.e. any security issues that could result from it,<br>
anything that maybe won't work, etc.<br>
<br>
Another thing is the question if there is some proxy- or<br>
passthrough-module for hunchentoot. I still have some php-pages I want<br>
to host (even though I will use lighttpd rather than apache for this),<br>
and would therefore need to pass them to another server in the<br>
background.<br>
<br>
Regards,<br>
Christoph Senjak<br>
<br>
_______________________________________________<br>
tbnl-devel site list<br>
<a href="mailto:tbnl-devel@common-lisp.net" target="_blank">tbnl-devel@common-lisp.net</a><br>
<a href="http://common-lisp.net/mailman/listinfo/tbnl-devel" target="_blank">http://common-lisp.net/mailman/listinfo/tbnl-devel</a><br>
</blockquote></div><br>
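As an added check (not from Andrey's mail or from the rulisp script), the following SBCL code reads /proc/self/status after the drop-privileges recipe above and fails unless all four uids and gids are non-root and the effective and permitted capability sets hold exactly CAP_NET_BIND_SERVICE. The bounding set is not reduced by that recipe, so it is not checked here; the function and constant names are my own.

```lisp
;; Added example, not from the original mail or from rulisp: read back the
;; process state from /proc/self/status after the privilege drop (Linux only).

(defconstant +cap-net-bind-service+ 10
  "Capability number of CAP_NET_BIND_SERVICE (linux/capability.h).")

(defun split-fields (string)
  "Split STRING on spaces and tabs, dropping empty pieces."
  (let ((fields '()) (start nil))
    (loop for i from 0 to (length string)
          for ws = (or (= i (length string))
                       (member (char string i) '(#\Space #\Tab)))
          do (cond ((and ws start) (push (subseq string start i) fields)
                                   (setf start nil))
                   ((and (not ws) (not start)) (setf start i))))
    (nreverse fields)))

(defun proc-status-field (name)
  "Return the fields of the NAME: line of /proc/self/status, or NIL."
  (let ((prefix (concatenate 'string name ":")))
    (with-open-file (in "/proc/self/status")
      (loop for line = (read-line in nil)
            while line
            when (and (>= (length line) (length prefix))
                      (string= prefix line :end2 (length prefix)))
              return (split-fields (subseq line (length prefix)))))))

(defun check-privileges-dropped (&optional (wanted (ash 1 +cap-net-bind-service+)))
  "Signal an error unless every uid and gid (real, effective, saved, fs) is
non-root and CapEff and CapPrm are exactly WANTED. Returns T on success."
  (let ((uids (mapcar #'parse-integer (proc-status-field "Uid")))
        (gids (mapcar #'parse-integer (proc-status-field "Gid")))
        (eff  (parse-integer (first (proc-status-field "CapEff")) :radix 16))
        (prm  (parse-integer (first (proc-status-field "CapPrm")) :radix 16)))
    ;; A saved uid of 0 would let the process setuid(0) back, so all four
    ;; ids must be non-zero, not just the effective one.
    (when (or (null uids) (member 0 uids) (null gids) (member 0 gids))
      (error "ids unreadable or still root: Uid ~a Gid ~a" uids gids))
    ;; PR_SET_KEEPCAPS preserved the whole permitted set, so check it too;
    ;; anything beyond CAP_NET_BIND_SERVICE is a leftover from root.
    (unless (and (= eff wanted) (= prm wanted))
      (error "unexpected capabilities: CapEff ~16,16,'0r CapPrm ~16,16,'0r" eff prm))
    t))

;; Use: call (check-privileges-dropped) right after the drop, before hunchentoot:start.
```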