[dsdp-tm-dev] Dstore to use privileged ports for serverPortRange

We would like the dstore SERVER to listen on the privileged port.  Since
the daemon runs as root it can already listen on a privileged port.

We started looking again at calling setuid from within the server
process as we determined we can permanently drop privileges but now we
are having issues with calling the .profile and being able to export the
user's environment.  How does RSE send commands to the remote system?
Does it open a shell and manipulate standard input and output of the
shell?  We are working with AIX as the remote system and we are required
to encrypt our data using SSL.

As for the suggestions you made, they sound very interesting and I can
research those as well.  I'm not all that experienced with these
protocols so if you have some more detail you could give, that would be
very appreciated.  I'm not quite sure how an external program would
communicate with the local RSE client along with funneling the data to
the remote server.


Denise Schmidt 


Message: 1
Date: Thu, 9 Jul 2009 14:43:41 +0200
From: "Oberhuber, Martin" <Martin.Oberhuber@xxxxxxxxxxxxx>
Subject: RE: [dsdp-tm-dev] Dstore to use privileged ports for
To: "Target Management developer discussions"
Content-Type: text/plain; charset="us-ascii"

Do you want the dstore SERVER or the DAEMON to listen on the privileged
What if you use an external program to listen on the privileged port and
relay its communication?
In the simplest case, you could use netcat (nc), a little bit more
advanced is socat; or, you have an sshd daemon listen and open ssh
tunnels through it; or, you have a SOCKS proxy running and relay its
ports.
Martin Oberhuber, Senior Member of Technical Staff, Wind River
Target Management Project Lead, DSDP PMC Member


	From: dsdp-tm-dev-bounces@xxxxxxxxxxx
[mailto:dsdp-tm-dev-bounces@xxxxxxxxxxx] On Behalf Of Schmidt, Denise
	Sent: Monday, 06 July 2009 23:02
	To: dsdp-tm-dev@xxxxxxxxxxx
	Subject: [dsdp-tm-dev] Dstore to use privileged ports for

	We are interested in modifying Dstore to allow the
serverPortRange to use privileged ports (<1024).  I had posted a
newsgroup question about this and now we're looking at how we could make
changes for this.


	We were first looking at starting the
org.eclipse.dstore.core.server.Server method as root and then calling
the native Unix setuid to change the effective user ID to that of the
client.  But after thinking more about it, there is the possibility that
the user could execute something that would setuid the process back to
root and then they would have authority on the remote system they should
not have.

	So now we are looking at possibly splitting the server
functionality into separate processes, one that runs as root and
communicates over the network and one that runs as the client user ID
and does all the "real" work on the remote system.  The 2 processes
would have to communicate data between them.  I've been looking over the
Dstore source code to see how easy that separation might be.  

	Does this solution sound reasonable?  Is there another, possibly
better solution we haven't thought of?

	Any suggestions or things we should consider while tackling this
are appreciated.  We'd like to work this out so that we could contribute
our changes back.


	Denise Schmidt
