RE: [dsdp-tm-dev] Dstore to use privileged ports for serverPortRange

Hi Denise,

it looks like this thread got stalled, do you still have
any open questions?

Cheers,
--
Martin Oberhuber, Senior Member of Technical Staff, Wind River
Target Management Project Lead, DSDP PMC Member
http://www.eclipse.org/dsdp/tm
 
 

> -----Original Message-----
> From: dsdp-tm-dev-bounces@xxxxxxxxxxx [mailto:dsdp-tm-dev-bounces@xxxxxxxxxxx] On Behalf Of Schmidt, Denise
> Sent: Thursday, 09 July 2009 17:42
> To: dsdp-tm-dev@xxxxxxxxxxx
> Subject: [dsdp-tm-dev] Dstore to use privileged ports for serverPortRange
> 
> We would like the dstore SERVER to listen on the privileged port.  Since
> the daemon runs as root it can already listen on a privileged port.
> 
> We started looking again at calling setuid from within the server
> process as we determined we can permanently drop privileges but now we
> are having issues with calling the .profile and being able to export the
> user's environment.  How does RSE send commands to the remote system?
> Does it open a shell and manipulate standard input and output of the
> shell?  We are working with AIX as the remote system and we are required
> to encrypt our data using SSL.
> 
> As for the suggestions you made, they sound very interesting and I can
> research those as well.  I'm not all that experienced with these
> protocols so if you have some more detail you could give, that would be
> very appreciated.  I'm not quite sure how an external program would
> communicate with the local RSE client along with funneling the data to
> the remote server.
> 
> Thanks!
> 
> Denise Schmidt 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Thu, 9 Jul 2009 14:43:41 +0200
> From: "Oberhuber, Martin" <Martin.Oberhuber@xxxxxxxxxxxxx>
> Subject: RE: [dsdp-tm-dev] Dstore to use privileged ports for serverPortRange
> To: "Target Management developer discussions" <dsdp-tm-dev@xxxxxxxxxxx>
> Message-ID: <460801A4097E3D4CA04CC64EE64858480A693C86@xxxxxxxxxxxxxxxxxxxxxxxxxx>
> Content-Type: text/plain; charset="us-ascii"
> 
> Do you want the dstore SERVER or the DAEMON to listen on the privileged
> port?
>  
> What if you use an external program to listen on the privileged port and
> relay its communication?
>  
> In the simplest case, you could use netcat (nc), a little bit more
> advanced is socat; or, you have an sshd daemon listen and open ssh
> tunnels through it; or, you have a SOCKS proxy running and relay its
> ports.
>  
> Cheers,
> --
> Martin Oberhuber, Senior Member of Technical Staff, Wind River
> Target Management Project Lead, DSDP PMC Member
> http://www.eclipse.org/dsdp/tm
>  
>  
> 
> 
> ________________________________
> 
> 	From: dsdp-tm-dev-bounces@xxxxxxxxxxx [mailto:dsdp-tm-dev-bounces@xxxxxxxxxxx] On Behalf Of Schmidt, Denise
> 	Sent: Monday, 06 July 2009 23:02
> 	To: dsdp-tm-dev@xxxxxxxxxxx
> 	Subject: [dsdp-tm-dev] Dstore to use privileged ports for serverPortRange
> 	
> 	
> 
> 	We are interested in modifying Dstore to allow the
> 	serverPortRange to use privileged ports (<1024).  I had posted a
> 	newsgroup question about this and now we're looking at how we
> 	could make changes for this.
> 
> 	We were first looking at starting the
> 	org.eclipse.dstore.core.server.Server method as root and then
> 	calling the native Unix setuid to change the effective user ID to
> 	that of the client.  But after thinking more about it, there is
> 	the possibility that the user could execute something that would
> 	setuid the process back to root and then they would have
> 	authority on the remote system they should not have.
> 
> 	So now we are looking at possibly splitting the server
> 	functionality into separate processes, one that runs as root and
> 	communicates over the network and one that runs as the client
> 	user ID and does all the "real" work on the remote system.  The 2
> 	processes would have to communicate data between them.  I've been
> 	looking over the Dstore source code to see how easy that
> 	separation might be.
> 
> 	Does this solution sound reasonable?  Is there another, possibly
> 	better solution we haven't thought of?
> 
> 	Any suggestions or things we should consider while tackling this
> 	are appreciated.  We'd like to work this out so that we could
> 	contribute our changes back.
> 
> 	Thanks.
> 
> 	Denise Schmidt
> _______________________________________________
> dsdp-tm-dev mailing list
> dsdp-tm-dev@xxxxxxxxxxx
> https://dev.eclipse.org/mailman/listinfo/dsdp-tm-dev
> 
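
The concern in the quoted thread, that a server started as root and switched to the client's user ID could switch back to root, comes down to whether the saved user ID is cleared along with the effective one. The following is an added example, not Dstore code and not from any participant in the thread: a C routine that drops privileges permanently and verifies that root cannot be regained. The function name and the sample uid/gid 1001 are assumptions.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop to uid/gid for good. Returns 0 on success, -1 if the drop failed
 * or could be undone; the caller should exit on -1. (Hypothetical helper.) */
int drop_privileges_permanently(uid_t uid, gid_t gid)
{
    if (uid == 0)
        return -1;                 /* "dropping" to root is not a drop */

    /* Clear root's supplementary groups. Only root may call setgroups().
     * A real server would load the target user's groups with initgroups(). */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;

    /* Group first: after setuid() the process may no longer change it. */
    if (setgid(gid) != 0)
        return -1;

    /* With euid 0, setuid() sets the real, effective AND saved uid.
     * seteuid() alone would leave the saved uid at 0, so any code running
     * in the process could call seteuid(0) and be root again. */
    if (setuid(uid) != 0)
        return -1;

    /* Verify the result instead of trusting the return codes. */
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    if (setuid(0) == 0 || seteuid(0) == 0)   return -1;  /* root regained */
    return 0;
}

int main(void)
{
    /* Assumption: 1001 is a constructed sample account, used when started as root. */
    uid_t uid = getuid() ? getuid() : 1001;
    gid_t gid = getuid() ? getgid() : 1001;

    /* A root-started server would bind its privileged port here, before the drop. */
    if (drop_privileges_permanently(uid, gid) != 0) {
        fprintf(stderr, "privilege drop failed, refusing to continue\n");
        return 1;
    }
    printf("running as uid=%ld gid=%ld\n", (long)uid, (long)gid);
    return 0;
}
```

A socket bound before the drop stays usable afterwards, which is why the bind comes first.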

