A common misfeature found on UN*X operating systems is the restriction that only root can bind to ports below 1024. Many a dollar has been wasted on workarounds and -often- the results are security holes.
Both FreeBSD and Solaris have elegant configuration options to turn this feature off. On FreeBSD:
$ sysctl net.inet.ip.portrange.reservedhigh=0
Similarly on Solaris we can just configure away this misfeature. Assuming we want to run Yaws/SSL under a non-root user "erlang" on ports 80/443.
On Solaris we can do that easily by granting the specific right to bind privileged ports <1024 (and only that) to "erlang" using:
$ /usr/sbin/usermod -K defaultpriv=basic,net_privaddr erlang
And check the we get what we want through:
$ grep erlang /etc/user_attr erlang::::type=normal;defaultpriv=basic,net_privaddr
Linux doesn't have anything like the above. There are a couple of options on Linux. The best is to use an auxiliary program like authbind http://packages.debian.org/stable/authbind or privbind http://sourceforge.net/projects/privbind/
These programs are run by root. Yaws writes its temporary JIT compiled files in $HOME/.yaws and this doesn't work that well with authbind/privbind. A non root user will try to write in /root/.yaws. The solution to this is to set the environment variable YAWSHOME. Yaws will then consider that to be HOME rather that $HOME.
To start yaws under e.g authbind we can do:
$ sudo YAWSHOME=/tmp/abc privbind -u klacke /home/klacke/bin/yaws \
-c /home/klacke/yaws.conf -i
The above command starts yaws as user klacke and bind to ports below 1024
Yet another option is to is to install fdsrv which is a standalone program that has the suid bit set, binds privileged ports and passes the filedescriptor to yaws. I have made a package out of the jungerl code that can be easily installed just through the usual cycle of make && make install The code is at
http://yaws.hyber.org/download/fd_server-2.3.0.tgz
One major drawback with fdsrv is that it doesn't work for SSL. With the case of SSL, one possible solution is to put ssltunnel in front of yaws and let yaws bind to 127.0.0.1
All in all the fdsrv option is much worse that the authbind option.
Yet another (more complicated way) for linux users is to hack the kernel. Here is a patch I did for some version of the 2.6 series kernels .. you get the idea.
[root@lax]ipv4 > diff -c af_inet.c*
*** af_inet.c Wed Feb 23 23:31:35 2005
--- af_inet.c~ Thu Feb 17 18:13:13 2005
***************
*** 423,434 ****
snum = ntohs(addr->sin_port);
err = -EACCES;
- #if 0
- /* removed by klacke */
if (snum && snum < PROT_SOCK && !capable(CAP_NET_BIND_SERVICE))
goto out;
- #endif
-
/* We keep a pair of addresses. rcv_saddr is the one
* used by hash lookups, and saddr is used for transmit.
--- 423,430 ----
