Next: Changing Database File Permissions Up: Security Considerations Previous: Changing the Admin Password   Contents

Unix setuid Operation


Unix systems, including the supported Solaris and Linux platforms, only allow a process running as root to bind to ports below 1024, which includes the standard NNTP port (119). CoffeeLink News Server automatically falls back to an alternate port, 1199, if it fails to bind to port 119. In many cases this is acceptable, but some environments require port 119 for compatibility with news clients or to pass through firewalls. If you want the CLNews server to use port 119 you can either:

  • run the server as root, or

  • start the server as root and configure it to change its user ID immediately after start-up, once port 119 has been bound.

Running the server as root is the simplest option, since it requires no changes to the CLNews configuration. CLNews is written in Java, so the memory-corruption attacks crackers most commonly use to gain root against native daemons should have no direct effect on CLNews. But any program running as root can be compromised by a sufficiently skilled cracker; for example, a particular version of the Java virtual machine might have an obscure bug that could be exploited, and the virtual machine itself is native code running as root. BCC makes no guarantee that CLNews is invulnerable to such attacks. To allow a higher degree of safety, CLNews ships with a small native library that lets a Java program call the Unix setuid() function, so the server can bind port 119 while it is still root and then run as an unprivileged user for the rest of its life. Unlike the Java program, the native library is platform specific; CLNews includes precompiled versions for the supported Unix platforms. Source code is also provided, but BCC does not support attempts to port the library to other platforms. To enable setuid operation, perform the following steps:

  1. Log in as root on the Unix system on which CLNews will run.

  2. cd to a directory on the dynamic linker's library search path, either one listed in root's LD_LIBRARY_PATH environment variable or a default location such as /lib or /usr/lib.

  3. Create a symbolic link named libbccj.so in the current directory that points to the platform-specific native library in the CoffeeLinkNews/lib directory. For example, if you are using Solaris SPARC and have CLNews installed in /usr/local/CoffeeLinkNews, the command would be:

    ln -s /usr/local/CoffeeLinkNews/lib/libbccj-solaris-sparc.so libbccj.so
    

  4. Change the owner and group of the installation directory to the user and group that the server will run under. A dedicated account created for CLNews is preferable to a shared one such as nobody. For example, if you chose the user and group nobody, and have CLNews installed in /usr/local/CoffeeLinkNews, the proper commands would be:

    chown -R nobody /usr/local/CoffeeLinkNews
    chgrp -R nobody /usr/local/CoffeeLinkNews
    chmod 700 /usr/local/CoffeeLinkNews/database
    chmod 600 /usr/local/CoffeeLinkNews/database/*

    The two chmod commands make the database readable only by the service user. Note that the recursive chown also hands the native library under lib/ to the service user, even though root's JVM loads it through the symbolic link at every start; if the service user's process were compromised, that file could be replaced with code that would run as root on the next restart. Copying the library into the root-owned system directory in step 3, instead of linking to it, avoids this.
    

  5. Run the Configure program and select the Unix Only option in the tree pane.

  6. Click the Change Identity On Startup check box in the properties pane.

  7. Enter the Unix user and group IDs that you want the server to run under. These must be valid Unix user and group IDs, or the server will not start properly. The specified user must have write permission to the CLNews installation directory and all of its subdirectories. (See Changing Database File Permissions for more information.)

  8. Click the Apply button to save the changes.

  9. Choose Shutdown from the Server menu to stop the server.

  10. Restart the server as root.


Copyright © 2000 by Burton Computer Corporation, All Rights Reserved