running red5 on port 80

shouldbeq931 asked:

I have a red5 application http://code.google.com/p/openmeetings that runs under red5, and is accessible on ports 5080 and 8443.

I’ve installed it on Ubuntu 10.04

The eventual aim is to have it accessible via https on 443 instead of 8443, but I thought I would initially try on 80 so that any issues were just down to the port configuration and not SSL certificates.

I’ve tried changing the port from 5080 to 80 in the red5.properties file, but it fails to start.

In the red5.log I have seen

ERROR o.a.coyote.http11.Http11Protocol – Error initializing endpoint java.net.BindException: Permission denied /0.0.0.0:80

In the error.log I have seen

ERROR o.a.coyote.http11.Http11Protocol – Error initializing endpoint
java.net.BindException: Permission denied /0.0.0.0:80

and

ERROR org.red5.server.tomcat.TomcatLoader – Error loading tomcat, unable to bind connector. You may not have permission to use the selected port
org.apache.catalina.LifecycleException: Protocol handler initialization failed: java.net.BindException: Permission denied /0.0.0.0:80

There is nothing else installed or running on port 80, so I presume that this is a “needs to be root” situation. I would rather not run an Internet accessible web service as root.

I know that Tomcat can run on port 80 by changing “#AUTHBIND=no” to “AUTHBIND=yes” in /etc/default/tomcat6 but I have not been able to find anything similar for red5.

Am I on a hiding to nothing, or is there a better way than running as root?

Thanks!

My answer:


As far as I can tell, red5 has no provision for binding a privileged port and then dropping root privileges back to a normal user account, as many other daemons (such as Apache, tomcat, etc.) do.

Therefore, while you can run it as root and bind to port 80, it will remain running as root, and be quite unsafe.

To work around this, use some sort of port forwarding. For instance, xinetd has port forwarding built in, so if you’re already using it for something else, you can set up a simple port forward:

service yourservicename
{
        disable         = no
        type            = UNLISTED
        socket_type     = stream
        protocol        = tcp
        user            = nobody
        wait            = no
        redirect        = 127.0.0.1 5080
        port            = 80
}

View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.