MINA and prebinding of privileged ports

[David Connelly <da...@zimbra.com>]

Hi,

I am working on adding MINA/NIO support to Zimbra's mail server and so far
the only problem I've encountered is the lack of support in MINA for
prebinding of privileged ports. In this case, the server binds the server
socket while running as "root" then calls native code to setuid to a less
privileged user before listening on the server socket. Unfortunately, the
SocketAcceptor bind() method not only binds the server socket but starts
listening on the server channel immediately as well, which prevents
prebinding of the ports.

Our temporary workaround has been to add a new 'register' method to
SocketAcceptor so our application can create and bind the
ServerSocketChannel as root, setuid to the zimbra user, then call 'register'
to allow MINA to start listening on the server socket.

Any chance something like this or similar could be added to the MINA core in
1.1.x? This would be a big help for us so we don't have to indefinitely
maintain our own patched version of SocketAcceptor.

Thanks,
David

Re: MINA and prebinding of privileged ports

[peter royal <pr...@apache.org>]

On Feb 26, 2008, at 6:27 AM, 이희승 (Trustin Lee) wrote:
> It breaks the abstraction of the API IMO, because we don't assume that
> we always use ServerSocketChannel.  We could add such a method to
> NioSocketAcceptor only, but this will give compilation errors to users
> when they switch to other transports.

certainly, its a NioSocketAcceptor thing only.

-pete


-- 
proyal@apache.org - http://fotap.org/~osi

Re: MINA and prebinding of privileged ports

["이희승 (Trustin Lee)" <tr...@gmail.com>]

2008-02-25 (월), 07:52 -0800, peter royal 쓰시길:
> On Feb 24, 2008, at 6:56 PM, David Connelly wrote:
> > Unfortunately, the SocketAcceptor bind() method not only binds the  
> > server socket but starts
> > listening on the server channel immediately as well, which prevents  
> > prebinding of the ports.
> >
> > Our temporary workaround has been to add a new 'register' method to
> > SocketAcceptor so our application can create and bind the
> > ServerSocketChannel as root, setuid to the zimbra user, then call  
> > 'register'
> > to allow MINA to start listening on the server socket.
> 
> How about just a variant on bind() that takes a ServerSocket(Channel)  
> rather than an IP/port combination?

It breaks the abstraction of the API IMO, because we don't assume that
we always use ServerSocketChannel.  We could add such a method to
NioSocketAcceptor only, but this will give compilation errors to users
when they switch to other transports.

-- 
Trustin Lee - Principal Software Engineer, JBoss, Red Hat
--
what we call human nature is actually human habit
--
http://gleamynode.net/

Re: MINA and prebinding of privileged ports

[peter royal <pr...@apache.org>]

On Feb 24, 2008, at 6:56 PM, David Connelly wrote:
> Unfortunately, the SocketAcceptor bind() method not only binds the  
> server socket but starts
> listening on the server channel immediately as well, which prevents  
> prebinding of the ports.
>
> Our temporary workaround has been to add a new 'register' method to
> SocketAcceptor so our application can create and bind the
> ServerSocketChannel as root, setuid to the zimbra user, then call  
> 'register'
> to allow MINA to start listening on the server socket.

How about just a variant on bind() that takes a ServerSocket(Channel)  
rather than an IP/port combination?

> Any chance something like this or similar could be added to the MINA  
> core in
> 1.1.x? This would be a big help for us so we don't have to  
> indefinitely
> maintain our own patched version of SocketAcceptor.

As Trustin said, we can put it into the core for 2.x, but 1.1.x is  
just in maintenance mode until we can get 2.0 out. (realizing the pain  
it causes to continue to have delays). But do post a patch!

-pete

-- 
(peter.royal|osi)@pobox.com - http://fotap.org/~osi

Re: MINA and prebinding of privileged ports

["이희승 (Trustin Lee)" <tr...@gmail.com>]

Hi David,

Unfortunately, we decided not to add any new features to 1.x.  Any new
features will go to the follwing milestones of 2.0.0.

IIUC, your request is that MINA should provide a hook so you can do
something before listening to the channel, right?  It shouldn't be that
difficult to add such a hook because we already have an
IoServiceListener interface.  We could add another handler method there.
Does it sound good?  If you have some time, you could file a JIRA issue
regarding your request so we can keep track on it.

Thanks,

2008-02-24 (일), 18:56 -0800, David Connelly 쓰시길:
> Hi,
> 
> I am working on adding MINA/NIO support to Zimbra's mail server and so far
> the only problem I've encountered is the lack of support in MINA for
> prebinding of privileged ports. In this case, the server binds the server
> socket while running as "root" then calls native code to setuid to a less
> privileged user before listening on the server socket. Unfortunately, the
> SocketAcceptor bind() method not only binds the server socket but starts
> listening on the server channel immediately as well, which prevents
> prebinding of the ports.
> 
> Our temporary workaround has been to add a new 'register' method to
> SocketAcceptor so our application can create and bind the
> ServerSocketChannel as root, setuid to the zimbra user, then call 'register'
> to allow MINA to start listening on the server socket.
> 
> Any chance something like this or similar could be added to the MINA core in
> 1.1.x? This would be a big help for us so we don't have to indefinitely
> maintain our own patched version of SocketAcceptor.
> 
> Thanks,
> David
> 
> 
> 
> 
-- 
Trustin Lee - Principal Software Engineer, JBoss, Red Hat
--
what we call human nature is actually human habit
--
http://gleamynode.net/