Isn't there simple utils in unixes, which can simply redirect one port
to another?
You binding your app to port which doesn't requires root priviliges,
but it works as 80 port.
In particular, i don't see how apache is more secure than squeam vm.
Security more depends on what you running as front end (framework in
smalltalk , module in apache) not the basement.

2008/11/23 Gerardo Richarte <gera at corest.com>:
>
>>>
>>> How do you bind port 80?
>>
>> Running as a root. Danger for hackers to break into? Well, in
>> Smalltalk hardly :)
>
> I think security should be taken seriously, and better early that
> latter... here my two cents to the problem, not that I think this is a
> real solution, but it'll calm down those who care about running squeak
> as root (IMHO, once you got non-root access to a system, it's just a
> matter of time until you escalate to root, and again IMHO, Squeak and
> its applicacionts, present a big risk, if only, at least, because it has
> never been developed with security in mind).
>
>    On windows, you don't need administrative privs to bind to port 80,
> at least until a few versions ago (not sure in Vista). So, no need to
> run as 'root' on windows.
>
>    On Unix, you only need root privs to bind to port 80, so, of course,
> two options come to mind:
>
>    Use an external program to bind to port 80, and pass the connectio
> to Squeak (for example, Apach/lighttpd, maybe with fastCgi, what I find
> a VERY interesting option). Or some other small standalone program, that
> the executes Squeak passing the bound socket to the child squeavm
> process, where Squeak takes it from and uses it). This external program
> should drop privs before calling squeak.
>
>    Another, probably more integrated idea, whould be to drop privs from
> squeak after binding to port 80... and probably chrooting to another
> place. How? Here I'm attached a quick (5 minutes) interface to libc
> that'll let you do it. I tested it on Linux, and had to play tricks with
> libc.so so squeak finds it (I symlinked libs.so.6 (actually libc-2.7.so)
> to /usr/lib/squeak/3.9-8/libc.so [sudo ln -s /lib/libc-2.7.so
> /usr/lib/squeak/3.9-8/libc.so]).
>
>    Then, after importing the attached class, you can start playing with
> things like:
>
> libc := Libc new.
> libc chroot: '/tmp' " disable changes file logging before doing it "
> libc setruid: 1000 euid: 1000 suid: 1000.
> self setrgid: 1000 egid: 1000 sgid: 1000.
>
> with that, you are clear on this front. Again, I don't think this is the
> solution,
> the 'evaluate:' example Klaus sent earlier is for me the most clear danger,
> more than binary bugs in external libraries (although those are also
> problems)
>
>    anyway, adding 2 cents to the pot
>    richie
>
>
>
>



-- 
Best regards,
Igor Stasenko AKA sig.