setcap (trying to use port 443) not appearing to work with Crossbar.io

#1

Hi,

I’ve got a Crossbar.io app that runs fine when listening on a non-privileged port; I’m now trying to get Crossbar.io to listen on the privileged secure HTTP port 443.

All I did was:

  • Change the port in the transports/web/endpoint/port to 443 in config.json.

  • Did a setcap for the crossbar app according to the instructions at:

https://github.com/crossbario/crossbar/wiki/Running-on-privileged-ports

I’m running under CPython, so no PyPy (at least for now). Here’s the output, running simply under my non-privileged user on debian:

$ which crossbar
/usr/local/bin/crossbar
$ getcap `which crossbar`
/usr/local/bin/crossbar = cap_net_bind_service+ep
$ crossbar start
2014-12-17 11:28:16-0500 [Controller 7282] Log opened.
2014-12-17 11:28:16-0500 [Controller 7282] ============================== Crossbar.io ==============================
2014-12-17 11:28:16-0500 [Controller 7282] Crossbar.io 0.9.12 starting
2014-12-17 11:28:16-0500 [Controller 7282] Running on CPython using EPollReactor reactor
2014-12-17 11:28:16-0500 [Controller 7282] Starting from node directory xxx/.crossbar
2014-12-17 11:28:16-0500 [Controller 7282] Starting from local configuration 'xxx/.crossbar/config.json'
2014-12-17 11:28:16-0500 [Controller 7282] Warning, could not set process title (setproctitle not installed)
2014-12-17 11:28:16-0500 [Controller 7282] Warning: process utilities not available
2014-12-17 11:28:16-0500 [Controller 7282] No WAMPlets detected in enviroment.
2014-12-17 11:28:16-0500 [Controller 7282] Starting Router with ID 'worker1' ...
2014-12-17 11:28:16-0500 [Controller 7282] Entering reactor event loop ...
2014-12-17 11:28:17-0500 [Router 7285] Log opened.
2014-12-17 11:28:17-0500 [Router 7285] Warning: could not set worker process title (setproctitle not installed)
2014-12-17 11:28:17-0500 [Router 7285] Running under CPython using EPollReactor reactor
2014-12-17 11:28:17-0500 [Router 7285] Entering event loop ...
2014-12-17 11:28:17-0500 [Router 7285] Warning: process utilities not available
2014-12-17 11:28:17-0500 [Controller 7282] Router with ID 'worker1' and PID 7285 started
2014-12-17 11:28:17-0500 [Controller 7282] Router 'worker1': PYTHONPATH extended
2014-12-17 11:28:17-0500 [Controller 7282] Router 'worker1': realm 'realm1' started
2014-12-17 11:28:17-0500 [Controller 7282] Router 'worker1': role 'role1' started on realm 'realm1'
2014-12-17 11:28:17-0500 [Controller 7282] Router 'worker1': role 'role2' started on realm 'realm1'
2014-12-17 11:28:17-0500 [Controller 7282] Router 'worker1': role 'role3' started on realm 'realm1'
2014-12-17 11:28:17-0500 [Controller 7282] Router 'worker1': role 'role4' started on realm 'realm1'
2014-12-17 11:28:17-0500 [Controller 7282] Router 'worker1': component 'component1' started
2014-12-17 11:28:17-0500 [Controller 7282] Router 'worker1': component 'component2' started
2014-12-17 11:28:17-0500 [Router 7285] enabling WebSocket compression (permessage-deflate)
2014-12-17 11:28:17-0500 [Router 7285] Using default cipher list.
2014-12-17 11:28:17-0500 [Router 7285] Ok, OpenSSL Diffie-Hellman ciphers parameter file loaded.
2014-12-17 11:28:17-0500 [Router 7285] Warning: OpenSSL failed to set ECDH default curve ['module' object has no attribute 'get_elliptic_curve']
2014-12-17 11:28:17-0500 [Router 7285] ERROR: cannot listen on transport endpoint (Couldn't listen on any:443: [Errno 13] Permission denied.)
2014-12-17 11:28:17-0500 [Controller 7282] Traceback (most recent call last):
2014-12-17 11:28:17-0500 [Controller 7282]   File "/usr/local/lib/python2.7/dist-packages/crossbar/controller/node.py", line 190, in run_node_config
2014-12-17 11:28:17-0500 [Controller 7282]     yield self._run_node_config(config)
2014-12-17 11:28:17-0500 [Controller 7282] ApplicationError: ApplicationError('crossbar.error.cannot_listen', args = (u"ERROR: cannot listen on transport endpoint (Couldn't listen on any:443: [Errno 13] Permission denied.)",), kwargs = {})
2014-12-17 11:28:17-0500 [Controller 7282] Main loop terminated.

I’ve seen other recommendations to do port forwarding, which I may do if I can’t get this to work. Any ideas?

Thanks for any help!

Dave


#2

Did you set the caps on both the "crossbar" _and_ Python executables?

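Tobias's question is the whole diagnosis: the kernel reads file capabilities from the file it finally executes, and a pip-generated entry point such as /usr/local/bin/crossbar is a script with a "#!" line, so the capability on the script is inert and has to sit on the Python interpreter instead. The script below is an added example, not code from this thread or from Crossbar.io: it resolves the interpreter behind a wrapper script the way execve does, prints which file must carry cap_net_bind_service, and shows what that file currently has. It assumes a POSIX sh on Linux; getcap/setcap from libcap are optional, and the function names and the stand-in entry point are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread, not Crossbar.io code).
# File capabilities are read from the file the kernel finally execs. When the
# "program" is a script (a pip entry point such as /usr/local/bin/crossbar
# starts with "#!..."), that file is the interpreter named on the #! line, so
# cap_net_bind_service must sit on the Python binary, not on the script.
# Assumes POSIX sh on Linux; getcap/setcap (libcap) are optional here.

# resolve_interpreter PATH
# Prints the file the kernel will actually execute for PATH:
#   no "#!" line            -> PATH itself (a real binary)
#   "#!/usr/bin/env NAME"   -> NAME located on $PATH, as execvp would
#   "#!/abs/interp [args]"  -> /abs/interp
resolve_interpreter() {
    _target=$1
    _first=$(head -n 1 "$_target" 2>/dev/null)
    case $_first in
        '#!'*)
            set -f                      # no globbing while we split the line
            set -- ${_first#??}         # drop "#!", split into words
            set +f
            if [ "$1" = /usr/bin/env ]; then
                command -v "$2"
            else
                printf '%s\n' "$1"
            fi
            ;;
        *)
            printf '%s\n' "$_target"
            ;;
    esac
}

# cap_holder PATH
# Prints the canonical file that must carry cap_net_bind_service for PATH,
# following symlinks because capabilities live on the target inode.
cap_holder() {
    _real=$(resolve_interpreter "$1")
    readlink -f "$_real" 2>/dev/null || printf '%s\n' "$_real"
}

# report_bind_cap PATH
# Human-readable report: which file needs the capability and what it has now.
report_bind_cap() {
    _holder=$(cap_holder "$1")
    printf '%s -> capability must be on: %s\n' "$1" "$_holder"
    if command -v getcap >/dev/null 2>&1; then
        _caps=$(getcap "$_holder" 2>/dev/null)
        printf '  current file caps: %s\n' "${_caps:-(none)}"
    else
        printf '  getcap not installed; cannot read file capabilities\n'
    fi
}

# audit_file_caps
# Lists every file on the system carrying any file capability. Granting
# cap_net_bind_service to a shared interpreter gives it to every program that
# interpreter runs, for every user, so this list is worth reviewing regularly.
audit_file_caps() {
    command -v getcap >/dev/null 2>&1 || { echo 'getcap not installed' >&2; return 1; }
    getcap -r / 2>/dev/null
}

main() {
    _dir=$(mktemp -d)
    # Constructed stand-in for a pip-generated entry point; real ones carry
    # either "#!/usr/bin/env python" or an absolute "#!/usr/bin/python2.7".
    printf '#!/usr/bin/env sh\necho "stand-in for the crossbar entry point"\n' > "$_dir/crossbar"
    chmod 755 "$_dir/crossbar"
    report_bind_cap "$_dir/crossbar"
    rm -rf "$_dir"
}

main "$@"
```

Running this against the real entry point (report_bind_cap /usr/local/bin/crossbar) names the interpreter that needs setcap; the cost of doing so is that every Python program any user starts with that interpreter can then bind ports below 1024, which is why audit_file_caps is included for periodic review.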

#3

Ah, there was the confusion. The example on the site mentioned PyPy and so I had thought there was something unique to PyPy (as opposed to CPython) so I thought only PyPy needed to be setcap’d as well. My bad!

So, thanks, that got me past the port issue… unfortunately now I’ve discovered I can’t alter the PYTHONPATH or LD_LIBRARY_PATH env variables in the shell script in which the setcap’d Crossbar/Python executable runs.

http://stackoverflow.com/questions/9843178/linux-capabilities-setcap-seems-to-disable-ld-library-path

(This is only for running non-production, since for production all shared objects will be in /usr/local -type areas.)

Nevertheless, I’m seriously considering the alternative approach of port forwarding 443 to a non-priv port - seems like less hassle and less playing with system privs, since this is the only app wanting to run on secure HTTP/WS port 443. Although I’m all ears if anyone knows any pitfalls to this approach…

Thanks,

Dave


#4

> Ah, there was the confusion. The example on the site mentioned PyPy and
> so I had thought there was something unique to PyPy (as opposed to
> CPython) so I thought only PyPy needed to be setcap'd as well. My bad!
>
> So, thanks, that got me past the port issue... unfortunately now I've
> discovered I can't alter the PYTHONPATH or LD_LIBRARY_PATH env variables
> in the shell script in which the setcap'd Crossbar/Python executable runs.
>
> http://stackoverflow.com/questions/9843178/linux-capabilities-setcap-seems-to-disable-ld-library-path

Yes, this is braindead, but Linux specific. There are other ways to approach the issue (port <1024 daemons) on Linux ..

> (This is only for running non-production, since for production all
> shared objects will be in /usr/local -type areas.)
>
> Nevertheless, I'm seriously considering the alternative approach of port
> forwarding 443 to a non-priv port - seems like less hassle and less
> playing with system privs, since this is the only app wanting to run on
> secure HTTP/WS port 443. Although I'm all ears if anyone knows any
> pitfalls to this approach...

Putting a WebSocket/HTTP proxy in front to terminate TLS and/or serve static Web content is a valid option. Use a capable one, like Nginx (not Apache or crap).

/Tobias


#5

Hi Tobias,

Just FYI - I wound up using the Linux socat utility to forward port 443 traffic to port 8443. Worked the very first time!

socat tcp-listen:443,fork,reuseaddr tcp:localhost:8443

Dave

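Dave's socat line works because socat, started with the privilege to bind 443, does the privileged listen while Crossbar.io keeps running unprivileged on 8443. The pitfall Dave asked about: 8443 is still a listening socket, and unless Crossbar.io binds it to the loopback address (or a firewall blocks it) clients can skip the forwarder and connect to 8443 directly, so the forwarder adds nothing. The script below is an added example, not code from the thread, from Crossbar.io or from socat: it reads /proc/net/tcp directly (no ss or netstat needed), lists the IPv4 addresses on which a port is in LISTEN state, and only emits the forward command when the backend is loopback-only. The function names and the sample /proc/net/tcp snapshot are constructed for the example; the socat syntax is Dave's line plus socat's bind= address option so the listener itself is pinned to one interface. Whether the Crossbar.io endpoint can be told to bind 127.0.0.1 depends on its transport configuration (its TCP endpoint has an interface setting; treat that key as an assumption here).

```shell
#!/bin/sh
# Added example (not from the thread; not Crossbar.io or socat code).
# Before forwarding 443 -> 8443 with socat, confirm the backend port is
# reachable only via loopback, otherwise the forwarder is a bypassable front.
# Reads /proc/net/tcp directly so it works with plain POSIX sh on Linux.

# hex_to_ip HEX8
# /proc/net/tcp stores IPv4 addresses as 8 hex digits in host (little-endian)
# byte order: 0100007F is 127.0.0.1, 00000000 is 0.0.0.0 (all interfaces).
hex_to_ip() {
    _h=$1
    _b1=${_h%??????}; _t=${_h#??}
    _b2=${_t%????};   _t=${_t#??}
    _b3=${_t%??};     _b4=${_t#??}
    printf '%d.%d.%d.%d\n' "0x$_b4" "0x$_b3" "0x$_b2" "0x$_b1"
}

# listening_addrs PORT [FILE]
# Prints each IPv4 address on which PORT is in LISTEN state (st == 0A),
# read from FILE (default /proc/net/tcp).
listening_addrs() {
    _want=$(printf '%04X' "$1")
    _file=${2:-/proc/net/tcp}
    while read -r _sl _local _rem _st _rest; do
        [ "$_st" = 0A ] || continue                 # LISTEN sockets only
        [ "${_local#*:}" = "$_want" ] || continue   # local port matches
        hex_to_ip "${_local%:*}"
    done < "$_file"
}

# backend_is_loopback_only PORT [FILE]
# Succeeds only if PORT is listening and every listener is on 127.0.0.0/8.
# A 0.0.0.0 listener (or any other non-loopback address) fails the check.
backend_is_loopback_only() {
    _found=0
    for _ip in $(listening_addrs "$1" "$2"); do
        _found=1
        case $_ip in
            127.*) ;;
            *) return 1 ;;
        esac
    done
    [ "$_found" -eq 1 ]
}

# forward_cmd FRONT_PORT BACKEND_PORT [BIND_ADDR]
# The socat line from the thread, with the listener pinned to one address
# and the backend addressed explicitly as 127.0.0.1.
forward_cmd() {
    printf 'socat tcp-listen:%s,fork,reuseaddr,bind=%s tcp:127.0.0.1:%s\n' \
        "$1" "${3:-0.0.0.0}" "$2"
}

# write_sample_proc_net_tcp FILE
# Constructed /proc/net/tcp snapshot (not captured from a real host):
# 8443 (0x20FB) listening on 127.0.0.1 only, 8080 (0x1F90) listening on
# 0.0.0.0, plus one established connection (st 01) that must be ignored.
write_sample_proc_net_tcp() {
    cat > "$1" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:20FB 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:20FB 0100007F:C350 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1
EOF
}

main() {
    _sample=$(mktemp)
    write_sample_proc_net_tcp "$_sample"
    for _p in 8443 8080; do
        if backend_is_loopback_only "$_p" "$_sample"; then
            printf 'port %s is loopback-only; safe to front it with:\n  %s\n' "$_p" "$(forward_cmd 443 "$_p")"
        else
            printf 'port %s is not loopback-only (or not listening); fix the backend bind first\n' "$_p"
        fi
    done
    rm -f "$_sample"
}

main "$@"
```

On a live host, drop the FILE argument (backend_is_loopback_only 8443) to check the real /proc/net/tcp; the sample in main exists only so the script demonstrates both outcomes offline. The forwarder itself now needs the privilege for port 443, but that privilege is confined to one small, single-purpose process rather than to a system-wide interpreter.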