Kitching - Thanks for the response. I was afraid of that.
'ifconfig' is the utility that lets you see information about the
network interfaces, not a firewall. :) Do you run multiple machines with
a firewall in front of them to do the redirection (w/ load balancing for
example) or do you run the firewall on each machine individually?

I asked our operations people about the same thing being done in our
load balancer (F5/BigIP) - but apparently it can't be done there.
Setting up a redirect on each machine could be a pain - not that I'd
have to do it. :)
Thanks again.

Kitching Simon wrote:
> 
> Hi Geoff,
> 
> As far as I know (and I did a fair bit of research on this
> topic), there is no way for any java app to start as one
> user, then switch to running as another user.
> 
> What I do is run tomcat on port 8080 as non-root, and
> use a firewall product to redirect port 80 -> 8080. This
> works fine.
> 
> I can't give you great details, as the firewall stuff was
> set up by a sysadmin (which I am not), but we use
> Solaris and I think the firewall is "ifconfig". I guess
> that Linux's ipchains or ipfilter or whatever can do the
> same job.
> 
> Regards,
> 
> Simon
> > -----Original Message-----
> > From: Geoff Lane [SMTP:[EMAIL PROTECTED]]
> > Sent: Monday, January 15, 2001 11:46 PM
> > To:   [EMAIL PROTECTED]
> > Subject:      Running Tomcat as non-root user
> >
> > In the Tomcat UG under the heading 'Modify and Customize the Batch
> > Files' it says one of the reasons to do so (modify start up scripts)
> > would be: "To switch user from root to some other user using the "su"
> > UNIX command."
> >
> > This is an excellent idea from a security standpoint. But to bind to
> > port 80 (instead of the default high port 8080) root is needed. The way
> > many applications do this (Apache, for example) is to initially run as root,
> > bind to port 80, and then drop root privileges. Is something like this
> > possible with Tomcat running standalone? Running concurrently with
> > Apache would accomplish this because the AJP connection could be run as
> > any user since it's on a high port.
> >
> > Thanks.
> >

-- 

Geoff Lane <[EMAIL PROTECTED]>
(650) 969-5000 x104
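The "bind to port 80 as root, then drop root" pattern that Geoff's original question attributes to Apache, written out as an added example (not code from this thread, from Tomcat or from Apache). The function names bind_listener and drop_privileges are made up for the illustration; the socket is bound while still privileged, then the supplementary groups, gid and uid are given up in that order, and the code checks that root cannot be regained before returning. This is the step a plain Java process cannot perform itself, which is why Simon's workaround is to keep Tomcat on 8080 and let the firewall redirect port 80.

```c
/* Added example: bind a privileged port, then drop privileges irrevocably.
 * Names bind_listener/drop_privileges are hypothetical. Run as root with
 * "./server 80 <uid> <gid>"; as an ordinary user it binds a high port and
 * "drops" to the caller's own uid/gid, which the kernel permits. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Bind and listen on a loopback TCP port (0 = any free port).
 * Returns the listening fd, or -1 with errno set. */
int bind_listener(unsigned short port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);

    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0 || listen(fd, 16) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Permanently switch to uid/gid. Order matters: supplementary groups and
 * the gid must be changed first, because once the uid is unprivileged the
 * process can no longer alter them. Returns 0 on success, -1 on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Only root may clear supplementary groups; an unprivileged caller
     * already has no way to pick them up, so skip the call in that case. */
    if (getuid() == 0 && setgroups(0, NULL) < 0)
        return -1;
    if (setgid(gid) < 0)
        return -1;
    if (setuid(uid) < 0)
        return -1;

    /* The drop must be irreversible: regaining root has to fail now. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    if (getuid() != uid || geteuid() != uid || getgid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    unsigned short port = argc > 1 ? (unsigned short)atoi(argv[1]) : 8080;
    uid_t uid = argc > 2 ? (uid_t)atoi(argv[2]) : getuid();
    gid_t gid = argc > 3 ? (gid_t)atoi(argv[3]) : getgid();

    /* 1. Bind while still privileged (needed for ports below 1024). */
    int fd = bind_listener(port);
    if (fd < 0) {
        perror("bind_listener");
        return 1;
    }
    /* 2. Drop privileges before touching any client data. */
    if (drop_privileges(uid, gid) < 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("listening on port %u, now running as uid %u\n",
           (unsigned)port, (unsigned)getuid());
    close(fd);
    return 0;
}
```

The bound socket stays usable after the drop because file descriptors, not the uid, carry the right to use it. The alternative Simon describes does the same job from outside the process: on Linux with iptables the equivalent of his Solaris setup is a NAT rule such as `iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080`, after which Tomcat never needs root at all.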
