Thank you for your comment. However, I think you gave a good practical workaround for now, when the kernel is not there yet. But that also means many developers still have to search for a solution. I think kernel developers should think about this issue, and also similar issues, and come up with a good one. I don't think anyone needs to hack into it if they are not an expert in the kernel yet. For now, I think using redirect and taking your advice is the right thing to do. I only want to say that the problem is in the kernel team, and they should fix that in the future. Note that I haven't developed any kernel. My suggestion is not the best, but hey, that means there's a better one out there, and I hope it'll make it into the next release (too bad, 2.6 features are already frozen :-).

On Fri, 6 Dec 2002, Turner, John wrote:

> There is already a process and there are several tools for delegating
> superuser access to a non-superuser account in specific circumstances, and
> protecting against misuse of same. Research things like the sudo tool,
> chroot jails, etc. Makes much more sense to me than hacking around in the
> kernel.
>
> John
>
> > -----Original Message-----
> > From: Vy Ho [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, December 06, 2002 11:12 AM
> > To: Tomcat Users List
> > Subject: RE: Why run tomcat as root
> >
> > Very good point, but what if the administrator him/herself grants this
> > access to this particular user? Linux and Unix are all about flexibility,
> > right? Yes, the kernel would have to be changed. But I thought I already
> > have that, and if it's not, then it's worth a change, versus thousands and
> > thousands of developers having to work around it (take it millions).
> >
> > On Thu, 5 Dec 2002, Turner, John wrote:
> >
> > > Switching UNIX/Linux to allow non-privileged users to bind to privileged
> > > ports would require fairly major modifications to the kernel. There's no
> > > runtime parameter that can be set to magically allow regular user accounts
> > > to bind to a privileged port.
> > >
> > > Let's remember that the privileged port restriction is there for a reason, a
> > > very valid reason. Would you really want just any user on your server to be
> > > able to install a homegrown listener on port 80? I sure wouldn't...the
> > > potential for malicious use is huge. Imagine somebody getting a regular
> > > user account on one of Amazon.com's web servers in their web server farm,
> > > then installing a "web server" on port 80 (or 443) that would simply look
> > > for traffic starting with "3", "4" or "5" (first digits for valid credit
> > > cards) and copy the traffic to an external location.
> > >
> > > Sometimes it helps to consider the bigger picture. The people who wrote
> > > UNIX weren't stupid. They did things for a reason. Sometimes the reason
> > > seems silly, sometimes it seems outdated, but after review, it usually makes
> > > perfect sense. Linus and the rest of the Linux hackers could have easily
> > > changed this when they wrote the first Linux kernel, but they didn't. So,
> > > you've got two LARGE groups of people over a combined span of about 45 years
> > > (30+ for UNIX, 10 or so for Linux) choosing to make ports less than 1024
> > > privileged. That's good enough for me...I'll devote my efforts to something
> > > else rather than trying to circumvent something that's so obviously there
> > > for good reason.
> > >
> > > John
> > >
> > > > -----Original Message-----
> > > > From: Vy Ho [mailto:[EMAIL PROTECTED]]
> > > > Sent: Thursday, December 05, 2002 3:48 PM
> > > > To: Tomcat Users List
> > > > Subject: RE: Why run tomcat as root
> > > >
> > > > Can a Unix admin configure his OS to let a normal app run on port 80? I say
> > > > this because Unix is very configurable. Why do you have to do so much coding
> > > > just to access port 80, why not just look at it a different way?

--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>