Scott,
There is some JNI code to do this on OrionSupport - should be up soon.
Mike
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Scott M. Stirling
> Sent: Monday, January 08, 2001 11:44 AM
> To: Orion-Interest
> Subject: RE: orion on unix
>
>
> I was going to suggest something similar, which is to start up Orion as
> root and then have the process change UID to a non-root user, just like
> Apache. But starting the process as root is precisely the thing the
> user was trying to avoid.
>
> Throwing Apache in the front end is bound to decrease performance,
> versus using Orion's HTTP server. It's certainly the easiest (and a
> good portable one -- better than ipchains) solution, but I didn't
> mention it because it defeats the purpose of using Orion as the web server
> for performance.
>
> The security problems with running an app server as root can be dealt
> with by using Java policy files. I've written them for JRun in the
> past, to restrict access to just the directories, files and ports
> necessary. But running an app server is a risky proposition anyway.
> Even if it's not running as root it probably has access to all your
> business's critical data via database access and Web-based business
> transactions; people's credit card numbers, etc. These are much more
> valuable than the files on your file system.
>
> The real problem expressed by the original email is that regular
> restarts of the server are necessary. All Java app servers suffer from
> this in one place or another. Eventually, they'll all have to be able
> to dynamically reload configuration settings, and any class or
> component. Orion is already well on the way toward that goal with
> dynamic reload of ears, EJB jars, servlets, etc.
>
> A related problem is the distinction between development and production
> -- why can't each developer belong to the same group, have them all stop
> and start Orion on a port above 1024 for development purposes, and then
> deal with this port 80 problem when it's time to move to production? In
> most organizations I've dealt with, the developers aren't the ones
> stopping and starting the production server anyway.
>
> Scott Stirling
> West Newton, MA
>
> On 07 Jan 2001 13:44:34 -0800, Tony Wilson wrote:
> > The best way to get around this, I think, is to use apache as a front end
> > and connect Orion to it.
> > There is excellent documentation on how to do this on
> > www.orionsupport.com... when it comes up. I think it is one of the
> > featured links on the right-hand menu.
> >
> > Apache runs anywhere, pretty much.
> >
> > What you do is start up apache as root. Apache grabs whatever lower
> > numbered ports it needs (including 80) and then changes its user to
> > something else (usually 'nobody'). You change the configuration in
> > /etc/httpd/conf/httpd.conf (at least on linux) and then you can connect to
> > it using standard procedures supported by both apache and orion.
> >
> > The main benefit of this is that you can run jrun as whomever you would like
> > ('orion' is a good username) and you only have to worry about the file
> > permissions from that point on.
> >
> >
> > You DEFINITELY don't want to run orion, or any other Servlet Container as
> > root. The main reason is security. One of your developers could very
> > easily write a piece of code that would wipe out the entire hard drive, or
> > worse... and if anyone was able to hack in... all they would need to do is
> > write up a jsp file, and they have all the access they want.
> >
> > Anyway. The apache thing works for us. We are able to do a lot of things
> > with this. One example is Virtual hosting. Each developer is able to have
> > their own instance of orion, running on their own virtual IP address, on
> > their own code base and starting and stopping it on their own running as
> > their own user. Apache allows for this.
> >
> > Tony Wilson
>
>
>