RE: Running Tomcat as non-root user
Hi Geoff,

As far as I know (and I did a fair bit of research on this topic), there is no way for any Java app to start as one user, then switch to running as another user.

What I do is run Tomcat on port 8080 as non-root, and use a firewall product to redirect port 80 -> 8080. This works fine.

I can't give you great details, as the firewall stuff was set up by a sysadmin (which I am not), but we use Solaris and I think the firewall is "ifconfig". I guess that Linux's ipchains or ipfilter or whatever can do the same job.

Regards,
Simon

-----Original Message-----
From: Geoff Lane [SMTP:[EMAIL PROTECTED]]
Sent: Monday, January 15, 2001 11:46 PM
To: [EMAIL PROTECTED]
Subject: Running Tomcat as non-root user

In the Tomcat UG under the heading 'Modify and Customize the Batch Files' it says one of the reasons to do so (modify start up scripts) would be:

"To switch user from root to some other user using the "su" UNIX command."

This is an excellent idea from a security standpoint. But to bind to port 80 (instead of the default high port 8080) root is needed. What many applications do (Apache, for example) is initially run as root, bind to port 80, and then drop root privileges. Is something like this possible with Tomcat running standalone?

Running concurrently with Apache would accomplish this because the AJP connection could be run as any user since it's on a high port.

Thanks.

-- 
Geoff Lane
[EMAIL PROTECTED]

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, email: [EMAIL PROTECTED]
Re: Running Tomcat as non-root user
Kitching -

Thanks for the response. I was afraid of that.

'ifconfig' is the utility that lets you see information about the network interfaces, not a firewall. :)

Do you run multiple machines with a firewall in front of them to do the redirection (w/ load balancing for example) or do you run the firewall on each machine individually? I asked our operations people about the same thing being done in our load balancer (F5/BigIP) - but apparently it can't be done there. Setting up a redirect on each machine could be a pain - not that I'd have to do it. :)

Thanks again.

-- 
Geoff Lane
[EMAIL PROTECTED]
(650) 969-5000 x104
RE: Running Tomcat as non-root user
You may be able to write yourself some native code to do the switcheroo for you, then use the Java calls to the native call. The code to do the user switch is readily available (though I have not searched for it now, I have seen it before, and it is also available from Apache subject to the ASL).

This, of course, makes you relatively platform-specific.
RE: Running Tomcat as non-root user
You could use EJBs or a mobile agent framework?
Re: Running Tomcat as non-root user
You could use Apache or Squid as a reverse proxy (web accelerator) to accept connections on port 80, then redirect to another port > 1024 via the proxy.

Bap.