Re: How to change effective user id on Windows
Sent from my iPod

On Jan 7, 2010, 22:42, "Looijmans, Mike" wrote:

> The current configuration is correct in terms of security - the 'SYSTEM'
> user is a limited account that has no access to the desktop nor shared
> network resources.
>
> Be warned that running a service under other credentials than the system
> user is likely to lead to a less secure configuration, instead of improving.
>
> M.
>
> -Original Message-
> From: Amit Agarwal [mailto:ami@gmail.com]
> Sent: Thursday 07 January 2010 15:08
> To: users@tomcat.apache.org
> Subject: How to change effective user id on Windows
>
> Tomcat on Linux starts as root to bind to port 80, and then switches
> effective user id to nobody. Windows does not appear to have the concept
> of changing the effective user. The Tomcat service runs as local system on
> Windows. Need to change the user for Tomcat after binding to port 80.
>
> How can this be achieved?
>
> --
> Sent from Karnataka, India
>
> This message and attachment(s) are intended solely for use by the addressee
> and may contain information that is privileged, confidential or otherwise
> exempt from disclosure under applicable law. If you are not the intended
> recipient or agent thereof responsible for delivering this message to the
> intended recipient, you are hereby notified that any dissemination,
> distribution or copying of this communication is strictly prohibited. If
> you have received this communication in error, please notify the sender
> immediately by telephone and with a 'reply' message. Thank you for your
> co-operation.

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: How to change effective user id on Windows
2010/1/8 Amit Agarwal :
> How do we start Tomcat programmatically using the Bootstrap.start() API if
> we need to pass the user ?

You don't do it that way ;-).

By the time you start the Java virtual machine (JVM) that runs Tomcat, that
JVM must *already* be running as the user you want to use for Tomcat.

If you're running Tomcat as a service, then commons-daemon (procrun, renamed
to tomcat6w.exe, as Chuck points out in another thread) does exactly this.
It's a C program that wraps up the launch and management of the JVM. It makes
sure that the JVM is launched as whatever user is required.

If you're starting the JVM yourself, then you must make sure yourself that
whatever you use to launch Tomcat runs it as the correct user. This may be as
simple as logging in as that user and running a batch file.

- Peter
Re: How to change effective user id on Windows
How do we start Tomcat programmatically using the Bootstrap.start() API if we
need to pass the user ?

On Thu, Jan 7, 2010 at 8:30 PM, Peter Crowther wrote:
> 2010/1/7 Looijmans, Mike :
> > The current configuration is correct in terms of security - the 'SYSTEM'
> > user is a limited account that has no access to the desktop nor shared
> > network resources.
>
> Sorry to pick you up on this one, Mike, but I think you're thinking of
> Local*Service*, not Local*System*. LocalSystem has full
> administrative access to the local computer, including (for example)
> being able to write a rogue DLL to a spare directory, then amend the
> registry so that that DLL is loaded by every process that runs on the
> machine from this point onwards. Or create a new local account that
> *does* have desktop access and spawn a process running as that user.
> If you can compromise LocalSystem, you've got the machine.
>
> Windows' LocalSystem is very, very close to Unix's root. If you want
> a non-privileged account, use LocalService not LocalSystem. See, for
> example
> http://blogs.msdn.com/jmanning/archive/2008/04/06/localsystem-root-localservice-nobody.aspx
>
> - Peter

--
Sent from Karnataka, India
Re: How to change effective user id on Windows
2010/1/7 Looijmans, Mike :
> The current configuration is correct in terms of security - the 'SYSTEM'
> user is a limited account that has no access to the desktop nor shared
> network resources.

Sorry to pick you up on this one, Mike, but I think you're thinking of
Local*Service*, not Local*System*. LocalSystem has full administrative
access to the local computer, including (for example) being able to write a
rogue DLL to a spare directory, then amend the registry so that that DLL is
loaded by every process that runs on the machine from this point onwards. Or
create a new local account that *does* have desktop access and spawn a
process running as that user. If you can compromise LocalSystem, you've got
the machine.

Windows' LocalSystem is very, very close to Unix's root. If you want a
non-privileged account, use LocalService not LocalSystem. See, for example
http://blogs.msdn.com/jmanning/archive/2008/04/06/localsystem-root-localservice-nobody.aspx

- Peter
RE: How to change effective user id on Windows
The current configuration is correct in terms of security - the 'SYSTEM'
user is a limited account that has no access to the desktop nor shared
network resources.

Be warned that running a service under other credentials than the system
user is likely to lead to a less secure configuration, instead of improving.

M.

> -Original Message-
> From: Amit Agarwal [mailto:ami@gmail.com]
> Sent: Thursday 07 January 2010 15:08
> To: users@tomcat.apache.org
> Subject: How to change effective user id on Windows
>
> Tomcat on Linux starts as root to bind to port 80, and then
> switches effective user id to nobody. Windows does not appear
> to have the concept of changing the effective user. The Tomcat service
> runs as local system on Windows. Need to change the user
> for Tomcat after binding to port 80.
>
> How can this be achieved?
>
> --
>
> Sent from Karnataka, India
Re: How to change effective user id on Windows
Look at http://tomcat.apache.org/tomcat-5.5-doc/windows-service-howto.html
and see the --user parameter under command line parameters.

-- D

On Thu, Jan 7, 2010 at 2:07 PM, Amit Agarwal wrote:
> Tomcat on Linux starts as root to bind to
> port 80, and then switches effective user id to nobody. Windows does not
> appear to have the concept of changing the effective user. The Tomcat
> service runs as local system on Windows. Need to change the user for Tomcat
> after binding to port 80.
>
> How can this be achieved?
>
> --
>
> Sent from Karnataka, India
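Added example (not from any message in this thread) tying together the two practical points raised above: checking which account the Tomcat service actually runs under, and moving it from LocalSystem to the low-privilege LocalService account through procrun's service-update mode. The service name `Tomcat6`, the executable path and the use of procrun's `--ServiceUser` parameter are assumptions; adjust them for the installed version.

```powershell
# Added example, not code from the thread. Assumes the service is named
# "Tomcat6" and procrun's renamed executable sits at the path below.
$serviceName = 'Tomcat6'
$procrun     = 'C:\Program Files\Apache Software Foundation\Tomcat 6.0\bin\tomcat6.exe'

# 1. Audit: which account does the service currently log on as?
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'"
if (-not $svc) { throw "Service '$serviceName' not found" }
Write-Host ("{0} runs as: {1}" -f $svc.Name, $svc.StartName)

# Win32_Service reports the Local System account as "LocalSystem". Flag it:
# as Peter's message explains, this account is the Windows equivalent of root.
if ($svc.StartName -ieq 'LocalSystem') {
    Write-Warning "Service runs as LocalSystem; LocalService is the non-privileged choice."
}

# 2. Remediate: rewrite the service account with procrun's //US// (update)
#    mode. LocalService needs no password. Binding to port 80 still works,
#    because Windows does not restrict low ports to privileged accounts.
& $procrun "//US//$serviceName" --ServiceUser 'NT AUTHORITY\LocalService'

# 3. The new account must be able to write where Tomcat writes (logs, temp,
#    work), otherwise the service fails at startup. Grant modify rights on
#    those directories under the Tomcat home, derived from the exe path.
$tomcatHome = Split-Path (Split-Path $procrun)
foreach ($dir in 'logs', 'temp', 'work') {
    $path = Join-Path $tomcatHome $dir
    icacls $path /grant 'NT AUTHORITY\LocalService:(OI)(CI)M' | Out-Null
}

# 4. Restart and re-read the logon account to confirm the change took effect.
Restart-Service -Name $serviceName
(Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'").StartName
```

LocalService authenticates to the network as the anonymous user, so a deployment that relies on the service reaching shared network resources (Mike's caveat above) needs a dedicated low-privilege domain or local account instead, set with the same `--ServiceUser`/`--ServicePassword` pair.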
Re: How to change effective user id on Windows
2010/1/7 Amit Agarwal :
> Tomcat on Linux starts as root to bind to
> port 80, and then switches effective user id to nobody. Windows does not
> appear to have the concept of changing the effective user. The Tomcat
> service runs as local system on Windows. Need to change the user for Tomcat
> after binding to port 80.
>
> How can this be achieved?

Just start Tomcat as the non-system user on Windows. Windows does not
prevent any process binding to "privileged" ports.

- Peter