Re: [OT] Running as user tomcat [authbind]

2018-02-26 Thread tomcat

Hi.

On 26.02.2018 15:59, Christopher Schultz wrote:


Coty and André,

On 2/23/18 6:58 PM, Coty Sutherland wrote:

Also see https://bz.apache.org/bugzilla/show_bug.cgi?id=60560 :)
I've been planning to push a solution for that, just haven't gotten
around to it yet.

On Fri, Feb 23, 2018 at 5:34 PM, André Warnier (tomcat)
 wrote:

On 23.02.2018 23:32, André Warnier (tomcat) wrote:


On 23.02.2018 18:52, Peter@Kreuser-Online wrote:


Hi Chris,




On 23.02.2018 at 18:36, Cheltenham, Chris wrote:

Hello All,

I am trying to run tomcat as a non root user.

It will start as the tomcat user but it will not bind to
connector 443 unless it starts as root.

Does anyone know why?



Unix will not let you open ports below 1024 as non-root
user!

You may use a proxy in front of it or maybe use iptables to
be able to use standard ports AND user tomcat.



See also :
https://commons.apache.org/proper/commons-daemon/jsvc.html



Or if you are running under Linux, check :
https://en.wikipedia.org/wiki/Authbind


I'm curious ... can authbind be used to *restrict* processes as well
as to grant them access? For example, let's say that I want Tomcat to
be able to bind to port 8080, it generally will be able to do that
unless some other process has bound already. But let's say I
specifically DO NOT want Tomcat to be able to bind to port 8443. Can I
use authbind to set a blacklist of ports, too? Or, can I blacklist
everything and set up a whitelist that contains only port 8080?



I don't really know the specifics of authbind, just that recent Debian Linux versions seem 
to automatically use it to run their pre-packaged Tomcat (I believe that previously, they 
used jsvc).

There is information available here :
https://manpages.debian.org/testing/authbind/authbind.1.en.html
which seems to indicate that it does indeed allow the kind of things which you mention 
above.
Should you not have access to a Linux Debian/Ubuntu system right now, I can also send you 
a sample /etc/init.d startup script for Tomcat (using authbind) (but presumably directly, 
as the list does not really like attachments)




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
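The question in this message is what authbind's control files actually express. The following is an added example, not code from the thread or from the authbind project: a small model of the /etc/authbind layout and of the decision its setuid helper makes, so the grant for port 443 can be written and checked without touching a real system. Two facts it relies on, both from the authbind man page: the preloaded library only intercepts bind() for ports below 1024 (IPPORT_RESERVED), passing everything else straight to the kernel, so authbind can grant 443 but cannot take 8443 away from a user who can already open it (a real deny list for high ports needs a mandatory access control such as the SELinux http_port_t whitelist mentioned later in the thread); and permission is granted if byport/PORT exists and is executable by the calling user, or if byuid/UID contains an addr/prefix:minport,maxport line covering the request. The root directory is a parameter (my assumption, so the code runs in a scratch directory as an ordinary user); on a real host it is /etc/authbind, and the group-execute handling is simplified to owner and other bits.

```python
"""Model of authbind's byport/byuid control files (added example, not authbind's code)."""
import ipaddress
import os
import pwd
import stat
import tempfile

IPPORT_RESERVED = 1024          # authbind only mediates ports below this


def is_mediated(port: int) -> bool:
    """True if authbind's helper is consulted for this port at all."""
    return 0 < port < IPPORT_RESERVED


def scratch_root() -> str:
    """A throw-away stand-in for /etc/authbind, so the demo needs no root."""
    return tempfile.mkdtemp(prefix="authbind-demo-")


def current_ids():
    return os.getuid(), os.getgid()


def allow_port(root: str, port: int, uid: int, gid: int) -> str:
    """Create byport/<port> owned by the service user with mode 0500.
    On a Debian host this is: touch, chown tomcat:tomcat, chmod 500."""
    if not is_mediated(port):
        raise ValueError(f"port {port} is not reserved; authbind would ignore this file")
    d = os.path.join(root, "byport")
    os.makedirs(d, exist_ok=True)
    path = os.path.join(d, str(port))
    open(path, "w").close()
    if os.geteuid() == 0:                        # chown needs root; skipped in a scratch run
        os.chown(path, uid, gid)
    os.chmod(path, stat.S_IRUSR | stat.S_IXUSR)  # 0500: only the owner may "execute" it
    return path


def allow_uid_range(root: str, uid: int, lo: int, hi: int, network: str = "0.0.0.0/0") -> str:
    """Append an addr/prefix:min,max line to byuid/<uid>."""
    d = os.path.join(root, "byuid")
    os.makedirs(d, exist_ok=True)
    path = os.path.join(d, str(uid))
    with open(path, "a") as f:
        f.write(f"{network}:{lo},{hi}\n")
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return path


def _executable_by(st: os.stat_result, uid: int) -> bool:
    """Approximate access(X_OK) for uid: owner bit if owned, else the 'other' bit
    (supplementary groups are ignored in this model)."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IXUSR)
    return bool(st.st_mode & stat.S_IXOTH)


def decide(root: str, port: int, uid: int, addr: str = "0.0.0.0") -> str:
    """What the helper would answer: 'unmediated' (kernel decides, port >= 1024),
    'byport', 'byuid', or 'denied'."""
    if not is_mediated(port):
        return "unmediated"
    try:
        if _executable_by(os.stat(os.path.join(root, "byport", str(port))), uid):
            return "byport"
    except FileNotFoundError:
        pass
    try:
        with open(os.path.join(root, "byuid", str(uid))) as f:
            for line in f:
                line = line.strip()
                if not line or line.startswith("#"):
                    continue
                network, rng = line.rsplit(":", 1)       # rsplit: IPv6 prefixes contain ':'
                lo, hi = (int(x) for x in rng.split(","))
                if (ipaddress.ip_address(addr) in ipaddress.ip_network(network, strict=False)
                        and lo <= port <= hi):
                    return "byuid"
    except FileNotFoundError:
        pass
    return "denied"


if __name__ == "__main__":
    root = scratch_root()
    uid, gid = current_ids()
    print("443 before:", decide(root, 443, uid))          # denied
    allow_port(root, 443, uid, gid)
    print("443 after: ", decide(root, 443, uid))          # byport
    print("8443:      ", decide(root, 8443, uid))         # unmediated: authbind never sees it
    print("user:      ", pwd.getpwuid(uid).pw_name, "root dir:", root)
```

On a Debian host the equivalent of allow_port(…, 443, …) is the byport/443 file that the packaged Tomcat init script relies on when it launches the JVM under authbind; the 'unmediated' answer for 8443 is why a byport-style deny list for high ports does not exist.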



Re: [OT] Running as user tomcat [authbind]

2018-02-26 Thread Coty Sutherland
On Mon, Feb 26, 2018 at 9:59 AM, Christopher Schultz
 wrote:
>
> Coty and André,
>
> On 2/23/18 6:58 PM, Coty Sutherland wrote:
>> Also see https://bz.apache.org/bugzilla/show_bug.cgi?id=60560 :)
>> I've been planning to push a solution for that, just haven't gotten
>> around to it yet.
>>
>> On Fri, Feb 23, 2018 at 5:34 PM, André Warnier (tomcat)
>>  wrote:
>>> On 23.02.2018 23:32, André Warnier (tomcat) wrote:

 On 23.02.2018 18:52, Peter@Kreuser-Online wrote:
>
> Hi Chris,
>
>
>
>> On 23.02.2018 at 18:36, Cheltenham, Chris wrote:
>>
>> Hello All,
>>
>> I am trying to run tomcat as a non root user.
>>
>> It will start as the tomcat user but it will not bind to
>> connector 443 unless it starts as root.
>>
>> Does anyone know why?
>
>
> Unix will not let you open ports below 1024 as non-root
> user!
>
> You may use a proxy in front of it or maybe use iptables to
> be able to use standard ports AND user tomcat.


 See also :
 https://commons.apache.org/proper/commons-daemon/jsvc.html
>>>
>>>
>>> Or if you are running under Linux, check :
>>> https://en.wikipedia.org/wiki/Authbind
>
> I'm curious ... can authbind be used to *restrict* processes as well
> as to grant them access? For example, let's say that I want Tomcat to
> be able to bind to port 8080, it generally will be able to do that
> unless some other process has bound already. But let's say I
> specifically DO NOT want Tomcat to be able to bind to port 8443. Can I
> use authbind to set a blacklist of ports, too? Or, can I blacklist
> everything and set up a whitelist that contains only port 8080?

I'm not sure about authbind, but selinux is effectively a whitelist
which only includes a handful of ports (in http_port_t)...assuming
that it's enabled.

>
> -chris




Re: [OT] Running as user tomcat [authbind]

2018-02-26 Thread Christopher Schultz

Coty and André,

On 2/23/18 6:58 PM, Coty Sutherland wrote:
> Also see https://bz.apache.org/bugzilla/show_bug.cgi?id=60560 :)
> I've been planning to push a solution for that, just haven't gotten
> around to it yet.
> 
> On Fri, Feb 23, 2018 at 5:34 PM, André Warnier (tomcat)
>  wrote:
>> On 23.02.2018 23:32, André Warnier (tomcat) wrote:
>>> 
>>> On 23.02.2018 18:52, Peter@Kreuser-Online wrote:
 
 Hi Chris,
 
 
 
> On 23.02.2018 at 18:36, Cheltenham, Chris wrote:
> 
> Hello All,
> 
> I am trying to run tomcat as a non root user.
> 
> It will start as the tomcat user but it will not bind to
> connector 443 unless it starts as root.
> 
> Does anyone know why?
 
 
 Unix will not let you open ports below 1024 as non-root
 user!
 
 You may use a proxy in front of it or maybe use iptables to
 be able to use standard ports AND user tomcat.
>>> 
>>> 
>>> See also :
>>> https://commons.apache.org/proper/commons-daemon/jsvc.html
>> 
>> 
>> Or if you are running under Linux, check : 
>> https://en.wikipedia.org/wiki/Authbind

I'm curious ... can authbind be used to *restrict* processes as well
as to grant them access? For example, let's say that I want Tomcat to
be able to bind to port 8080, it generally will be able to do that
unless some other process has bound already. But let's say I
specifically DO NOT want Tomcat to be able to bind to port 8443. Can I
use authbind to set a blacklist of ports, too? Or, can I blacklist
everything and set up a whitelist that contains only port 8080?

-chris



Re: Running as user tomcat

2018-02-23 Thread Coty Sutherland
Also see https://bz.apache.org/bugzilla/show_bug.cgi?id=60560 :) I've
been planning to push a solution for that, just haven't gotten around
to it yet.

On Fri, Feb 23, 2018 at 5:34 PM, André Warnier (tomcat)  wrote:
> On 23.02.2018 23:32, André Warnier (tomcat) wrote:
>>
>> On 23.02.2018 18:52, Peter@Kreuser-Online wrote:
>>>
>>> Hi Chris,
>>>
>>>
>>>
On 23.02.2018 at 18:36, Cheltenham, Chris wrote:

 Hello All,

 I am trying to run tomcat as a non root user.

 It will start as the tomcat user but it will not bind to connector 443
 unless it starts
 as root.

 Does anyone know why?
>>>
>>>
>>> Unix will not let you open ports below 1024 as non-root user!
>>>
>>> You may use a proxy in front of it or maybe use iptables to be able to
>>> use standard
>>> ports AND user tomcat.
>>
>>
>> See also : https://commons.apache.org/proper/commons-daemon/jsvc.html
>
>
> Or if you are running under Linux, check :
> https://en.wikipedia.org/wiki/Authbind
>
>
>
>>
>>>
 23-Feb-2018 09:14:59.140 SEVERE [main]
 org.apache.catalina.core.StandardService.initInternal Failed to
 initialize connector
 [Connector[HTTP/1.1-443]]
 org.apache.catalina.LifecycleException: Failed to initialize component
 [Connector[HTTP/1.1-443]]

 I’m using java 9.0.4 and Tomcat 8.5.28


 ===

 Thank You;

 Chris Cheltenham
 Technology Services
 The School District of Philadelphia

 Work # 215-400-5025
 Cell # 215-301-6571
>>>
>>>
>>> Best regards
>>>
>>> Peter
>>>
>>
>>



Re: Running as user tomcat

2018-02-23 Thread tomcat

On 23.02.2018 23:32, André Warnier (tomcat) wrote:

On 23.02.2018 18:52, Peter@Kreuser-Online wrote:

Hi Chris,




On 23.02.2018 at 18:36, Cheltenham, Chris wrote:

Hello All,

I am trying to run tomcat as a non root user.

It will start as the tomcat user but it will not bind to connector 443 unless 
it starts
as root.

Does anyone know why?


Unix will not let you open ports below 1024 as non-root user!

You may use a proxy in front of it or maybe use iptables to be able to use 
standard
ports AND user tomcat.


See also : https://commons.apache.org/proper/commons-daemon/jsvc.html


Or if you are running under Linux, check : 
https://en.wikipedia.org/wiki/Authbind







23-Feb-2018 09:14:59.140 SEVERE [main]
org.apache.catalina.core.StandardService.initInternal Failed to initialize 
connector
[Connector[HTTP/1.1-443]]
org.apache.catalina.LifecycleException: Failed to initialize component
[Connector[HTTP/1.1-443]]

I’m using java 9.0.4 and Tomcat 8.5.28


===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571


Best regards

Peter







Re: Running as user tomcat

2018-02-23 Thread tomcat

On 23.02.2018 18:52, Peter@Kreuser-Online wrote:

Hi Chris,




On 23.02.2018 at 18:36, Cheltenham, Chris wrote:

Hello All,

I am trying to run tomcat as a non root user.

It will start as the tomcat user but it will not bind to connector 443 unless 
it starts as root.

Does anyone know why?


Unix will not let you open ports below 1024 as non-root user!

You may use a proxy in front of it or maybe use iptables to be able to use 
standard ports AND user tomcat.


See also : https://commons.apache.org/proper/commons-daemon/jsvc.html




23-Feb-2018 09:14:59.140 SEVERE [main] 
org.apache.catalina.core.StandardService.initInternal Failed to initialize 
connector [Connector[HTTP/1.1-443]]
org.apache.catalina.LifecycleException: Failed to initialize component 
[Connector[HTTP/1.1-443]]

I’m using java 9.0.4 and Tomcat 8.5.28


===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571


Best regards

Peter







RE: Running as user tomcat

2018-02-23 Thread Cheltenham, Chris
YES! Thank you.

I forgot about that.



===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571


-Original Message-
From: Peter@Kreuser-Online [mailto:l...@kreuser.name]
Sent: Friday, February 23, 2018 12:53 PM
To: Tomcat Users List 
Subject: Re: Running as user tomcat

Hi Chris,



> On 23.02.2018 at 18:36, Cheltenham, Chris wrote:
>
> Hello All,
>
> I am trying to run tomcat as a non root user.
>
> It will start as the tomcat user but it will not bind to connector 443 
> unless it starts as root.
>
> Does anyone know why?

Unix will not let you open ports below 1024 as non-root user!

You may use a proxy in front of it or maybe use iptables to be able to use 
standard ports AND user tomcat.

> 23-Feb-2018 09:14:59.140 SEVERE [main] 
> org.apache.catalina.core.StandardService.initInternal Failed to initialize 
> connector [Connector[HTTP/1.1-443]]
> org.apache.catalina.LifecycleException: Failed to initialize component 
> [Connector[HTTP/1.1-443]]
>
> I’m using java 9.0.4 and Tomcat 8.5.28
>
>
> ===
>
> Thank You;
>
> Chris Cheltenham
> Technology Services
> The School District of Philadelphia
>
> Work # 215-400-5025
> Cell # 215-301-6571

Best regards

Peter




RE: Running as user tomcat

2018-02-23 Thread Caldarale, Charles R
> From: Peter@Kreuser-Online [mailto:l...@kreuser.name] 
> Subject: Re: Running as user tomcat

> On 23.02.2018 at 18:36, Cheltenham, Chris wrote:

> > I am trying to run tomcat as a non root user.
 
> > It will start as the tomcat user but it will not bind to connector 443
> > unless it starts as root.

> Unix will not let you open ports below 1024 as non-root user!

> You may use a proxy in front of it or maybe use iptables to be able to use
> standard ports AND user tomcat.

And definitely read the wiki entry about this, before doing anything else:
https://wiki.apache.org/tomcat/HowTo#How_to_run_Tomcat_without_root_privileges.3F

  - Chuck




Re: Running as user tomcat

2018-02-23 Thread Peter@Kreuser-Online
Hi Chris,



> On 23.02.2018 at 18:36, Cheltenham, Chris wrote:
> 
> Hello All,
>  
> I am trying to run tomcat as a non root user.
>  
> It will start as the tomcat user but it will not bind to connector 443 unless 
> it starts as root.
>  
> Does anyone know why?

Unix will not let you open ports below 1024 as non-root user!

You may use a proxy in front of it or maybe use iptables to be able to use 
standard ports AND user tomcat.

> 23-Feb-2018 09:14:59.140 SEVERE [main] 
> org.apache.catalina.core.StandardService.initInternal Failed to initialize 
> connector [Connector[HTTP/1.1-443]]
> org.apache.catalina.LifecycleException: Failed to initialize component 
> [Connector[HTTP/1.1-443]]
>  
> I’m using java 9.0.4 and Tomcat 8.5.28
>  
>  
> ===
> 
> Thank You;
> 
> Chris Cheltenham
> Technology Services
> The School District of Philadelphia
> 
> Work # 215-400-5025
> Cell # 215-301-6571

Best regards

Peter

Running as user tomcat

2018-02-23 Thread Cheltenham, Chris


Hello All,

 

I am trying to run tomcat as a non root user.

 

It will start as the tomcat user but it will not bind to connector 443
unless it starts as root.

 

Does anyone know why?

 

23-Feb-2018 09:14:59.140 SEVERE [main] org.apache.catalina.core.StandardService.initInternal Failed to initialize connector [Connector[HTTP/1.1-443]]

org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-443]]

 

I'm using java 9.0.4 and Tomcat 8.5.28

 

 

===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571
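The LifecycleException in the post above is Tomcat wrapping a plain EACCES from bind(): an unprivileged process asked for a port below 1024. The following is an added example, not code from the thread or from Tomcat, jsvc or the JDK: it reproduces that refusal, maps it to the three escapes the replies name (jsvc or authbind, a proxy, or an iptables redirect), and shows the pattern jsvc itself uses, which is to bind the listening socket while still root and then switch to the service user before serving, since an already-bound socket survives the uid change. Assumptions of mine: the service account is called tomcat, the demo binds on 127.0.0.1, and drop_privileges() is a no-op when the process is not root.

```python
"""Reserved-port bind failure and the bind-then-drop pattern (added example)."""
import errno
import os
import pwd
import socket

IPPORT_RESERVED = 1024   # below this the kernel requires root (CAP_NET_BIND_SERVICE on Linux)
EACCES = errno.EACCES


def try_bind(port: int, host: str = "127.0.0.1"):
    """Attempt a TCP bind. Returns ('ok', socket), ('denied', errno) or ('error', errno)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    try:
        s.bind((host, port))
        return "ok", s
    except PermissionError as e:       # EACCES: reserved port, no privilege
        s.close()
        return "denied", e.errno
    except OSError as e:               # e.g. EADDRINUSE: another process already has it
        s.close()
        return "error", e.errno


def explain(port: int, state: str, err: int = 0) -> str:
    """Turn a try_bind() result into the advice given in the thread."""
    if state == "ok":
        return f"port {port} bound"
    if state == "denied" and err == EACCES and port < IPPORT_RESERVED:
        return (f"port {port} is reserved: start under jsvc or authbind, put a proxy "
                f"in front, or redirect with: iptables -t nat -A PREROUTING -p tcp "
                f"--dport {port} -j REDIRECT --to-port 8443")
    return f"port {port}: {os.strerror(err)}"


def running_as_root() -> bool:
    return os.geteuid() == 0


def current_user() -> str:
    return pwd.getpwuid(os.getuid()).pw_name


def drop_privileges(user: str = "tomcat") -> int:
    """Permanently switch to the service user and return the resulting euid.
    Order matters: clear supplementary groups and set the gid first, the uid
    last, because after setuid() the process can no longer change its groups."""
    if not running_as_root():
        return os.geteuid()            # nothing to drop (demo run as a normal user)
    pw = pwd.getpwnam(user)
    os.setgroups([])
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)
    if os.geteuid() == 0:
        raise RuntimeError("privilege drop failed; refusing to serve as root")
    return os.geteuid()


def bind_then_drop(port: int, user: str = "tomcat"):
    """What jsvc does for Tomcat: bind while privileged, drop, then listen.
    Returns (listening socket, euid the request handlers will run as)."""
    state, result = try_bind(port)
    if state != "ok":
        raise OSError(result, explain(port, state, result))
    sock = result
    euid = drop_privileges(user)       # the bound socket is kept across setuid()
    sock.listen(16)
    return sock, euid


if __name__ == "__main__":
    state, res = try_bind(443)         # as a normal user this is Chris's failure
    if state == "ok":
        print(explain(443, state))
        res.close()
    else:
        print(explain(443, state, res))
```

Run it as the tomcat user to see the "reserved" message; run it as root and the bind succeeds, which is exactly why starting Tomcat as root hid the problem. The iptables line in explain() works for traffic arriving from other hosts (PREROUTING); connections from the machine itself would need the same rule in the OUTPUT chain.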