RE: Starting and stopping Tomcat as non-root

2002-09-06 Thread Javier Rodriguez

Try redirecting port 80 to Tomcat's defaults:
http://jetty.mortbay.org/jetty/doc/User80.html

-Original Message-
From: Joe Tomcat [mailto:[EMAIL PROTECTED]]
Sent: Friday, 06 September 2002 7:39
To: Tomcat Users List
Subject: Starting and stopping Tomcat as non-root


I am running Tomcat on port 80 (not using Apache) on Redhat 7.3.
Obviously, Tomcat needs to be root to listen on port 80.  Therefore, to
start it or stop it, I need to do that as root.  The problem is that I
want to use ant tasks to start and stop it.  I can easily have ant tasks
which execute startup.sh and shutdown.sh, but then I have to run ant,
and therefore do all my development, as root, something which I
definitely do not want to do.

Unfortunately Linux doesn't let me make shell scripts setuid, so how do
I do this?  I realize that setuid scripts are a security hole, but there
are no untrusted users on this machine (I'm the only user) so it doesn't
matter.

Alternatively, is there a way to make Linux so that it lets any user
bind to any port?  This "must be root to bind to low ports" is the most
idiotic security measure in all of Unix land and has resulted in more
break-ins over the years than any other single thing.  Can I turn it off?

Thanks!




--
To unsubscribe, e-mail:
mailto:[EMAIL PROTECTED]
For additional commands, e-mail:
mailto:[EMAIL PROTECTED]






RE: Starting and stopping Tomcat as non-root

2002-09-06 Thread Turner, John


Wow.  Not to start a debate, but that's the silliest statement I've seen in
a while.

If you don't like how it works, change it.  You have the source.

John

 -Original Message-
 From: Joe Tomcat [mailto:[EMAIL PROTECTED]]
 Sent: Friday, September 06, 2002 1:39 AM
 To: Tomcat Users List
 Subject: Starting and stopping Tomcat as non-root
 
 
 Alternatively, is there a way to make Linux so that it lets any user
 bind to any port?  This "must be root to bind to low ports" is the most
 idiotic security measure in all of Unix land and has resulted in more
 break-ins over the years than any other single thing.  Can I turn it off?
 





RE: Starting and stopping Tomcat as non-root

2002-09-06 Thread Sexton, George

Lately, I have been thinking of writing a JNI library to call setuid() and
setgid() to change the effective user ID and group ID of the process after
it starts.

I'm not sure how this would affect the various startup and shutdown scripts,
but it would be interesting from a security standpoint.


-Original Message-
From: Joe Tomcat [mailto:[EMAIL PROTECTED]]
Sent: 05 September, 2002 11:39 PM
To: Tomcat Users List
Subject: Starting and stopping Tomcat as non-root


I am running Tomcat on port 80 (not using Apache) on Redhat 7.3.
Obviously, Tomcat needs to be root to listen on port 80.  Therefore, to
start it or stop it, I need to do that as root.  The problem is that I
want to use ant tasks to start and stop it.  I can easily have ant tasks
which execute startup.sh and shutdown.sh, but then I have to run ant,
and therefore do all my development, as root, something which I
definitely do not want to do.

Unfortunately Linux doesn't let me make shell scripts setuid, so how do
I do this?  I realize that setuid scripts are a security hole, but there
are no untrusted users on this machine (I'm the only user) so it doesn't
matter.

Alternatively, is there a way to make Linux so that it lets any user
bind to any port?  This "must be root to bind to low ports" is the most
idiotic security measure in all of Unix land and has resulted in more
break-ins over the years than any other single thing.  Can I turn it off?

Thanks!






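George's idea of changing the process's user and group after it starts is the classic privilege-drop pattern; the following is an added C example (not from the thread and not Tomcat or JNI code) that binds the listener while still root, then drops to an unprivileged uid/gid supplied on the command line and verifies that root cannot be regained. The order (supplementary groups, then gid, then uid) matters: once the uid is given up, the group calls would fail.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind and listen on a TCP port on the loopback address.
   Ports below 1024 require root (or CAP_NET_BIND_SERVICE) at bind() time. */
int open_listener(unsigned short port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;  /* the bound socket survives the privilege drop */
}

/* Permanently drop to uid/gid. Returns 0 on success, -1 on failure.
   Clearing supplementary groups needs root, so it is only attempted as root. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) < 0) return -1;
    if (setgid(gid) < 0) return -1;   /* gid before uid: setgid needs privilege */
    if (setuid(uid) < 0) return -1;   /* setuid (not seteuid) drops all three uids */
    /* Verify the drop is real and irreversible: regaining root must fail. */
    if (uid != 0 && (setuid(0) == 0 || geteuid() != uid || getegid() != gid)) return -1;
    return 0;
}

int main(int argc, char **argv) {
    /* Usage (assumed invocation): sudo ./drop 80 <uid> <gid>  e.g. the nobody account */
    if (argc != 4) { fprintf(stderr, "usage: %s port uid gid\n", argv[0]); return 2; }
    int fd = open_listener((unsigned short)atoi(argv[1]));
    if (fd < 0) { perror("listen"); return 1; }
    if (drop_privileges((uid_t)atoi(argv[2]), (gid_t)atoi(argv[3])) < 0) { perror("drop"); return 1; }
    printf("listening on fd %d as euid=%d egid=%d\n", fd, (int)geteuid(), (int)getegid());
    return 0;
}
```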




Re: Starting and stopping Tomcat as non-root

2002-09-06 Thread Ben Souther

How would not allowing non-root users to bind to ports below 1024 result in
break-ins?
The only way I could see that happening is if a lazy Unix admin just ran
everything as root.
In that case, you certainly can't blame the OS.

- Original Message -
From: Turner, John [EMAIL PROTECTED]
To: 'Tomcat Users List' [EMAIL PROTECTED]
Sent: Friday, September 06, 2002 8:50 AM
Subject: RE: Starting and stopping Tomcat as non-root



 Wow.  Not to start a debate, but that's the silliest statement I've seen in
 a while.

 If you don't like how it works, change it.  You have the source.

 John

  -Original Message-
  From: Joe Tomcat [mailto:[EMAIL PROTECTED]]
  Sent: Friday, September 06, 2002 1:39 AM
  To: Tomcat Users List
  Subject: Starting and stopping Tomcat as non-root
 
 
  Alternatively, is there a way to make Linux so that it lets any user
  bind to any port?  This "must be root to bind to low ports" is the most
  idiotic security measure in all of Unix land and has resulted in more
  break-ins over the years than any other single thing.  Can I turn it off?
 








RE: Starting and stopping Tomcat as non-root

2002-09-06 Thread Turner, John


I agree, it would be an interesting project.  I don't think the startup and
shutdown scripts would be affected all that much at all.  I'm running all of
my Tomcat instances as a non-root user.  As long as the directory
permissions (work directory, etc) are OK, there shouldn't be any issues
running non-root.

It certainly would increase the number of people running Tomcat stand-alone,
instead of with Apache. My stuff could probably do without Apache, but I
won't run anything on port 80 that runs as root.

John

 -Original Message-
 From: Sexton, George [mailto:[EMAIL PROTECTED]]
 Sent: Friday, September 06, 2002 9:03 AM
 To: Tomcat Users List
 Subject: RE: Starting and stopping Tomcat as non-root
 
 
 Lately, I have been thinking of writing a JNI library to call 
 setuid() and
 setgid() to change the effective user ID and group ID of the 
 process after
 it starts.
 
 I'm not sure how this would affect the various startup and 
 shutdown scripts,
 but it would be interesting from a security standpoint.
 
 





re: Starting and stopping Tomcat as non-root

2002-09-06 Thread Michael E. Locasto


Alternatively, is there a way to make Linux so that it lets any user bind
to any port?

So you don't mind one of your machine's users (or a cracker who has
guessed a bad password) installing their own little fake webserver on port
80 that does {pick your poison}?

The practice of allowing only root to bind below 1024 is a convention, not
a requirement, and although some badly implemented software (e.g. sendmail)
has resulted in bad things, you can gain a certain amount of trust with
a machine that requires root privileges to run software on certain
ports. Whether or not you actually trust the root user and the machine is
a different story ;)

Like John said, you can change the source or use an OS that doesn't care
what you do below 1024.

Cheers,
Michael






Starting and stopping Tomcat as non-root

2002-09-05 Thread Joe Tomcat

I am running Tomcat on port 80 (not using Apache) on Redhat 7.3. 
Obviously, Tomcat needs to be root to listen on port 80.  Therefore, to
start it or stop it, I need to do that as root.  The problem is that I
want to use ant tasks to start and stop it.  I can easily have ant tasks
which execute startup.sh and shutdown.sh, but then I have to run ant,
and therefore do all my development, as root, something which I
definitely do not want to do.

Unfortunately Linux doesn't let me make shell scripts setuid, so how do
I do this?  I realize that setuid scripts are a security hole, but there
are no untrusted users on this machine (I'm the only user) so it doesn't
matter.

Alternatively, is there a way to make Linux so that it lets any user
bind to any port?  This "must be root to bind to low ports" is the most
idiotic security measure in all of Unix land and has resulted in more
break-ins over the years than any other single thing.  Can I turn it off?

Thanks!



