Re: Running Tomcat as Non-Root under Linux listen for port 80
NoKideen wrote:
> Is there anybody who knows how to do this? Running Tomcat as Non-Root under Linux listen for port 80

Ask your Linux admin to disable the privileged port nonsense, which only has value on a multiaccess server, and which always undermines security by unnecessarily encouraging running server processes as root when they would be safer (e.g. if/when exploits are found) run as non-privileged users.

Example iptables rules which achieve port redirection:

/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d 222.123.197.100 --dport 80 -j DNAT --to 222.123.197.100:8080
/sbin/iptables -A FORWARD -p tcp -i eth0 -d 222.123.197.100 --dport 8080 -j ACCEPT

Paul Singleton

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: Running Tomcat as Non-Root under Linux listen for port 80
NoKideen wrote:
> Is there anybody who knows how to do this? Running Tomcat as Non-Root under Linux listen for port 80

Google is your friend: http://www.google.com/search?q=linux+port+80+non-root
Running Tomcat as Non-Root under Linux listen for port 80
Is there anybody who knows how to do this? Running Tomcat as Non-Root under Linux listen for port 80

I'd try as tomcat, but there is an error even if I do

# chown -R tomcat:root /usr/tomcat/*
RE: Running Tomcat as Non-Root under Linux listen for port 80
From: NoKideen [mailto:[EMAIL PROTECTED]
Subject: Running Tomcat as Non-Root under Linux listen for port 80
> Is there anybody who knows how to do this?

Use the port redirection facilities in Linux (the details vary depending on your kernel, but ipchains or iptables is a good place to start if I recall) to forward all requests that come in on port 80 to port 8080. That way, Linux can run as a non-root user but still see requests arriving on port 80.

- Peter
RE: Running Tomcat as Non-Root under Linux listen for port 80
From: Peter Crowther
> That way, Linux can run as a non-root user but still see requests arriving on port 80.

Sorry. Brain fade. Replace 'Linux' with 'Tomcat' in the above.

- Peter
Re: Running Tomcat as Non-Root under Linux listen for port 80
Use jsvc.

----- Original Message -----
From: NoKideen [EMAIL PROTECTED]
To: tomcat-user@jakarta.apache.org
Sent: Tuesday, September 27, 2005 6:13 PM
Subject: Running Tomcat as Non-Root under Linux listen for port 80
Re: Running Tomcat as Non-Root under Linux listen for port 80
NoKideen said:
> Is there anybody who knows how to do this? Running Tomcat as Non-Root under Linux listen for port 80

80 is a privileged port (< 1024) and you need root rights to bind to a privileged port. If the problem is that you don't have access to root, ask the admin to implement sudo.

Joost
RE: Running Tomcat as Non-Root under Linux listen for port 80
Create a normal user $TOMCAT_USER

/bin/su $TOMCAT_USER -- $CATALINA_HOME/bin/startup.sh

Owner is root, group is $TOMCAT_USER.

-----Original Message-----
From: NoKideen [mailto:[EMAIL PROTECTED]
Sent: September 27, 2005 12:14 PM
To: tomcat-user@jakarta.apache.org
Subject: Running Tomcat as Non-Root under Linux listen for port 80
Re: Running Tomcat as Non-Root under Linux listen for port 80
a.k.a. Commons-Daemon (http://jakarta.apache.org/commons/daemon/)

Works beautifully.

--David

Andrés Glez. wrote:
> Use jsvc.
Re: Running Tomcat as Non-Root under Linux listen for port 80
On Tue, 27 Sep 2005, Joost de Heer wrote:
> 80 is a privileged port (< 1024) and you need root rights to bind to a privileged port. If the problem is that you don't have access to root, ask the admin to implement sudo.

Here's a guide on how to set it up. http://www.mythic-beasts.com/support/topic_vds_java.html

Pete

--
Pete Stevens [EMAIL PROTECTED] http://www.ex-parrot.com/~pete/
They may not have invented corruption in NYC, but they have tried to perfect it. -- seen on the internet
RE: Re[2]: Running Tomcat as Non-Root
No, this shouldn't be a problem if you setup tomcat correctly. http://jakarta.apache.org/tomcat/tomcat-4.1-doc/proxy-howto.html (Note: I haven't tried it on my own)

Most documentation that I found about the configuration of tomcat for running as non root on port < 1024 are missing this point:
http://www-106.ibm.com/developerworks/java/library/l-secjav.htm
http://www.klawitter.de/tomcat80.html

Here is one in German that includes this topic: http://3plus4software.de/news/20020617.html (Even without understanding German, you should be able to find the relevant information)

-----Original Message-----
From: Anton Tagunov [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 24, 2003 7:45 AM
To: Tomcat Users List
Subject: Re[2]: Running Tomcat as Non-Root

> Hmm.., but won't this make the request.getRequestURI() and alike create incorrect URLs, like http://smth.smth.smth:8080/aaa/b.jsp instead of http://smth.smth.smth:80/aaa/b.jsp or http://smth.smth.smth/aaa/b.jsp ? This might be a big problem!
Re[2]: Running Tomcat as Non-Root
Hello Ralph!

RE> You can run a java service on ports < 1024 without being root with
RE> portmappers, proxies, iptables and several other tools

Hmm.., but won't this make the request.getRequestURI() and alike create incorrect URLs, like http://smth.smth.smth:8080/aaa/b.jsp instead of http://smth.smth.smth:80/aaa/b.jsp or http://smth.smth.smth/aaa/b.jsp ? This might be a big problem!

-Anton
RE: Running Tomcat as Non-Root
I don't see any need for this. You can run a java service on ports < 1024 without being root with portmappers, proxies, iptables and several other tools, that let sysadmins open well defined holes without compromising the security.

In the long term I would like to see ACLs in the OS, that define something like 'Allow binary y that is started by user x to bind to port z'

-----Original Message-----
From: Lawrence, Gabriel [mailto:[EMAIL PROTECTED]
Sent: Friday, July 18, 2003 11:13 PM
To: Tomcat Users List
Subject: RE: Running Tomcat as Non-Root

> It's a java problem as the OSes that block access to < 1024 ports give native code APIs to open these ports and then lose the root privs. Java should allow those of us who are interested in running java services to have the option to take advantage of this.
Re[2]: Running Tomcat as Non-Root
Hello Gabriel!

LG> So I'm going to take that as a no. No one has bothered to pester sun
LG> about this.
LG> So I realize that its possible that you could only drop privs down to a
LG> single user in the vm, but gee wouldn't that be hugely better than what
LG> we have today, where if I want to run < 1024 I have to run as superuser?
LG> Surely you can see the benefit.

1) Looks there might be some sense in such an API.
2) On the other hand we go somewhat OS specific here - only *nix-es, don't we?
3) In fact we do not strictly have to ask Sun for this, we can do it with JNI. Would be interested to see how jakarta-commons-sandbox/daemon do it.
4) I would vote for such feature request at Sun. Go ahead add it!

-Anton
Re: Running Tomcat as Non-Root
On Friday 18 July 2003 23:07 John Turner wrote:
> Because then ANYONE with a user account could bind a service to those ports.

... unless there are proper access privileges on ports as on files.

I consider the start-as-root pattern as a hack (not a bad one though ;-)

With kind regards
Holger Klawitter
--
lists at klawitter dot de
Re: Running Tomcat as Non-Root
>> Because then ANYONE with a user account could bind a service to those ports.
> ... unless there are proper access privileges on ports as on files.
> I consider the start-as-root pattern as a hack (not a bad one though ;-)

I was going to let a sleeping dog lie, but that's exactly what I think. This is not a Java bug. This should be an operating system configuration issue.

Lukas
Running Tomcat as Non-Root
Is it possible to run Tomcat as a non-root user, with root as the owner of the entire Tomcat directory structure and grant file/directory permissions to the non-root account? Please advise.
RE: Running Tomcat as Non-Root
Howdy,

Are you running on a unix OS? If so, root is normally required if you want to run on a port < 1024. There are workarounds, but they vary in complexity and portability, and none are that good at this point. If you're running on a port higher than 1024, then you don't need to run as root at all.

Yoav Shapira
Millennium ChemInformatics

-----Original Message-----
From: Latesha Williams [mailto:[EMAIL PROTECTED]
Sent: Friday, July 18, 2003 3:55 PM
To: Tomcat Users List
Subject: Running Tomcat as Non-Root

This e-mail, including any attachments, is a confidential business communication, and may contain information that is confidential, proprietary and/or privileged. This e-mail is intended only for the individual(s) to whom it is addressed, and may not be saved, copied, printed, disclosed or used by anyone else. If you are not the(an) intended recipient, please immediately delete this e-mail from your computer system and notify the sender. Thank you.
RE: Running Tomcat as Non-Root
Has anyone submitted a request to get dropping privs into the JDK? Or escalating privs to grab one of these ports and then dropping them again? As I see this request over and over again on this list I think there is a large number of people who would like to see it or would vote for it in the java bug parade. It also seems rather important for running a secure service to manage the privs. I know I could use a security manager/policy to restrict what can happen, but this doesn't restrict native libraries loaded into the process and requires more work on our part than just allowing the JDK to lose its privs...

-gabe

-----Original Message-----
From: Shapira, Yoav [mailto:[EMAIL PROTECTED]
Sent: Friday, July 18, 2003 12:58 PM
To: Tomcat Users List
Subject: RE: Running Tomcat as Non-Root
RE: Running Tomcat as Non-Root
Howdy,

Huh??? Have you looked at java.security.AccessController#doPrivileged() ? The issue is that port binding is a native operation and there's no bridge between the JDK java.security.Principal and the native user credentials needed to open the port.

Yoav Shapira
Millennium ChemInformatics

-----Original Message-----
From: Lawrence, Gabriel [mailto:[EMAIL PROTECTED]
Sent: Friday, July 18, 2003 4:06 PM
To: Tomcat Users List
Subject: RE: Running Tomcat as Non-Root
RE: Running Tomcat as Non-Root
Right. I'm saying has anyone looked into submitting something to sun asking them to make it possible to start up a process as root and then drop down to another user like most native services do? I want that bridge between native user credentials and capabilities, and the ability to switch which native user I'm running on (assuming the user I'm running with has that capability.) This is missing in Java.

-gabe

-----Original Message-----
From: Shapira, Yoav [mailto:[EMAIL PROTECTED]
Sent: Friday, July 18, 2003 1:21 PM
To: Tomcat Users List
Subject: RE: Running Tomcat as Non-Root
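The "start as root, bind the privileged port, then become another user" pattern that this message asks for (and that jsvc does in native code) looks like this in C. This is an added example, not code from the thread or from Commons-Daemon; it assumes a service account named "nobody" and binds to loopback only. The parts that usually go wrong are the order of the calls (groups and gid before uid) and skipping the check that root really cannot be regained afterwards.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* On Linux, ports below 1024 need root (or CAP_NET_BIND_SERVICE) to bind. */
int is_privileged_port(int port)
{
    return port > 0 && port < 1024;
}

/* Create a listening TCP socket on 127.0.0.1:port (port 0 = kernel-chosen).
 * For a privileged port this must run while the process is still root.
 * Returns the socket fd, or -1 with errno set. */
int bind_listener(unsigned short port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);

    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) != 0 || listen(fd, 16) != 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Port the listener actually got (needed when port 0 was requested). */
int bound_port(int fd)
{
    struct sockaddr_in addr;
    socklen_t len = sizeof addr;
    if (getsockname(fd, (struct sockaddr *)&addr, &len) != 0)
        return -1;
    return ntohs(addr.sin_port);
}

/* Permanently switch to an unprivileged uid/gid. Supplementary groups and
 * the gid go first: once the uid is non-zero the process can no longer
 * change its groups. Returns 0 only if the switch happened AND root cannot
 * be regained. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return -1;                      /* "dropping" to root is not a drop */
    if (getuid() == 0 && setgroups(0, NULL) != 0)
        return -1;                      /* clear root's supplementary groups */
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* setuid(2) as root sets real, effective and saved ids, so a genuine
     * drop means these must now fail and all ids must equal the target. */
    if (setuid(0) == 0 || setgid(0) == 0)
        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    unsigned short port = argc > 1 ? (unsigned short)atoi(argv[1]) : 80;
    const char *user = argc > 2 ? argv[2] : "nobody";   /* assumed service account */

    int fd = bind_listener(port);                        /* done while still root */
    if (fd < 0) {
        perror("bind_listener");
        return 1;
    }
    struct passwd *pw = getpwnam(user);
    if (!pw || drop_privileges(pw->pw_uid, pw->pw_gid) != 0) {
        fprintf(stderr, "refusing to serve: could not drop privileges to %s\n", user);
        return 1;                                        /* fail closed, never serve as root */
    }
    printf("listening on 127.0.0.1:%d as uid %u, serving one connection\n",
           bound_port(fd), (unsigned)getuid());
    int client = accept(fd, NULL, NULL);                 /* everything from here is unprivileged */
    if (client >= 0) {
        const char *msg = "HTTP/1.0 200 OK\r\nContent-Length: 3\r\n\r\nok\n";
        (void)write(client, msg, strlen(msg));
        close(client);
    }
    close(fd);
    return 0;
}
```

Run as root with `./bindrop 80 tomcat` to see the bind succeed and the process continue as the tomcat user; run it again as that user and the bind itself fails, which is exactly the behaviour the thread is working around.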
Re: Running Tomcat as Non-Root
So every Java-based service would need its own JVM instance? Would you want your Java-based MTA on port 25 running as your Tomcat user or vice versa? Isn't that how it would work if you configured the user account in the JVM...all services would run as the same user? Seems like that would end up being pretty messy to manage.

John

On Fri, 18 Jul 2003 13:24:42 -0700, Lawrence, Gabriel [EMAIL PROTECTED] wrote:
> Right. I'm saying has anyone looked into submitting something to sun asking them to make it possible to start up a process as root and then drop down to another user like most native services do? I want that bridge between native user credentials and capabilities, and the ability to switch which native user I'm running on (assuming the user I'm running with has that capability.) This is missing in Java.
RE: Running Tomcat as Non-Root
To reply to your previous question: yes, running on a unix OS. . .also, running on ports above 1024, but receiving Connection Refused error messages in localhost_log when starting Tomcat as a non-root user.

-----Original Message-----
From: Lawrence, Gabriel [mailto:[EMAIL PROTECTED]
Sent: Friday, July 18, 2003 4:25 PM
To: Tomcat Users List
Subject: RE: Running Tomcat as Non-Root
RE: Running Tomcat as Non-Root
So I'm going to take that as a no. No one has bothered to pester Sun about this. And yes, the way things tend to work today is that people run these things with extra JVMs, although if it's running on port 25 they'd all have to be running as root. So I realize that it's possible that you could only drop privs down to a single user in the VM, but gee, wouldn't that be hugely better than what we have today, where if I want to run < 1024 I have to run as superuser? Surely you can see the benefit.

-gabe

-----Original Message-----
From: John Turner [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 18, 2003 1:35 PM
To: Tomcat Users List
Subject: Re: Running Tomcat as Non-Root

So every Java-based service would need its own JVM instance? Would you want your Java-based MTA on port 25 running as your Tomcat user or vice versa? Isn't that how it would work if you configured the user account in the JVM... all services would run as the same user? Seems like that would end up being pretty messy to manage.

John

On Fri, 18 Jul 2003 13:24:42 -0700, Lawrence, Gabriel [EMAIL PROTECTED] wrote:

> Right. I'm saying has anyone looked into submitting something to Sun asking them to make it possible to start up a process as root and then drop down to another user like most native services do? I want that bridge between native user credentials and capabilities, and the ability to switch which native user I'm running as (assuming the user I'm running with has that capability). This is missing in Java.
>
> -gabe
>
> -----Original Message-----
> From: Shapira, Yoav [mailto:[EMAIL PROTECTED]]
> Sent: Friday, July 18, 2003 1:21 PM
> To: Tomcat Users List
> Subject: RE: Running Tomcat as Non-Root
>
> Howdy,
> Huh??? Have you looked at java.security.AccessController#doPrivileged()? The issue is that port binding is a native operation and there's no bridge between the JDK java.security.Principal and the native user credentials needed to open the port.
>
> Yoav Shapira
> Millennium ChemInformatics
>
> -----Original Message-----
> From: Lawrence, Gabriel [mailto:[EMAIL PROTECTED]]
> Sent: Friday, July 18, 2003 4:06 PM
> To: Tomcat Users List
> Subject: RE: Running Tomcat as Non-Root
>
> Has anyone submitted a request to get dropping privs into the JDK? Or escalating privs to grab one of these ports and then dropping them again? As I see this request over and over again on this list, I think there is a large number of people who would like to see it or would vote for it in the Java bug parade. It also seems rather important for running a secure service to manage the privs. I know I could use a security manager/policy to restrict what can happen, but this doesn't restrict native libraries loaded into the process and requires more work on our part than just allowing the JDK to lose its privs...
>
> -gabe
>
> -----Original Message-----
> From: Shapira, Yoav [mailto:[EMAIL PROTECTED]]
> Sent: Friday, July 18, 2003 12:58 PM
> To: Tomcat Users List
> Subject: RE: Running Tomcat as Non-Root
>
> Howdy,
> Are you running on a Unix OS? If so, root is normally required if you want to run on a port < 1024. There are workarounds, but they vary in complexity and portability, and none are that good at this point. If you're running on a port higher than 1024, then you don't need to run as root at all.
>
> Yoav Shapira
> Millennium ChemInformatics
>
> -----Original Message-----
> From: Latesha Williams [mailto:[EMAIL PROTECTED]]
> Sent: Friday, July 18, 2003 3:55 PM
> To: Tomcat Users List
> Subject: Running Tomcat as Non-Root
>
> Is it possible to run Tomcat as a non-root user, with root as the owner of the entire Tomcat directory structure, and grant file/directory permissions to the non-root account? Please advise.
Re: Running Tomcat as Non-Root
Not for me. I only have one Java service and that's Tomcat. I run Apache on port 80, and everything is just fine, and I don't have to worry (too much) about anything, as Apache's downgrading mechanism is well tested. So, as a sys-admin, there's no benefit to me whatsoever, as I will most likely never run anything Java-based as a service when things like procmail, qmail, OpenLDAP, etc. all exist already and are actively developed. My only need for a Java application is Tomcat, and possibly some EJB container at some point in the future, though I highly doubt it.

This could easily get into a flame war... my point is, just because you CAN write something in Java doesn't automatically mean you SHOULD, especially from the point of view of someone like me who has many systems to manage and knows full well that there are tools out there that are battle-tested and suit the required purpose just fine without rewriting them in the latest-greatest language. There are thousands of things written in Visual Basic. Most are garbage. But, when Visual Basic 2004 comes out, everyone fights for the chance to rewrite everything in the new language. Most of that is garbage as well. For me to decide that a Java app should replace a tool that already exists (whatever it's written in), you'll have to persuade me that it is better in some way than the old tool, and better does not mean written in Java. Thus, the potential number of Java-based services for me is very small, and the ones I need already exist and I am comfortable with how they work.

I have many production systems. All of them are firewall-restricted for inbound connections from remote hosts, limited to ports 22, 80, and 443, except for the mail server which allows 25 and 110. Where do I need a JVM that can bind to one of those ports? I don't. OpenSSH is well-tested (22), Apache rocks on 80 and 443, and qmail/sendmail rock on 25, as does something like qpopper on 110. After that, I'm done, and I would guess that the Sun folks have probably made similar assessments.

John

On Fri, 18 Jul 2003 13:39:24 -0700, Lawrence, Gabriel [EMAIL PROTECTED] wrote:

> So I'm going to take that as a no. No one has bothered to pester Sun about this. And yes, the way things tend to work today is that people run these things with extra JVMs, although if it's running on port 25 they'd all have to be running as root. So I realize that it's possible that you could only drop privs down to a single user in the VM, but gee, wouldn't that be hugely better than what we have today, where if I want to run < 1024 I have to run as superuser? Surely you can see the benefit.
>
> -gabe
Re: Running Tomcat as Non-Root
Yes, but is this a Java problem, or is this an OS-related problem/feature? IMHO, since UNIX/LINUX is doing the restricting of port traffic, the problem resides with the OS, not with Java. Adding an API to shift the native security model is out of scope. Why don't particular flavors of the OS allow for < 1024 to be non-root?

Lukas

Lawrence, Gabriel [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

> So I realize that it's possible that you could only drop privs down to a single user in the VM, but gee, wouldn't that be hugely better than what we have today, where if I want to run < 1024 I have to run as superuser? Surely you can see the benefit.
>
> -gabe
Re: Running Tomcat as Non-Root
On Fri, 18 Jul 2003 17:01:46 -0400, Lukas Bradley [EMAIL PROTECTED] wrote:

> Why don't particular flavors of the OS allow for < 1024 to be non-root?
>
> Lukas

Because then ANYONE with a user account could bind a service to those ports. Then, to protect your server and your users, your only recourse would be to prevent any user accounts on the server EXCEPT root (because you couldn't trust anyone else), which would completely defeat the whole purpose of a MULTI-USER system.

Sure, it's a GREAT idea to let ANYONE bind a homegrown version of sshd to port 22 that does nothing but log user accounts and passwords from people trying to log in, but instead of doing anything else simply returns an innocuous message like "server's key is invalid" or something like that. Ditto a home-grown version of Apache. If you're the sys-admin, how would you be able to trust the version of httpd that was on your system? How would you know it didn't have a trojan or something? You wouldn't, because anyone would be able to bind a service called httpd to port 80.

Think about it.

John
RE: Running Tomcat as Non-Root
It's a Java problem, as the OSes that block access to < 1024 ports give native code APIs to open these ports and then lose the root privs. Java should allow those of us who are interested in running Java services to have the option to take advantage of this. I've filed a bug. When I get a bug number I'll post it. If you want to comment on how you think it's a good idea or a bad idea, you can feel free to do it there. Let's take the rest of this discussion off the Tomcat list.

-gabe

-----Original Message-----
From: Lukas Bradley [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 18, 2003 2:02 PM
To: [EMAIL PROTECTED]
Subject: Re: Running Tomcat as Non-Root

Yes, but is this a Java problem, or is this an OS-related problem/feature? IMHO, since UNIX/LINUX is doing the restricting of port traffic, the problem resides with the OS, not with Java. Adding an API to shift the native security model is out of scope. Why don't particular flavors of the OS allow for < 1024 to be non-root?

Lukas
Re: Running Tomcat as Non-Root
While this is flaming out of control ;-):

Let me point out that there is jakarta-commons-sandbox/daemon that allows you to do this right now (i.e. launch as root, Tomcat binds to port 80, and then setuid to a non-privileged user before Tomcat actually handles any request). It also allows you to stop (gracefully) by sending a SIGTERM signal, or to restart by sending a SIGHUP. I'm pretty happy with it on the Linux box that I'm using it on.

Lawrence, Gabriel [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

> Right. I'm saying has anyone looked into submitting something to Sun asking them to make it possible to start up a process as root and then drop down to another user like most native services do? I want that bridge between native user credentials and capabilities, and the ability to switch which native user I'm running as (assuming the user I'm running with has that capability). This is missing in Java.
>
> -gabe
RE: Running Tomcat as Non-Root
Hey, that looks really useful. Thanks for pointing it out. Exactly what I'd like to see drawn into the platform, but I guess since it's here already no need to wait :-)

-gabe

-----Original Message-----
From: Bill Barker [mailto:[EMAIL PROTECTED]]
Sent: Fri 7/18/2003 7:40 PM
To: [EMAIL PROTECTED]
Cc:
Subject: Re: Running Tomcat as Non-Root

While this is flaming out of control ;-):

Let me point out that there is jakarta-commons-sandbox/daemon that allows you to do this right now (i.e. launch as root, Tomcat binds to port 80, and then setuid to a non-privileged user before Tomcat actually handles any request). It also allows you to stop (gracefully) by sending a SIGTERM signal, or to restart by sending a SIGHUP. I'm pretty happy with it on the Linux box that I'm using it on.
Running Tomcat as non-root
Hello All,

Can anyone tell me how to set up directory permissions to permit running Tomcat as a non-root user? According to previous posts in the mailing list, I should be using 'su - nobody' when kicking off Tomcat, but nobody doesn't have authority to write to /usr/local. What is the best practice for setting up Tomcat? /usr/local/tomcat should be owned by root, shouldn't it? I'm running Red Hat 6.2.

Thanks,

___
Do You Yahoo!?
Get your free @yahoo.ca address at http://mail.yahoo.ca
Re: Running Tomcat as non-root
Along those same lines, what's the recommended approach for sharing one installation of Tomcat with multiple users? Should they each create their own server.xml and set the "home" attribute of the ContextManager to a location beneath their home directory, specifying the -f option to bin/startup.sh? What should the directory structure of that location be? Any more than "conf", "webapps", "logs"? Should each user's TOMCAT_HOME refer to the shared installation directory or their private workspace?

I tried answering "yes" to most of the above, and never could get the log files to show up. And I was surprised that the necessary directories (conf, logs, etc.) weren't automatically created in the ContextManager's home. I came to the unfortunate conclusion that Tomcat works best when each user installs Tomcat in his home directory. :-(

Anyone had better luck than me?

A Yang wrote:

> Can anyone tell me how to set up directory permissions to permit running Tomcat as a non-root user? According to previous posts in the mailing list, I should be using 'su - nobody' when kicking off Tomcat, but nobody doesn't have authority to write to /usr/local. What is the best practice for setting up Tomcat? /usr/local/tomcat should be owned by root, shouldn't it? I'm running Red Hat 6.2.
Re: Running Tomcat as non-root
/usr/local/tomcat doesn't necessarily have to be owned by root. The only thing you need to do is make sure that whichever user you run Tomcat as has write permissions to the logs, conf and work directories (those are the only ones Tomcat writes to, I think). This doesn't have to be 'nobody' though. You could create a tomcat or www user, for example. And if you want it to be owned by root, that's fine, just use the group permissions to set the write access.

A Yang wrote:

> Can anyone tell me how to set up directory permissions to permit running Tomcat as a non-root user? According to previous posts in the mailing list, I should be using 'su - nobody' when kicking off Tomcat, but nobody doesn't have authority to write to /usr/local. What is the best practice for setting up Tomcat? /usr/local/tomcat should be owned by root, shouldn't it? I'm running Red Hat 6.2.

--
Geoff Lane [EMAIL PROTECTED]
Re: Running Tomcat as non-root
Thanks, Kief. I'm still kind of an Ant newbie, but I think I see what you're doing, and it's pretty cool. :-)

I'm still confused about the -f option, though. You're not creating your server.xml in the shared installation directory, are you? I thought Tomcat always used $TOMCAT_HOME/conf/server.xml *unless* you specified another location with the -f option. Please clarify.

With regard to the log files, the default server.xml has those Logger elements outside the ContextManager element. The docs made me think I could move them inside the ContextManager element, making the log file paths relative to its "home" attribute. I suppose I can live with absolute paths for now, though.

Kief Morris wrote:

> Jim Crossley typed the following on 09:23 AM 2/6/2001 -0500
>
> > Along those same lines, what's the recommended approach for sharing one installation of Tomcat with multiple users? Should they each create their own server.xml and set the "home" attribute of the ContextManager to a location beneath their home directory, specifying the -f option to bin/startup.sh?
>
> I do this, except for the -f option. I actually use Ant to create my server.xml files; here is my template:
>
>   <ContextManager debug="0" workDir="@jsp-dir@" showDebugInfo="true" home="@site-home@">
>
> Replace @site-home@ with the subdirectory in your user's home area. Replace @jsp-dir@ with @site-home@/work.
>
> > What should the directory structure of that location be? Any more than "conf", "webapps", "logs"?
>
> You need a place for the server to write log files and such, the workDir in the above snippet. $SITE_HOME/work is good.
>
> > Should each user's TOMCAT_HOME refer to the shared installation directory or their private workspace?
>
> The shared installation. This tells Tomcat where to find everything except those things you specifically override, which leads to the next issue ...
>
> > I tried answering "yes" to most of the above, and never could get the log files to show up.
>
> Tomcat was probably trying to write them in $TOMCAT_HOME/logs. You must specifically override this default in the Logger elements of server.xml:
>
>   <Logger name="tc_log" verbosityLevel="DEBUG" path="@log-dir@/tc.log" />
>   <Logger name="servlet_log" verbosityLevel="DEBUG" path="@log-dir@/servlet.log" />
>   <Logger name="JASPER_LOG" verbosityLevel="DEBUG" path="@log-dir@/jasper.log" />
>
> You'll need to replace @log-dir@ with the full path to the subdirectory in the user's home area.
>
> > And I was surprised that the necessary directories (conf, logs, etc.) weren't automatically created in the ContextManager's home.
>
> No, you'll have to create the directories yourself during the installation. When Tomcat runs it assumes everything is already configured properly. You'll probably need to make a few shell scripts or Ant build files to automate creation of Tomcat sites for your users.
>
> Kief
Re: Running Tomcat as non-root
Jim Crossley typed the following on 12:19 PM 2/6/2001 -0500

> I'm still confused about the -f option, though. You're not creating your server.xml in the shared installation directory, are you? I thought Tomcat always used $TOMCAT_HOME/conf/server.xml *unless* you specified another location with the -f option. Please clarify.

Oops, you're right, I am using -f to point to the conf file.

Kief
Re: Running Tomcat as non-root
> /usr/local/tomcat doesn't necessarily have to be owned by root. The only thing you need to do is make sure that whichever user you run Tomcat as has write permissions to the logs, conf and work directories (those are the only ones Tomcat writes to, I think).

I was a little iffy about leaving the entire conf directory writable by the nobody group, so I wound up just checking the Java exceptions and permitting group write access to the affected files - mostly they are the automatically generated files like *.conf-auto. On a side note, I found that I was regenerating the Windows registry settings for redirecting IIS every time I started up Tomcat.

> This doesn't have to be 'nobody' though. You could create a tomcat or www user, for example.

Yes, I just figured I would use the same nobody user that Apache was using. Would it be best practice to have Apache and Tomcat running on separate, minimal userids?

> And if you want it to be owned by root, that's fine, just use the group permissions to set the write access.

Do you mean something like:

   1 -r--rw-r--   1 root     nobody       1024 foo

Thanks,
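As an added example (not from any poster in this thread), here is a shell script that applies the layout Geoff Lane describes and A Yang refines: the install owned by one account, a runtime group with write access only to logs and work, conf kept read-only with per-file exceptions for generated files, plus an audit function that lists every write grant outside the runtime directories. The group name "tomcat" is an assumption.

```sh
#!/bin/sh
# Added example, not code from the thread or from Tomcat: least-privilege
# modes for a Tomcat-style tree that is installed by one account (root in
# the thread) and run by a member of a separate group.  Only the directories
# Tomcat writes at runtime get group write; conf stays read-only, and
# generated files such as *.conf-auto are granted write access one by one.
# The runtime group name is assumed; the directory names are Tomcat's usual layout.

RUNTIME_GROUP=${RUNTIME_GROUP:-tomcat}   # assumed runtime group
WRITABLE_DIRS="logs work"               # the only runtime-writable directories

# setup_tree ROOT: create the layout under ROOT and apply the modes.
# chgrp is attempted but not required, so an unprivileged dry run still works.
setup_tree() {
    root=$1
    for d in bin conf lib webapps logs work; do
        mkdir -p "$root/$d"
    done
    chgrp -R "$RUNTIME_GROUP" "$root" 2>/dev/null || true
    # Installer: read/write; runtime group: read and traverse only; others: nothing.
    chmod -R u=rwX,g=rX,o= "$root"
    # Runtime-writable directories: group write, setgid so new files keep the group.
    for d in $WRITABLE_DIRS; do
        chmod u=rwx,g=rwxs,o= "$root/$d"
    done
}

# grant_file_write ROOT RELPATH: a per-file exception, e.g. conf/foo.conf-auto,
# the approach A Yang took instead of making all of conf writable.
grant_file_write() {
    chmod g+w "$1/$2"
}

# audit_tree ROOT: print every path under ROOT that is group- or world-writable
# and does not live under one of $WRITABLE_DIRS.  The output is the complete
# list of write grants outside the runtime directories: the explicit exceptions
# you made, and anything else, which is a policy violation to investigate.
audit_tree() {
    root=$1
    find "$root" -mindepth 1 \( -perm -020 -o -perm -002 \) -print |
    while IFS= read -r p; do
        rel=${p#"$root/"}
        top=${rel%%/*}
        allowed=0
        for d in $WRITABLE_DIRS; do
            [ "$top" = "$d" ] && allowed=1
        done
        if [ "$allowed" -eq 0 ]; then
            printf '%s\n' "$rel"
        fi
    done
}
```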
RE: Running Tomcat as non-root user
Hi Geoff,

As far as I know (and I did a fair bit of research on this topic), there is no way for any Java app to start as one user, then switch to running as another user.

What I do is run Tomcat on port 8080 as non-root, and use a firewall product to redirect port 80 -> 8080. This works fine. I can't give you great details, as the firewall stuff was set up by a sysadmin (which I am not), but we use Solaris and I think the firewall is "ifconfig". I guess that Linux's ipchains or ipfilter or whatever can do the same job.

Regards,
Simon

-----Original Message-----
From: Geoff Lane [SMTP:[EMAIL PROTECTED]]
Sent: Monday, January 15, 2001 11:46 PM
To: [EMAIL PROTECTED]
Subject: Running Tomcat as non-root user

In the Tomcat UG under the heading 'Modify and Customize the Batch Files' it says one of the reasons to do so (modify start-up scripts) would be: "To switch user from root to some other user using the "su" UNIX command." This is an excellent idea from a security standpoint. But to bind to port 80 (instead of the default high port 8080) root is needed. How many applications do this (Apache for example) is to initially run as root, bind to port 80, and then drop root privileges. Is something like this possible with Tomcat running standalone? Running concurrently with Apache would accomplish this because the AJP connection could be run as any user since it's on a high port.

Thanks.

--
Geoff Lane [EMAIL PROTECTED]
Re: Running Tomcat as non-root user
Kitching -

Thanks for the response. I was afraid of that. 'ifconfig' is the utility that lets you see information about the network interfaces, not a firewall. :)

Do you run multiple machines with a firewall in front of them to do the redirection (w/ load balancing, for example) or do you run the firewall on each machine individually? I asked our operations people about the same thing being done in our load balancer (F5/BigIP) - but apparently it can't be done there. Setting up a redirect on each machine could be a pain - not that I'd have to do it. :)

Thanks again.

Kitching Simon wrote:

> Hi Geoff,
>
> As far as I know (and I did a fair bit of research on this topic), there is no way for any Java app to start as one user, then switch to running as another user.
>
> What I do is run Tomcat on port 8080 as non-root, and use a firewall product to redirect port 80 -> 8080. This works fine. I can't give you great details, as the firewall stuff was set up by a sysadmin (which I am not), but we use Solaris and I think the firewall is "ifconfig". I guess that Linux's ipchains or ipfilter or whatever can do the same job.
>
> Regards,
> Simon

--
Geoff Lane [EMAIL PROTECTED] (650) 969-5000 x104
RE: Running Tomcat as non-root user
You may be able to write yourself some native code to do the switcheroo for you. Then use the Java calls to the native call. The code to do the user switch is readily available (though I have not searched for it now, I have seen it before, and it is also available from Apache subject to the ASL).

This, of course, makes you relatively platform specific.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Geoff Lane
Sent: Tuesday, January 16, 2001 12:29 PM
To: [EMAIL PROTECTED]
Subject: Re: Running Tomcat as non-root user

[...]
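The bind-then-drop sequence Geoff asks about, and that the native-code suggestion above would have to implement, in C. This is an added example, not code from the thread or from Tomcat: the process binds the privileged port while it is still root, switches to an unprivileged account in the order that makes the switch irreversible, and refuses to serve if it can still get root back. The port and user name on the command line, and the uid/gid 65534 ("nobody" on most Linux systems) that the self-check falls back to when started as root, are assumptions.

```c
/* bind_then_drop.c: bind a privileged port while root, then drop to an
 * unprivileged user in the order that makes the drop irreversible.
 * Added example, not code from the thread or from Tomcat. Port and user
 * name are command-line assumptions; 65534 ("nobody" on most Linux
 * systems) is the assumed fallback id used by self_check().
 * Build: cc -Wall -o bind_then_drop bind_then_drop.c
 * Run:   sudo ./bind_then_drop 80 tomcat */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Listening TCP socket on 0.0.0.0:port (0 = kernel picks); -1 on failure. */
int bind_listener(uint16_t port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0), one = 1;
    if (fd < 0)
        return -1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0 || listen(fd, 128) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Port the socket is actually bound to; 0 on error. */
uint16_t bound_port(int fd)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) != 0)
        return 0;
    return ntohs(sa.sin_port);
}

/* 1 if the process can no longer become root, 0 if it still can:
 * setuid(0) succeeds only while the effective or saved uid is 0. */
int root_is_unreachable(void)
{
    return setuid(0) != 0 && geteuid() != 0;
}

/* Drop root to uid/gid. Supplementary groups and gid first (they cannot be
 * changed once the uid is non-zero), then setuid(), not seteuid(): seteuid()
 * leaves the saved uid at 0, so an exploited process could setuid(0) back to
 * root. If not started as root there is nothing to drop; the ids are only
 * verified. Returns 0 on success, -1 on failure or a reversible drop. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 &&
        (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0))
        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid)
        return -1;
    return root_is_unreachable() ? 0 : -1;
}

/* Whole sequence on an ephemeral port: the socket bound before the drop
 * must stay usable and root must be unreachable afterwards. Drops to
 * 65534 if started as root, to our own ids otherwise. 1 = success. */
int self_check(void)
{
    int fd = bind_listener(0);
    if (fd < 0)
        return 0;
    int as_root = geteuid() == 0;
    int ok = drop_privileges(as_root ? 65534 : getuid(), as_root ? 65534 : getgid()) == 0
             && bound_port(fd) >= 1024 && root_is_unreachable();
    close(fd);
    return ok;
}

int main(int argc, char **argv)
{
    struct passwd *pw = argc == 3 ? getpwnam(argv[2]) : NULL;
    if (pw == NULL) {
        fprintf(stderr, "usage: %s PORT USER\n", argv[0]);
        return 2;
    }
    int fd = bind_listener((uint16_t)atoi(argv[1]));
    if (fd < 0 || drop_privileges(pw->pw_uid, pw->pw_gid) != 0) {
        fprintf(stderr, "bind failed, or privilege drop failed/reversible; refusing to serve\n");
        return 1;
    }
    printf("listening on port %u as uid %u\n", bound_port(fd), (unsigned)getuid());
    close(fd);
    return 0;
}
```

From a JVM both the bind and the drop have to run in native code called through JNI, which is the platform-specific route described above; the later Apache commons-daemon jsvc launcher packages this same pattern for Java, though that is outside what the thread discusses. The check at the end matters more than the drop itself: a drop done with seteuid() alone looks successful to getuid()/geteuid() but leaves setuid(0) working. With the firewall-redirect approach in Simon's message, also remember that port 8080 stays directly reachable unless it is filtered as well.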
RE: Running Tomcat as non-root user
You could use EJBs or a mobile agent framework?

-Original Message-
From: CPC Livelink Admin [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 16, 2001 5:35 PM
To: [EMAIL PROTECTED]
Subject: RE: Running Tomcat as non-root user

[...]
Re: Running Tomcat as non-root user
You could use Apache or Squid as a reverse proxy (web accelerator) to accept connections on port 80 then redirect to another port > 1024 via the proxy.

Bap.

[...]