standalone production?

2004-05-27 Thread Justin Jaynes
Is it considered safe to run tomcat as a stand-alone
production server on ports 80 and 443?  This requires
tomcat to run as root (or so I have read) and it is
therefore not recommended.  Using apache forks child
processes that run as nobody.  But I don't want to use
apache.  Again, is it safe to run tomcat as a
stand-alone production server on port 80 and 443 as
root?  Or is there some way to deny root permissions
and still use these ports?







RE: standalone production?

2004-05-27 Thread Shane Linley
What I think you need to consider is the risk of running TC in this manner
dependent on where and what the TC instance is being deployed for.

The risk MAY be acceptable if you are intending on running a TC instance
internally on an intranet or something similar, as then you only have to
worry about internal threats to its operation. (Considering that your
external defenses [if you have an external access point] are up to the task
of keeping attackers out from the outside) But let's not forget that a large
proportion of attacks do come internally.

If you are running this TC in an internet facing environment it is generally
considered good practice to have a proxy of some sort for the TC instance in
a DMZ and have the TC running behind the DMZ protected (hopefully) from
most attacks. Putting an application server into the DMZ is generally
considered a bad practice due to the impact that can be had should an
attacker compromise it (of course dependent on the relative risk of having
it there).

Also you need to consider what exactly this TC is doing, and what risk is
posed by its operation being modified/destroyed by an attacker and what the
impact of such an event could be. Once you know your risk on running it this
way then you can decide whether this configuration is safe for you or not.
Of course you should always aim to reduce your risk (and the exposure caused
by the risk) but balanced against the costs of implementing and maintaining
a highly secure system.

If you have system admins and whatnot for your production server then they
should know a lot about this already and can help you out deciding what to
do.

Regards,
Shane.




RE: standalone production?

2004-05-27 Thread Justin Jaynes
I am intending to run in a fully internet exposed
environment and I only have ONE physical machine to
use for deployment.  It will be directly connected to
the internet at co-location service provider.  So ...

In a conversation from yesterday, it appears another
user had a similar question.  How to run on port 80,
securely.

Is it possible to run tomcat with a non-privileged
user?  What is this JSVC approach they referred to,
and what is the solution that was given?  Where can I
go to read more?

 OK, I've been running tomcat behind apache for ages, and
 now I want to go with Yoav's oft-stated advice to just
 use tomcat (5.0.24) alone.  And I want it on port 80.

 So, I try to use the jsvc approach, telling it to go to
 the nonprivileged tomcat user by (from the tomcat site):

 ./bin/jsvc -Djava.endorsed.dirs=./common/endorsed -cp ./bin/bootstrap.jar \
   -outfile ./logs/catalina.out -errfile ./logs/catalina.err \
   org.apache.catalina.startup.Bootstrap -user tomcat

 However, that chokes as follows, as it apparently can't use port
 80 as I'm wanting it to.

 I'm sure this must be trivial, but all help would be
 appreciated!








Re: standalone production?

2004-05-27 Thread Parsons Technical Services
Justin,

http://jakarta.apache.org/tomcat/tomcat-5.0-doc/setup.html
and
http://marc.theaimsgroup.com/?l=tomcat-user&m=108373546715111&w=2
and
http://jakarta.apache.org/commons/daemon/
Use directions from the first two. The third is for description of product.

Doug
www.parsonstechnical.com






RE: standalone production?

2004-05-27 Thread RJ
The http://jakarta.apache.org/tomcat/tomcat-5.0-doc/setup.html
isn't the way for doing jsvc that I used (it didn't work
right).

You should already have jsvc.tar.gz in the bin dir
for tomcat; unpack it, and follow the instructions
in INSTALL.txt for building jsvc.  There's a page for
it at http://jakarta.apache.org/commons/daemon/jsvc.html
as well.

Then, you use the tomcat/bin/jsvc-src/native/Tomcat5.sh
script to start and stop it, after first editing that
script to get the values in there right.  Mine is
as follows (that $DAEMON_HOME/jsvc-src/jsvc \ one
was important, since it defaulted to a different
directory structure than the one that was created by
my jsvc and tomcat unpacking).

Then I did chown on the files in the tomcat directory
to be my non-root 'tomcat' user, fixed the server.xml
to have non-SSL Coyote HTTP/1.1 Connector on port 80
and SSL Coyote HTTP/1.1 Connector on port 443
and it seems to be working like a champ.

I also got the logging running by un-commenting the
AccessLogValve at the end of server.xml, and changed
the pattern=common to pattern=combined
so I could get apache-type logs like I had before.

MUCH nicer than fooling with those connectors.

Now, if I can only figure out why the 'referer' is
always blank when somebody first hits my site, I'll
be very happy...

rj

#!/bin/sh
##
#
#   Copyright 2004 The Apache Software Foundation.
#
#   Licensed under the Apache License, Version 2.0 (the "License");
#   you may not use this file except in compliance with the License.
#   You may obtain a copy of the License at
#
#   http://www.apache.org/licenses/LICENSE-2.0
#
#   Unless required by applicable law or agreed to in writing, software
#   distributed under the License is distributed on an "AS IS" BASIS,
#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#   See the License for the specific language governing permissions and
#   limitations under the License.
##
#
# Small shell script to show how to start/stop Tomcat using jsvc
# If you want to have Tomcat running on port 80 please modify the server.xml
# file:
#
#    <!-- Define a non-SSL HTTP/1.1 Connector on port 80 -->
#    <Connector className="org.apache.catalina.connector.http.HttpConnector"
#               port="80" minProcessors="5" maxProcessors="75"
#               enableLookups="true" redirectPort="8443"
#               acceptCount="10" debug="0" connectionTimeout="6"/>
#
# That is for Tomcat-5.0.x (Apache Tomcat/5.0)
#
# Adapt the following lines to your configuration
JAVA_HOME=/usr/java/j2sdk1.4.2_03
CATALINA_HOME=/usr/local/tomcat5
DAEMON_HOME=/usr/local/tomcat5/bin
# Account jsvc switches to after it has started as root
TOMCAT_USER=tomcat
TMP_DIR=/var/tmp
# Quoted so that both JVM options end up in the variable
CATALINA_OPTS="-Xms64m -Xmx200m"
CLASSPATH=\
$JAVA_HOME/lib/tools.jar:\
$CATALINA_HOME/bin/commons-daemon.jar:\
$CATALINA_HOME/bin/bootstrap.jar

case "$1" in
  start)
    #
    # Start Tomcat
    #
    # Run this as root: jsvc needs root to bind port 80 and then
    # runs the JVM as $TOMCAT_USER.
    # -errfile '&1' sends stderr to the same file as -outfile.
    # $CATALINA_OPTS is left unquoted on purpose so it splits into options.
    "$DAEMON_HOME/jsvc-src/jsvc" \
    -user "$TOMCAT_USER" \
    -home "$JAVA_HOME" \
    -Dcatalina.home="$CATALINA_HOME" \
    -Djava.io.tmpdir="$TMP_DIR" \
    -outfile "$CATALINA_HOME/logs/catalina.out" \
    -errfile '&1' \
    $CATALINA_OPTS \
    -cp "$CLASSPATH" \
    org.apache.catalina.startup.Bootstrap
    #
    # To get a verbose JVM
    #-verbose \
    # To get a debug of jsvc.
    #-debug \
    ;;

  stop)
    #
    # Stop Tomcat
    #
    # Signal the process recorded in the jsvc pid file
    PID=`cat /var/run/jsvc.pid`
    kill $PID
    ;;

  *)
    echo "Usage tomcat.sh start/stop"
    exit 1;;
esac

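Added example (not part of RJ's post or of the Tomcat/jsvc distribution): a check, run over `ps -eo user,pid,ppid,args` output, that the jsvc start described in this thread really left the Tomcat JVM running as the non-root account. It assumes jsvc keeps a controller process running as root and runs the JVM in a child process under the -user account; the function names and the process listings embedded below are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread: confirm that jsvc dropped root.
# Input: output of `ps -eo user,pid,ppid,args` (header line optional).
# Assumption: the jsvc controller stays root, the child JVM runs as -user.

TOMCAT_USER=tomcat   # same account name as in the start script

# check_jsvc_drop USER   (reads a ps listing on stdin)
# Prints one finding per line; returns 0 only if at least one Tomcat JVM
# process was found and every one of them runs as USER.
check_jsvc_drop() {
    awk -v want="$1" '
        $1 == "USER" { next }                        # skip the ps header
        /org\.apache\.catalina\.startup\.Bootstrap/ {
            user[$2] = $1                            # pid -> owner
            parent[$2] = $3                          # pid -> parent pid
        }
        END {
            # A Bootstrap process that has a Bootstrap child is the jsvc
            # controller; it is expected to stay root.
            for (p in parent)
                if (parent[p] in user) controller[parent[p]] = 1
            for (p in user) {
                if (p in controller) {
                    printf "INFO pid %s (%s) is the jsvc controller\n", p, user[p]
                    continue
                }
                seen++
                if (user[p] == want)
                    printf "OK   pid %s runs as %s\n", p, user[p]
                else {
                    printf "FAIL pid %s runs as %s, expected %s\n", p, user[p], want
                    bad++
                }
            }
            if (!seen) { print "FAIL no Tomcat Bootstrap process found"; bad++ }
            exit (bad > 0)
        }'
}

# Constructed sample: jsvc started as root with -user tomcat.
sample_dropped() {
    cat <<'EOF'
USER     PID  PPID COMMAND
root    4101     1 /usr/local/tomcat5/bin/jsvc-src/jsvc -user tomcat -home /usr/java/j2sdk1.4.2_03 org.apache.catalina.startup.Bootstrap
tomcat  4102  4101 /usr/local/tomcat5/bin/jsvc-src/jsvc -user tomcat -home /usr/java/j2sdk1.4.2_03 org.apache.catalina.startup.Bootstrap
EOF
}

# Constructed sample: Tomcat started directly by root, no privilege drop.
sample_root() {
    cat <<'EOF'
USER     PID  PPID COMMAND
root    3990     1 /usr/java/j2sdk1.4.2_03/bin/java -Dcatalina.home=/usr/local/tomcat5 org.apache.catalina.startup.Bootstrap start
EOF
}

sample_dropped | check_jsvc_drop "$TOMCAT_USER" || echo "privilege drop NOT confirmed"
sample_root    | check_jsvc_drop "$TOMCAT_USER" || echo "privilege drop NOT confirmed"
```

On a live host the same function takes the real listing: `ps -eo user,pid,ppid,args | check_jsvc_drop tomcat`.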


RE: standalone production?

2004-05-27 Thread Shapira, Yoav

Hi,
Good post.  I've added it to the FAQ:
http://jakarta.apache.org/tomcat/faq/security.html#jsvcExample.

Yoav Shapira
Millennium Research Informatics



Re: standalone production?

2004-05-27 Thread Parsons Technical Services
If this is the case, then why not fix the
http://jakarta.apache.org/tomcat/tomcat-5.0-doc/setup.html
page to show the correct (updated) information?

Doug


RE: standalone production?

2004-05-27 Thread Shapira, Yoav

Hi,
That'll be done too, but those docs only get updated when we do a new
release, and I didn't want to wait to post the content.

Yoav Shapira
Millennium Research Informatics

