You could use Apache or Squid as a reverse proxy (web accelerator) to accept
connections on port 80, then redirect to another port >1024 via the proxy.
Bap.
> You could use EJBs or a mobile agent framework?
>
> -----Original Message-----
> From: CPC Livelink Admin [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, January 16, 2001 5:35 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Running Tomcat as non-root user
>
>
>
> You may be able to write yourself some native code to do the switcheroo for
> you. Then use the Java calls to the native call. The code to do the user
> switch is readily available (though I have not searched for it now, I have
> seen it before, and it is also available from Apache subject to the ASL).
> This, of course, makes you relatively platform specific.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
> Behalf Of Geoff Lane
> Sent: Tuesday, January 16, 2001 12:29 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Running Tomcat as non-root user
>
>
> Kitching - Thanks for the response. I was afraid of that.
> 'ifconfig' is the utility that lets you see information about the
> network interfaces, not a firewall. :) Do you run multiple machines with
> a firewall in front of them to do the redirection (w/ load balancing for
> example) or do you run the firewall on each machine individually?
>
> I asked our operations people about the same thing being done in our
> load balancer (F5/BigIP) - but apparently it can't be done there.
> Setting up a redirect on each machine could be a pain - not that I'd
> have to do it. :)
> Thanks again.
>
> Kitching Simon wrote:
> >
> > Hi Geoff,
> >
> > As far as I know (and I did a fair bit of research on this
> > topic), there is no way for any java app to start as one
> > user, then switch to running as another user.
> >
> > What I do is run tomcat on port 8080 as non-root, and
> > use a firewall product to redirect port 80 -> 8080. This
> > works fine.
> >
> > I can't give you great details, as the firewall stuff was
> > set up by a sysadmin (which I am not), but we use
> > Solaris and I think the firewall is "ifconfig". I guess
> > that Linux's ipchains or ipfilter or whatever can do the
> > same job.
> >
> > Regards,
> >
> > Simon
> > > -----Original Message-----
> > > From: Geoff Lane [SMTP:[EMAIL PROTECTED]]
> > > Sent: Monday, January 15, 2001 11:46 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: Running Tomcat as non-root user
> > >
> > > In the Tomcat UG under the heading 'Modify and Customize the Batch
> > > Files' it says one of the reasons to do so (modify start up scripts)
> > > would be: "To switch user from root to some other user using the "su"
> > > UNIX command."
> > >
> > > This is an excellent idea from a security standpoint. But to bind to
> > > port 80 (instead of the default high port 8080) root is needed. How many
> > > applications do this (Apache for example) is to initially run as root,
> > > bind to port 80, and then drop root privileges. Is something like this
> > > possible with Tomcat running standalone? Running concurrently with
> > > Apache would accomplish this because the AJP connection could be run as
> > > any user since it's on a high port.
> > >
> > > Thanks.
> > >
>
> --
>
> Geoff Lane <[EMAIL PROTECTED]>
> (650) 969-5000 x104
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, email: [EMAIL PROTECTED]
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, email: [EMAIL PROTECTED]