I don't know of a class in java (and its appropriate native wrapper)
which allows you to switch your effective user id. But it should be
trivial to write (if you know how to write native classes and unix OS
calls).
The same thought occurred to me, it should not be that hard to pass
something down through the JVM that eventually would result in a setuid()
or something like that. Of course I do not know enough about the
architecture of the JVM; I prefer sticking to C code.
How is the JVM implemented? Take tomcat for example. Is tomcat a:
a thread of the JVM process
a proper child process of the JVM??
something else??
Also, if a Java equivalent of setuid() existed, would a Tomcat process which
has restricted rights after the downgrade still be able to use the
privileged ports after a UID downgrade?
The way I understood you on the subject of the internal architecture of
Apache, and keep in mind I have not read the source code back to front, is
that Apache is not a single process that downgrades its UID.
What happens is that a tiny stub of Apache code runs as root, and all it
does is fork non-privileged kids to do the work.
cheers
KR
--------------------------------------------------------------------------------------------------------
Follow cigar smoke, find fat man there....
--------------------------------------------------------------------------------------------------------
Tim Funk <[EMAIL PROTECTED]>
05.12.2002 15:19
Please respond to "Tomcat Users List"
To: Tomcat Users List <[EMAIL PROTECTED]>
cc:
Subject: Re: Why run tomcat as root
The JVM doesn't fork at all.
The JVM (and therefore tomcat) is one process. The JVM is a virtual
machine with many threads under the same process. Because of OS
constraints - all threads in the same process must run under the same
user id. No thread may run as root unless they are all root. This is a
limitation with the JVM.
Apache doesn't have this limitation since it uses multiple processes to
do its work.
But in Unix, a process can start as root, do some work, then change its
effective user id to something less via an OS system call. But once you
switch down, you're stuck and can't go back. So if you need to do things
later as root, you're SOL.
I don't know of a class in java (and its appropriate native wrapper)
which allows you to switch your effective user id. But it should be
trivial to write (if you know how to write native classes and unix OS
calls).
Personally - it would be best to run apache in front. That way, it is
very easy later to add load balancing or other features that may be hard
for tomcat but trivial for apache.
-Tim
Kristján Rúnarsson wrote:
> So in summary, if I read you right, you are saying that java processes can
> not fork kids that run under a different UID than the parent process?
>
> If that is true, this whole situation sux ass and it should not be
> possible to run Tomcat as ROOT at all which would force people to use a
> port mapper for privileged ports. Has this been changed in Tomcat versions
> later than 4.0.x??
>
>
> Mvh
>
> KR
>
> --------------------------------------------------------------------------------------------------------
> Follow cigar smoke, find fat man there....
> --------------------------------------------------------------------------------------------------------
>
>
>
>
> Tim Funk <[EMAIL PROTECTED]>
> 05.12.2002 13:24
> Please respond to "Tomcat Users List"
>
>
> To: Tomcat Users List <[EMAIL PROTECTED]>
> cc:
> Subject: Re: Why run tomcat as root
>
>
> Apache doesn't completely downgrade itself. Apache still runs as root.
> But only as little code as possible runs as root for apache.
>
> Apache uses root for binding to the socket (80), (logging?) and the
> other socket happiness where its nice to be root. But apache has many
> child processes running as a different user. This is where all the "real
> work" gets done.
>
> With tomcat - there is only one process, the JVM. It is possible to
> bind to port 80 as root to listen on the port, then switch the entire
> process to another (less privileged) user id. To do this - you need a
> class which can call the native OS system call. The bad part about this
> is if something happens to the port 80 and you must reopen it - the
> whole JVM needs to be restarted.
>
>
> Kristján Rúnarsson wrote:
>
>>I know, I accidentally posted that message before completing it, I posted
>>the rest of it separately.
>>
>>I have heard a lot of people expressing concern about this behavior of the
>>JVM of keeping processes running as root and I fully understand why. The
>>problem is that if I want to access say Port 80 I have to run tomcat as
>>root. But I have not been able to figure out a way to downgrade the
>>privileges of the Tomcat process after it has accessed the privileged
>>resources. I have been told that Apache can downgrade the privilege level
>>of processes after they have accessed privileged resources but how do I do
>>this to tomcat?
>>
>>
>>
>>
>>
>>
>>"Ralph Einfeldt" <[EMAIL PROTECTED]>
>>05.12.2002 12:48
>>Please respond to "Tomcat Users List"
>>
>>
>> To: "Tomcat Users List" <[EMAIL PROTECTED]>
>> cc:
>> Subject: RE: Why run tomcat as root
>>
>>
>>I don't think that you are right.
>>
>>To run tomcat as root means you have less security than having
>>more security.
>>
>>You have to be aware that you open an additional potential
>>security hole for the user that runs tomcat. (That is not
>>specific to tomcat, that is true for any application)
>>
>>E.g.: If tomcat or your application contains an error
>>that lets some user execute a command on the server,
>>this command will have the rights of the tomcat user.
>>
>>If this user is root, the command can do nearly everything
>>on the server. Otherwise it could just have restricted
>>access to the system.
>>
>>If you want to use port 80 it is better to run tomcat behind
>>a connector, a port mapper or a proxy and use a user with the
>>least possible rights.
>>
>>
>>
>>>-----Original Message-----
>>>From: Kristján Rúnarsson [mailto:[EMAIL PROTECTED]]
>>>Sent: Thursday, December 05, 2002 1:34 PM
>>>To: Tomcat Users List
>>>Subject: Re: Why run tomcat as root
>>>
>>>
>>
>>The Root account is also preferable because the account and processes
>>that run under it are considerably better protected than those of a
>>normal user, provided you have not castrated the Root account security
>>wise, i.e. configured it incorrectly. The less secure the account you run
>>Tomcat under, the easier it is for a malicious user to sabotage your
>>webserver by editing or deleting files, killing processes and so on.
>>The ROOT account is a citadel on a mountain top, very hard for a hacker
>>to break, much harder than a normal account. If you run Tomcat as root,
>>only you and those trusted few that you have made privy to the root
>>password, can manipulate the Tomcat server.
>>
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
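The two models argued about in this thread, as an added C example (not code from the thread, from Tomcat or from Apache): a single process binds the privileged port while it is still root and then drops to an unprivileged uid/gid for good (the "JVM" model Tim describes, where there is no way back and a rebind means a restart), and the Apache-style variant where a root parent forks a child that drops privileges before doing any work, so the parent can keep re-forking workers. The default port 80 and the target account "nobody" in main() are assumptions for the demo; open_listener, drop_privileges, run_as_unprivileged, can_regain_root and sample_worker are names chosen here.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Bind and listen on a loopback TCP port (0 = let the kernel pick one).
 * Ports below 1024 need root on a classic Unix, so this is done BEFORE
 * privileges are dropped. Returns the listening fd, or -1 with errno set. */
int open_listener(unsigned short port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0 || listen(fd, 16) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Permanently switch to uid/gid. Order matters: supplementary groups first
 * (only root may clear them), then the gid, then the uid; once setuid()
 * succeeds for a non-zero uid there is no way back to root. Returns 0 on
 * success, -1 with errno set on failure. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) < 0) return -1;
    if (setgid(gid) < 0) return -1;
    if (setuid(uid) < 0) return -1;
    return 0;
}

/* Check whether the process can still obtain an effective uid of 0.
 * Returns 1 if seteuid(0) succeeds (privileges were NOT really dropped),
 * 0 if the kernel refuses (the expected state after drop_privileges). */
int can_regain_root(void) {
    uid_t before = geteuid();
    if (seteuid(0) == 0) {
        seteuid(before);
        return 1;
    }
    return 0;
}

/* Apache-style: the caller (root) keeps its privileges and forks a worker
 * that drops to uid/gid before running `work`. Returns the worker's exit
 * status (0-255), or -1 if fork/waitpid failed. Exit code 111 means the
 * child could not drop privileges and refused to run the work as root. */
int run_as_unprivileged(uid_t uid, gid_t gid, int (*work)(void)) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (drop_privileges(uid, gid) < 0) _exit(111);
        _exit(work() & 0xff);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Constructed worker: reports 42 when real and effective uid agree. */
int sample_worker(void) {
    return geteuid() == getuid() ? 42 : 1;
}

/* Demo: ./a.out [port] [user]; defaults 80 and "nobody" are assumptions. */
int main(int argc, char **argv) {
    unsigned short port = argc > 1 ? (unsigned short)atoi(argv[1]) : 80;
    const char *user = argc > 2 ? argv[2] : "nobody";
    struct passwd *pw = getpwnam(user);
    if (!pw) { fprintf(stderr, "no such user: %s\n", user); return 1; }
    int fd = open_listener(port);               /* bind while still root */
    if (fd < 0) { perror("open_listener"); return 1; }
    int rc = run_as_unprivileged(pw->pw_uid, pw->pw_gid, sample_worker);
    printf("forked worker exit status: %d\n", rc);
    if (drop_privileges(pw->pw_uid, pw->pw_gid) < 0) { perror("drop_privileges"); return 1; }
    printf("listening on %u as uid %u; can regain root: %s\n", port,
           (unsigned)geteuid(), can_regain_root() ? "yes (NOT dropped)" : "no");
    close(fd);
    return 0;
}
```

Run as root with `./a.out 80 nobody` and the last line should report "can regain root: no"; run as an ordinary user with a high port (`./a.out 8080 $USER`) and the same functions succeed because setuid() to your own uid is always permitted. The practical consequence for the single-process model is exactly what Tim describes: after drop_privileges() the listening socket is the only privileged resource left, and if it is ever closed the process must be restarted as root to bind port 80 again.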