Perhaps tomcat-dev would have your answers.

John

> -----Original Message-----
> From: Kristján Rúnarsson [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, December 05, 2002 11:48 AM
> To: Tomcat Users List
> Subject: Re: Why run tomcat as root
>
> I don't know of a class in java (and its appropriate native wrapper)
> which allows you to switch your effective user id. But it should be
> trivial to write (if you know how to write native classes and unix OS
> calls).
>
> The same thought occurred to me, it should not be that hard to pass
> something down through the JVM that eventually would result in a
> setuid() or something like that. Of course I do not know enough about
> the architecture of the JVM; I prefer sticking to C code.
>
> How is the JVM implemented? Take tomcat for example. Is tomcat a:
>
> a thread of the JVM process
> a proper child process of the JVM??
> something else??
>
> Also, if a java equivalent of setuid() existed, would a Tomcat process
> who after the downgrade has restricted rights still be able to use the
> privileged ports after a UID downgrade?
>
> The way I understood you on the subject of the internal architecture
> of Apache, and keep in mind I have not read the source code back to
> front, is that Apache is not a single process that downgrades its UID.
> What happens is that a tiny stub of Apache code runs as root, and all
> it does is fork non privileged kids to do the work.
>
> cheers
>
> KR
>
> ------------------------------------------------------------
> Follow cigar smoke, find fat man there....
> ------------------------------------------------------------
>
> Tim Funk <[EMAIL PROTECTED]>
> 05.12.2002 15:19
> Please respond to "Tomcat Users List"
>
> To: Tomcat Users List <[EMAIL PROTECTED]>
> cc:
> Subject: Re: Why run tomcat as root
>
> The JVM doesn't fork at all.
>
> The JVM (and therefore tomcat) is one process.
> The JVM is a virtual machine with many threads under the same process.
> Because of OS constraints - all threads in the same process must run
> under the same user id. No thread may run as root unless they are all
> root. This is a limitation with the JVM.
>
> Apache doesn't have this limitation since it uses multiple processes
> to do its work.
>
> But in Unix, a process can start as root, do some work, then change
> its effective user id to something less via an OS system call. But
> once you switch down, you're stuck and can't go back. So if you need
> to do things later as root, you're SOL.
>
> I don't know of a class in java (and its appropriate native wrapper)
> which allows you to switch your effective user id. But it should be
> trivial to write (if you know how to write native classes and unix OS
> calls).
>
> Personally - it would be best to run apache in front. That way, it is
> very easy later to add load balancing or other features that may be
> hard for tomcat but trivial for apache.
>
> -Tim
>
> Kristján Rúnarsson wrote:
> > So in summary, if I read you right, you are saying that java
> > processes can not fork kids that run under another UID as the parent
> > process?
> >
> > If that is true, this whole situation sux ass and it should not be
> > possible to run Tomcat as ROOT at all which would force people to
> > use a port mapper for privileged ports. Has this been changed in
> > Tomcat versions later than 4.0.x??
> >
> > Mvh
> >
> > KR
> >
> > ------------------------------------------------------------
> > Follow cigar smoke, find fat man there....
> > ------------------------------------------------------------
> >
> > Tim Funk <[EMAIL PROTECTED]>
> > 05.12.2002 13:24
> > Please respond to "Tomcat Users List"
> >
> > To: Tomcat Users List <[EMAIL PROTECTED]>
> > cc:
> > Subject: Re: Why run tomcat as root
> >
> > Apache doesn't completely downgrade itself. Apache still runs as
> > root. But only as little code as possible runs as root for apache.
> >
> > Apache uses root for binding to the socket (80), (logging?) and the
> > other socket happiness where it's nice to be root. But apache has
> > many child processes running as a different user. This is where all
> > the "real work" gets done.
> >
> > With tomcat - there is only one process, the JVM. It is possible to
> > bind to port 80 as root to listen on the port, then switch the
> > entire process to another (less privileged) user id. To do this -
> > you need a class which can call the native OS system call. The bad
> > part about this is if something happens to the port 80 and you must
> > reopen it - the whole JVM needs restarted.
> >
> > Kristján Rúnarsson wrote:
> >
> >>I know, I accidentally posted that message before completing it, I
> >>posted the rest of it separately.
> >>
> >>I have heard a lot of people expressing concern about this behavior
> >>of the JVM of keeping processes running as root and I fully
> >>understand why. The problem is that if I want to access say Port 80
> >>I have to run tomcat as root. But I have not been able to figure out
> >>a way to downgrade the privileges of the Tomcat process after it has
> >>accessed the privileged resources. I have been told that Apache can
> >>downgrade the privilege level of processes after they have accessed
> >>privileged resources but how do I do this to tomcat?
> >>
> >>"Ralph Einfeldt" <[EMAIL PROTECTED]>
> >>05.12.2002 12:48
> >>Please respond to "Tomcat Users List"
> >>
> >>        To: "Tomcat Users List" <[EMAIL PROTECTED]>
> >>        cc:
> >>        Subject: RE: Why run tomcat as root
> >>
> >>I don't think that you are right.
> >>
> >>To run tomcat as root means you have less security than having
> >>more security.
> >>
> >>You have to be aware that you open an additional potential
> >>security hole for the user that runs tomcat. (That is not
> >>specific to tomcat, that is true for any application)
> >>
> >>E.G.: If tomcat or your application contains an error
> >>that lets some user execute a command on the server,
> >>this command will have the rights of the tomcat user.
> >>
> >>If this user is root, the command can do nearly everything
> >>on the server. Otherwise it could just have restricted
> >>access to the system.
> >>
> >>If you want to use port 80 it is better to run tomcat behind
> >>a connector, a port mapper or a proxy and use a user with the
> >>least possible rights.
> >>
> >>>-----Original Message-----
> >>>From: Kristján Rúnarsson [mailto:[EMAIL PROTECTED]]
> >>>Sent: Thursday, December 05, 2002 1:34 PM
> >>>To: Tomcat Users List
> >>>Subject: Re: Why run tomcat as root
> >>>
> >>
> >>The Root account is also preferable because the account and
> >>processes that run under it are considerably better protected than
> >>those of a normal user, provided you have not castrated the Root
> >>account security wise, ie configured it incorrectly. The less secure
> >>the account you run Tomcat under the easier it is for a malicious
> >>user to sabotage your webserver by editing or deleting files,
> >>killing processes and so on. The ROOT account is a citadel on a
> >>mountain top, very hard for a hacker to break, much harder than a
> >>normal account.
> >>If you run Tomcat as root, only you and those trusted few that you
> >>have made privy to the root password, can manipulate the Tomcat
> >>server.
> >>
>
> --
> To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
