To reply to your previous question: yes, running on a unix OS. . .also,
running on ports above 1024, but receiving "Connection Refused" error
messages in localhost_log when starting Tomcat as a non-root user.


-----Original Message-----
From: Lawrence, Gabriel [mailto:[EMAIL PROTECTED]
Sent: Friday, July 18, 2003 4:25 PM
To: Tomcat Users List
Subject: RE: Running Tomcat as Non-Root

Right. I'm saying has anyone looked into submitting something to sun
asking them to make it possible to start up a process as root an then
drop down to another user like most native services do?

I want that bridge between native user credentials and capabilities, and
the ability to switch which nave user I'm running on (assuming the user
I'm running with has that capability.)

This is missing in Java.
-gabe

-----Original Message-----
From: Shapira, Yoav [mailto:[EMAIL PROTECTED]
Sent: Friday, July 18, 2003 1:21 PM
To: Tomcat Users List
Subject: RE: Running Tomcat as Non-Root


Howdy,
Huh???  Have you looked at java.security.AccessController#doPrivileged()
?

The issue is that port binding is a native operation and there's no
bridge between the JDK java.security.Principal and the native user
credentials needed to open the port.

Yoav Shapira
Millennium ChemInformatics


>-----Original Message-----
>From: Lawrence, Gabriel [mailto:[EMAIL PROTECTED]
>Sent: Friday, July 18, 2003 4:06 PM
>To: Tomcat Users List
>Subject: RE: Running Tomcat as Non-Root
>
>Has any one submitted a request to get dropping privs into the JDK? Or
>escalating privs to grab one of these ports and then dropping them
>again?
>
>As I see this request over and over again on this list I think there is
>a large number of people who would like to see it or would vote for it
>in the java bug parade.
>
>It also seems rather important for running a secure service to manage
>the privs. I know I could use a security manager/policy to restrict
what
>can happen, but this doesn't restrict native libraries loaded into the
>process and requires more work on our part then just allowing the JDK
to
>loose its privs...
>
>-gabe
>
>-----Original Message-----
>From: Shapira, Yoav [mailto:[EMAIL PROTECTED]
>Sent: Friday, July 18, 2003 12:58 PM
>To: Tomcat Users List
>Subject: RE: Running Tomcat as Non-Root
>
>
>Howdy,
>Are you running on a unix OS?  If so, root is normally required if you
>want to run on a port < 1024.  There are workarounds, but they vary in
>complexity and portability, and none are that good at this point.  If
>you're running on a port higher than 1024, than you don't need to run
as
>root at all.
>
>Yoav Shapira
>Millennium ChemInformatics
>
>
>>-----Original Message-----
>>From: Latesha Williams [mailto:[EMAIL PROTECTED]
>>Sent: Friday, July 18, 2003 3:55 PM
>>To: Tomcat Users List
>>Subject: Running Tomcat as Non-Root
>>
>>Is it possible to run Tomcat as a non-root user, with root as the
owner
>of
>>the entire Tomcat directory structure and grant file/directory
>permissions
>>to the non-root account?  Please advise.
>>
>>
>>
>>
>>---------------------------------------------------------------------
>>To unsubscribe, e-mail: [EMAIL PROTECTED]
>>For additional commands, e-mail: [EMAIL PROTECTED]
>
>
>
>
>This e-mail, including any attachments, is a confidential business
>communication, and may contain information that is confidential,
>proprietary and/or privileged.  This e-mail is intended only for the
>individual(s) to whom it is addressed, and may not be saved, copied,
>printed, disclosed or used by anyone else.  If you are not the(an)
>intended recipient, please immediately delete this e-mail from your
>computer system and notify the sender.  Thank you.
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: [EMAIL PROTECTED]
>For additional commands, e-mail: [EMAIL PROTECTED]
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: [EMAIL PROTECTED]
>For additional commands, e-mail: [EMAIL PROTECTED]




This e-mail, including any attachments, is a confidential business
communication, and may contain information that is confidential,
proprietary and/or privileged.  This e-mail is intended only for the
individual(s) to whom it is addressed, and may not be saved, copied,
printed, disclosed or used by anyone else.  If you are not the(an)
intended recipient, please immediately delete this e-mail from your
computer system and notify the sender.  Thank you.


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to