On Mon, Feb 26, 2018 at 9:59 AM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> Coty and André,
>
> On 2/23/18 6:58 PM, Coty Sutherland wrote:
>> Also see https://bz.apache.org/bugzilla/show_bug.cgi?id=60560 :)
>> I've been planning to push a solution for that, just haven't gotten
>> around to it yet.
>>
>> On Fri, Feb 23, 2018 at 5:34 PM, André Warnier (tomcat)
>> <a...@ice-sa.com> wrote:
>>> On 23.02.2018 23:32, André Warnier (tomcat) wrote:
>>>>
>>>> On 23.02.2018 18:52, Peter@Kreuser-Online wrote:
>>>>>
>>>>> Hi Chris,
>>>>>
>>>>>> On 23.02.2018 at 18:36, Cheltenham, Chris
>>>>>> <ccheltenham-...@philasd.org> wrote:
>>>>>>
>>>>>> Hello All,
>>>>>>
>>>>>> I am trying to run tomcat as a non root user.
>>>>>>
>>>>>> It will start as the tomcat user but it will not bind to
>>>>>> connector 443 unless it starts as root.
>>>>>>
>>>>>> Does anyone know why?
>>>>>
>>>>> Unix will not let you open ports below 1024 as non-root
>>>>> user!
>>>>>
>>>>> You may use a proxy in front of it or maybe use iptables to
>>>>> be able to use standard ports AND user tomcat.
>>>>
>>>> See also :
>>>> https://commons.apache.org/proper/commons-daemon/jsvc.html
>>>
>>> Or if you are running under Linux, check :
>>> https://en.wikipedia.org/wiki/Authbind
>
> I'm curious ... can authbind be used to *restrict* processes as well
> as to grant them access? For example, let's say that I want Tomcat to
> be able to bind to port 8080, it generally will be able to do that
> unless some other process has bound already. But let's say I
> specifically DO NOT want Tomcat to be able to bind to port 8443. Can I
> use authbind to set a blacklist of ports, too? Or, can I blacklist
> everything and set up a whitelist that contains only port 8080?

I'm not sure about authbind, but selinux is effectively a whitelist which only includes a handful of ports (in http_port_t)...assuming that it's enabled.

>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
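
An added example, not part of the thread: one way to check whether a connector port falls inside the `http_port_t` list mentioned in the reply, by parsing output in the layout of `semanage port -l`. The sample listing is constructed, the helper names `types_for_port` and `port_in_type` are hypothetical, and which port types a given Tomcat process may actually bind depends on the loaded policy.

```shell
#!/bin/sh
# Constructed sample in the layout printed by `semanage port -l`
# (type, protocol, comma-separated ports or lo-hi ranges); not from the thread.
SAMPLE_PORTS='SELinux Port Type              Proto    Port Number
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
ssh_port_t                     tcp      22'

# types_for_port PROTO PORT  (hypothetical helper)
# Reads port-label lines on stdin and prints every type whose port list or
# range covers PORT for PROTO. Prints nothing if no listed type covers it.
types_for_port() {
    awk -v proto="$1" -v port="$2" '
        $2 == proto {
            for (f = 3; f <= NF; f++) {
                item = $f; sub(/,$/, "", item)
                n = split(item, r, "-")
                lo = r[1] + 0; hi = (n == 2 ? r[2] : r[1]) + 0
                if (port + 0 >= lo && port + 0 <= hi) { print $1; break }
            }
        }'
}

# port_in_type TYPE PROTO PORT  (hypothetical helper)
# Exit status 0 if PORT carries label TYPE for PROTO, 1 otherwise.
port_in_type() {
    types_for_port "$2" "$3" | grep -Fqx "$1"
}

# Check the two connector ports discussed in the thread against the sample.
for p in 8080 8443; do
    if printf '%s\n' "$SAMPLE_PORTS" | port_in_type http_port_t tcp "$p"; then
        echo "tcp/$p: in http_port_t"
    else
        labels=$(printf '%s\n' "$SAMPLE_PORTS" | types_for_port tcp "$p")
        echo "tcp/$p: not in http_port_t (labelled: ${labels:-none})"
    fi
done
```

On a live host, pipe `semanage port -l` into the same functions instead of the sample; a port can be added to the list with `semanage port -a -t http_port_t -p tcp PORT`.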