tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 23371] - running tomcat standalone as non-root on port 443
Date Wed, 24 Sep 2003 05:18:29 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23371>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23371

running tomcat standalone as non-root on port 443

hauser@acm.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|Normal                      |Enhancement
             Status|RESOLVED                    |REOPENED
         Resolution|INVALID                     |



------- Additional Comments From hauser@acm.org  2003-09-24 05:18 -------
Tim, thanks for the quick reply.

Unfortunately, on the page you reference I don't see port 80 mentioned.
- "How do I force all my pages to run under HTTPS?"
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23371 mentions
security-constraints in web.xml once an httpd has taken port 80 and 443, but not
how I can convince Linux to give a port < 1000 to a non-root user in the first
place.

- "Tomcat as root and security issues" basically mentions squid or other port
forwarders... ==> if the answer is that Tomcat can't run under 443 or 80
standalone as non-root, then, my suggestion is to add another paragraph to the
security FAQ!

Looking around for similar useful information, for example
http://jakarta.apache.org/tomcat/tomcat-4.1-doc/RUNNING.txt only hints at port
8080 but not sub-1000 ports.

In many environments firewalls restrict outgoing traffic to 80 and 443. Does
this mean that all the users of these environments can never see a standalone
tomcat site?

Or, at least has anybody built and successfully deployed a chroot'ing
starter-utility that could be easily used for this as a second-best fix?
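The port-forwarding approach the comment alludes to, as an added example (not code from the bug thread or the Tomcat project): an iptables NAT redirect sends ports 80 and 443 to Tomcat's unprivileged connector ports, so Tomcat runs as a non-root user and never binds a port below 1024 itself. It assumes a Linux host with iptables and its nat table, and Tomcat listening on the default 8080/8443 connectors.

```shell
#!/bin/sh
# Added example: emit (default) or execute (--apply) iptables NAT rules that
# redirect privileged ports 80/443 to Tomcat's unprivileged connectors.
# Assumes iptables with the nat table; 8080/8443 are Tomcat's default ports.

# tomcat_redirect_rules LOWPORT HIGHPORT [RUNNER]
# RUNNER defaults to "echo" (dry run); pass "" to actually execute iptables.
# Two rules per port: PREROUTING covers traffic arriving on an interface,
# OUTPUT covers locally generated traffic, which PREROUTING never sees.
# Without the OUTPUT rule, a test from the box itself ("curl https://localhost/")
# fails while remote clients work, a classic source of confusion.
tomcat_redirect_rules() {
    low=$1; high=$2; do_cmd=${3-echo}
    # Refuse setups that defeat the purpose: the target must be unprivileged.
    [ "$low" -ge 1 ] && [ "$low" -lt 1024 ] \
        || { echo "low port $low must be below 1024" >&2; return 1; }
    [ "$high" -ge 1024 ] && [ "$high" -le 65535 ] \
        || { echo "high port $high must be 1024..65535" >&2; return 1; }
    $do_cmd iptables -t nat -A PREROUTING -p tcp --dport "$low" \
        -j REDIRECT --to-ports "$high" || return 1
    $do_cmd iptables -t nat -A OUTPUT -o lo -p tcp --dport "$low" \
        -j REDIRECT --to-ports "$high" || return 1
}

# Rules for both default connectors (HTTP 8080, HTTPS 8443).
# "--apply" needs root once, at setup time, not for Tomcat's lifetime.
tomcat_redirect_all() {
    if [ "${1:-}" = "--apply" ]; then runner=""; else runner=echo; fi
    for pair in 80:8080 443:8443; do
        tomcat_redirect_rules "${pair%%:*}" "${pair##*:}" "$runner" || return 1
    done
}

# Dry run by default so the rules can be inspected before applying them.
case "${1:-}" in
    --apply) tomcat_redirect_all --apply ;;
    *)       tomcat_redirect_all ;;
esac
```

Applying the rules changes nothing about which user Tomcat runs as; it only means the kernel, not the JVM, owns the privileged ports.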
