tomcat-users mailing list archives

From Kitching Simon <Simon.Kitch...@orange.ch>
Subject RE: ANYONE gotten tomcat3.1 stand-alone to work with linux ?
Date Fri, 20 Oct 2000 12:46:48 GMT
Hi Charles,

As Adi says, in unix ports < 1024 are only 
openable from programs running as root. 
This is deliberate, and very wise as it prevents
users on that machine from pretending to
be system services like "logon" or "telnet".
You can imagine the fun someone could
have impersonating these....:-)

I'm pretty sure this feature is not changeable 
without hacking the kernel source code. 

There are the following standard workarounds:

(a) run tomcat as root, but with a java2 security
policy file that restricts its access rights, i.e.
TOMCAT_OPTS="-Djava.security.manager=default \
-Djava.security.policy=some_java_policy_file"
export TOMCAT_OPTS

For sites that aren't too concerned about security
this may be sufficient. Even if a hacker tricks tomcat
into running their code, they also need to trick the
JVM into bypassing its security policy - not easy.

(b) use apache or other webserver as a front-end
to tomcat. Tomcat then runs its AJP port on 
8007 or something else > 1024. For a description
of how Apache can run safely on port 80, see the
apache documentation.

(c) use a firewall product to redirect connection requests
on port 80 to a port like 8080.


The truly paranoid can try a combination of all the above...

Regards,

Simon


> -----Original Message-----
> From:	Adi Eyal [SMTP:adi.eyal@gloviz.co.za]
> Sent:	Friday, October 20, 2000 2:25 PM
> To:	'tomcat-user@jakarta.apache.org'
> Subject:	RE: ANYONE gotten tomcat3.1 stand-alone to work with linux ?
> 
> Hi Charles
> 
> In linux, and most other Unixes I imagine, only root can bind to ports
> below 1023 (I think that's the limit). I don't know how easy (or wise)
> it is to change that policy.
> 
> Adi
> 
> -----Original Message-----
> From: Charles Sabourdin [mailto:zouylll@yahoo.com]
> Sent: 20 October 2000 02:27
> To: tomcat-user@jakarta.apache.org
> Subject: Re: ANYONE gotten tomcat3.1 stand-alone to work with linux ?
> 
> 
>   Hi!
>   This thread might be wrong but I use tomcat
> standalone, on RedHat 6.2 with jdk 1.3 (firstly IBM,
> now I try the SUN version). And I have a problem
> that seems related. If I use tomcat as a user on port
> 8080, it works. If I use tomcat as a user on port 80,
> I have the same error (FATAL:java.net.BindException:
> Permission denied
> java.net.BindException: Permission denied
>         at java.net.PlainSocketImpl.socketBind(Native Method)).
> If I use tomcat as root [or command su] on
> port 80, then it works. It is surely linked to the
> permission policy of my linux, but I am still a newbie
> in linux.
> regards
> 
> 
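Simon's option (b) defers to the Apache documentation for how a server can run safely on port 80; the pattern is to bind the privileged socket while the process is still root and then permanently drop to an unprivileged user before serving anything. The block below is an added example written for this page, not code from the thread, Tomcat or Apache; it also reproduces the "Permission denied" bind refusal Charles reports, and it assumes an unprivileged account named `nobody` exists.

```python
import errno
import os
import pwd
import socket

def is_privileged_port(port):
    # Ports 1..1023 are reserved for root on traditional Unix systems.
    return 0 < port < 1024

def bind_listener(port, host="0.0.0.0"):
    # Bind and listen. Binding a privileged port without root raises PermissionError
    # (EACCES), the kernel refusal the JVM shows as "java.net.BindException: Permission denied".
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    try:
        sock.bind((host, port))
        sock.listen(16)
    except OSError:
        sock.close()
        raise
    return sock

def drop_privileges(user="nobody"):
    # Permanently give up root once the socket is bound. Groups and gid go first
    # (they still need root), the uid last. Returns False if we were never root.
    if os.geteuid() != 0:
        return False
    pw = pwd.getpwnam(user)  # assumed: an unprivileged account of this name exists
    os.setgroups([])
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)  # sets real, effective and saved uid: no way back to root
    try:
        os.setuid(0)  # must fail now; success would mean the drop was not permanent
    except PermissionError:
        return True
    raise RuntimeError("privilege drop did not stick")

def classify_bind(port, host="127.0.0.1"):
    # Probe a port and report "bound", "permission denied" or "in use".
    try:
        sock = bind_listener(port, host)
    except PermissionError:
        return "permission denied"
    except OSError as exc:
        if exc.errno != errno.EADDRINUSE:
            raise
        return "in use"
    sock.close()
    return "bound"
```

A daemon started by root calls `bind_listener(80)` first and `drop_privileges()` immediately after, so no request is ever handled with root privileges; `classify_bind(80)` run as an ordinary user returns "permission denied".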
