tomcat-users mailing list archives

From "CPC Livelink Admin" <cpclv...@fitzpatrick.cc>
Subject RE: Running Tomcat as non-root user
Date Tue, 16 Jan 2001 17:35:13 GMT

You may be able to write yourself some native code to do the switcheroo for
you. Then use the Java calls to the native call. The code to do the user
switch is readily available (though I have not searched for it now, I have
seen it before, and it is also available from Apache subject to the ASL).
This, of course, makes you relatively platform specific.

-----Original Message-----
From: ronin@mail.inclusion.net [mailto:ronin@mail.inclusion.net]On
Behalf Of Geoff Lane
Sent: Tuesday, January 16, 2001 12:29 PM
To: tomcat-user@jakarta.apache.org
Subject: Re: Running Tomcat as non-root user


Kitching - Thanks for the response. I was afraid of that.
'ifconfig' is the utility that lets you see information about the
network interfaces, not a firewall. :) Do you run multiple machines with
a firewall in front of them to do the redirection (w/ load balancing for
example) or do you run the firewall on each machine individually?

I asked our operations people about the same thing being done in our
load balancer (F5/BigIP) - but apparently it can't be done there.
Setting up a redirect on each machine could be a pain - not that I'd
have to do it. :)
Thanks again.

Kitching Simon wrote:
>
> Hi Geoff,
>
> As far as I know (and I did a fair bit of research on this
> topic), there is no way for any java app to start as one
> user, then switch to running as another user.
>
> What I do is run tomcat on port 8080 as non-root, and
> use a firewall product to redirect port 80 -> 8080. This
> works fine.
>
> I can't give you great details, as the firewall stuff was
> set up by a sysadmin (which I am not), but we use
> Solaris and I think the firewall is "ifconfig". I guess
> that linux' ipchains or ipfilter or whatever can do the
> same job.
>
> Regards,
>
> Simon
> > -----Original Message-----
> > From: Geoff Lane [SMTP:glane@inclusion.net]
> > Sent: Monday, January 15, 2001 11:46 PM
> > To:   tomcat-user@jakarta.apache.org
> > Subject:      Running Tomcat as non-root user
> >
> > In the Tomcat UG under the heading 'Modify and Customize the Batch
> > Files' it says one of the reasons to do so (modify start up scripts)
> > would be: "To switch user from root to some other user using the "su"
> > UNIX command."
> >
> > This is an excellent idea from a security standpoint. But to bind to
> > port 80 (instead of the default high port 8080) root is needed. How many
> > applications do this (Apache for example) is to initially run as root,
> > bind to port 80, and then drop root privileges. Is something like this
> > possible with Tomcat running standalone? Running concurrently with
> > Apache would accomplish this because the AJP connection could be run as
> > any user since it's on a high port.
> >
> > Thanks.
> >

--

Geoff Lane <glane@inclusion.net>
(650) 969-5000 x104



