tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Chuck Amadi <>
Subject Re: Solved! Tomcat on port 80 without root, on Linux
Date Tue, 17 Sep 2002 08:04:11 GMT
Nikola Milutinovic wrote:

> Mr. Tomcat wrote:
>> "Can I run Tomcat on port 80 not as root?" seems to come up with some
>> regularity on this list.  Web servers have to be able to safely process
>> untrusted, dangerous data from any host on the Internet.  Obviously,
>> they should run at the lowest possible privilege level, so that if the
>> server is compromised, the attacker will be limited in what he can do.
> Every server should run at the lowest possible level, preferably in 
> CHROOT. The dissadvantage is the overhead and duplication of files. 
> Some of the most popular can be run this way, BIND, OpenSSH, (Sendmail 
> ?), Cyrus IMAP (just user part),...
>> Java minimizes this problem.  Triggering a buffer overflow with some
>> kind of input to Tomcat would be extremely difficult.  However, a web
>> app might have a bug that allows an attacker to trick it into writing to
>> a file which it shouldn't write to, or something like that.  The fewer
>> things that the JVM itself can do, the better.  Hence, running the
>> server as a special user with limited access is smart.  Running it as
>> root is not smart, if it can possibly be avoided.
> True. Although, perhaps it is better to run a robust front-end in 
> heavy loaded environments, like Apache.
>> There has been a long-standing misfeature in Unix that only root can
>> bind to ports less than 1024 ("privileged ports").
> This a flaming material - watch out! Every UNIX admin (like me) will 
> scream at the mention of this being a misfeature. If ports < 1024 are 
> considered reserved for some services, then I really wouldn't want an 
> unpriviledged process to bind to any of them. That would mean that 
> even if I have a CHROOT-ed unpriviledged process, say DNS, that got 
> compromized, it could turn my server into a platform for any kind of 
> service, not just the one that got compromized.
>> Usually, this means
>> that Tomcat standalone must run as root, or the Linux NAT tools must be
>> used to map port 80 to some higher port.  Running as root is obviously
>> undesirable.  Using NAT may be a good idea, but it would be nice to have
>> another option: Why not tweak the kernel to remove the "security
>> feature"?
> Because we got used to UNIX semantics. Only "root" can bind to 
> priviledged ports and we either like it or got used to it.
>> If you want to build a custom kernel that lets all users bind to low
>> ports, edit this file in the kernel: include/net/sock.h, and change
>> PROT_SOCK from 1024 to 0.  Recompile, install, and now any user can bind
>> process to any port.
>> Before you do this, make sure you think through all the implications of
>> it.  If you have untrusted users on the machine with this modified
>> kernel, they will now be able to run any kind of network services they
>> want to.  This is obviously bad, so don't use this kind of kernel on any
>> machine with untrusted users.  It could have other implications, too, so
>> use this modification at your own risk.
> No user is trusted, as far as I'm concerned. Except fo "root".
> Anyway, thanks for posting this to the "knowledge base". Anybody doing 
> this better be sure (s)he knows what (s)he's doing.
> Nix.
> -- 
> To unsubscribe, e-mail:   
> <>
> For additional commands, e-mail: 
> <>
Interesting topic as I have always stuck to the logic to run everything 
above 1024 Now I have got a clearer reason why.
Nice One!!

Chuck Amadi
ICT Dept Systems Programmer
Rhaglenydd Systemau Adran ICT

To unsubscribe, e-mail:   <>
For additional commands, e-mail: <>

View raw message