tomcat-users mailing list archives

From Cees van de Griend <c...@pobox.com>
Subject Re: Why run tomcat as root
Date Thu, 05 Dec 2002 19:27:10 GMT
On Thursday 05 December 2002 15:23, Kristján Rúnarsson wrote:
> This leaves me with the option of running apache as a normal user and
> setting up some sort of a redirect service that runs as root which is a
> pretty inelegant solution compared to a tomcat that suid's itself down
> after accessing privileged resources.

Don't panic!
I have traveled your route already.

It's quite easy to redirect remote traffic to another port:
# iptables -t nat -A PREROUTING -p tcp -d <your_IP> --dport 80 \
	-j REDIRECT --to-port 8080

You have to change $TOMCAT_HOME/conf/server.xml and add the option proxyPort to 
each connector.

If this is not enough, I can give you my firewall script which blocks all 
incoming traffic but allows remote traffic to the low and high HTTP-ports and 
sets up the DNAT.

The difficult part is to set up *local* traffic to the server. This kind of 
traffic never reaches the PREROUTING part of the chain. If you don't allow 
browsers on your server, you are done. If you - as do I - use your server as 
your desktop machine, you also need a *local* port forwarder. 

If you want, I can give you my setup and the solutions I found.

> Cheers
>
> KR

Regards,
Cees.
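
An added example, not part of the original message and not Cees's own setup: one way to cover both cases described above, the remote redirect in nat/PREROUTING and the local one in nat/OUTPUT, so Tomcat can stay on an unprivileged port under a non-root account. The function names, the variables SERVER_IP, LOW_PORT, HIGH_PORT and APPLY, and the address 192.0.2.10 are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example. Prints (or, with APPLY=1, runs as root) the NAT rules that let
# a non-root Tomcat on a high port answer on port 80. Sample values are constructed.

valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;          # empty or non-numeric
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# redirect_rules IP LOW_PORT HIGH_PORT
# Emits one iptables command per line; returns 1 on bad input.
redirect_rules() {
    ip=$1; low=$2; high=$3
    [ -n "$ip" ] || return 1
    valid_port "$low" && valid_port "$high" || return 1
    # The real listener must be unprivileged, otherwise Tomcat still needs root.
    [ "$high" -ge 1024 ] || return 1
    # Remote clients: packets arriving on an interface pass through nat/PREROUTING.
    echo "iptables -t nat -A PREROUTING -p tcp -d $ip --dport $low -j REDIRECT --to-ports $high"
    # Local clients: locally generated packets never see PREROUTING; they pass nat/OUTPUT.
    echo "iptables -t nat -A OUTPUT -p tcp -d $ip --dport $low -j REDIRECT --to-ports $high"
    echo "iptables -t nat -A OUTPUT -p tcp -d 127.0.0.1 --dport $low -j REDIRECT --to-ports $high"
}

main() {
    rules=$(redirect_rules "${SERVER_IP:-192.0.2.10}" "${LOW_PORT:-80}" "${HIGH_PORT:-8080}") || {
        echo "invalid address or port" >&2
        return 1
    }
    if [ "${APPLY:-0}" = 1 ]; then
        # Stop at the first rule that fails so a half-applied set is noticed.
        echo "$rules" | while read -r cmd; do $cmd || exit 1; done
    else
        echo "$rules"                     # dry run: review before applying
    fi
}

main "$@"
```

Run without APPLY to review the rules first; the listener on the high port stays reachable directly unless a filter rule restricts it.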
