tomcat-users mailing list archives

From "Shapira, Yoav" <Yoav.Shap...@mpi.com>
Subject RE: Separate List (FKA: Re: Running Tomcat3 on port 80)
Date Mon, 16 Jun 2003 14:46:42 GMT

Howdy,

> So it's possible?  I'd love to be part of the effort if it is....for
> some reason, I didn't think it was.

Nothing is impossible technically ;)  It's just varying degrees of
cleanliness.  Tomcat just runs inside a JVM, not much to do there in so
far as root privileges.

But there are many other options in the unix world.  

For example, on my dev machine (Solaris 8), I don't know the root
password, so I can't log in as root.  But I have sudo permission to
everything.  So I do 
sudo startup.sh 

And voila, I'm running tomcat 4.1.24 standalone on port 80.  No special
configuration (just changed server.xml from 8080 to 80), no java
permissions/policies to worry about or modify, etc.

So sudo on Solaris works for me.  I'm not as familiar with linux as I
should be, but I know sudo is available for it.  An article with sudo
rationale, examples, and download links for linux can be found here:
http://www.zdnet.com.au/newstech/enterprise/story/0,2000048640,20263478,00.htm
(among many other places).

This would require the consent of your system administrator, of course,
who would have to give you sudo $CATALINA_HOME/bin/startup.sh.  But I
see this as a valid safety requirement, not a hindrance.

When I do this, my server on solaris runs as the root user, which is not
good from a security perspective.  Oddly enough, the logs are written as
the nobody user which is much better.  

So maybe we could have another startup script, call it
privilegedStartup.sh, which starts the server as root, to let the port
binding succeed, and then changes its own uid to something less than
root, e.g. the nobody user.

All of this comes with the caveat that, IMHO, the <1023 port restriction
for normal users is a good thing.  If you're going around it, you will
lose some security and it's your own problem to worry about.

Yoav Shapira
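The "privilegedStartup.sh" idea above (bind the privileged port as root, then switch to an unprivileged account such as nobody) is the classic bind-then-drop pattern. The following Python script is an added example written for this archive page; it is not part of the original message and not Tomcat's own startup code. It binds a listener, drops to the target account in the safe order (supplementary groups, then gid, then uid), verifies the drop cannot be reversed, and then proves the socket obtained while privileged still accepts connections as the unprivileged user. When run unprivileged it uses an ephemeral port and "drops" to the current user, which is the only switch a non-root process is allowed; the helper names (bind_listener, drop_privileges, can_regain_root, unprivileged_target, serve_as) are this example's own.

```python
import os
import pwd
import socket


def bind_listener(port, host="0.0.0.0"):
    """Bind and listen. For port < 1024 this must run as root (or, on Linux,
    with CAP_NET_BIND_SERVICE). The returned socket stays usable after the
    process changes uid, which is what makes bind-then-drop work."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, port))
    s.listen(16)
    s.settimeout(5)  # never hang forever in accept()
    return s


def can_regain_root():
    """True if setuid(0) still succeeds, i.e. the drop was not real (for
    example only the effective uid was changed and the saved uid is still 0)."""
    try:
        os.setuid(0)
    except PermissionError:
        return False
    return True


def drop_privileges(user):
    """Switch to `user` permanently. Order matters: once the uid is no longer
    0, setgroups()/setgid() would fail, so shed groups first and uid last."""
    pw = pwd.getpwnam(user)
    if os.getuid() == 0:
        os.setgroups([])        # drop root's supplementary groups
    os.setgid(pw.pw_gid)        # then the primary group
    os.setuid(pw.pw_uid)        # real, effective and saved uid all change
    if can_regain_root():
        raise RuntimeError("privilege drop is reversible; refusing to continue")
    return os.getuid(), os.getgid()


def unprivileged_target():
    """Account to drop to: nobody (or daemon) when root; otherwise the
    current user, since an unprivileged process may only setuid() to itself."""
    if os.getuid() != 0:
        return pwd.getpwuid(os.getuid()).pw_name
    for name in ("nobody", "daemon"):
        try:
            pwd.getpwnam(name)
            return name
        except KeyError:
            continue
    raise RuntimeError("no unprivileged account found to drop to")


def serve_as(port, user, host="127.0.0.1"):
    """Bind first (privileged), drop second, then show the listener still
    accepts a connection as the unprivileged user. Returns what happened."""
    listener = bind_listener(port, host)
    bound_port = listener.getsockname()[1]
    uid, gid = drop_privileges(user)
    client = socket.create_connection((host, bound_port), timeout=5)
    conn, _ = listener.accept()
    conn.sendall(b"hello from uid %d\n" % uid)
    reply = client.recv(64)
    for s in (conn, client, listener):
        s.close()
    return {"port": bound_port, "uid": uid, "gid": gid, "reply": reply}


if __name__ == "__main__":
    # `sudo python3 bind_then_drop.py` binds port 80 and ends up as nobody;
    # run unprivileged it uses an ephemeral port (port 80 would fail with
    # EACCES, which is exactly the <1024 restriction the message refers to).
    print(serve_as(80 if os.getuid() == 0 else 0, unprivileged_target()))
```

Two practical notes on the sudo route discussed in the message: granting "sudo $CATALINA_HOME/bin/startup.sh" is only as strong as the write permissions on that script and on the JARs it launches, since anyone who can edit them gets a root shell; and a Java process has no portable way to call setuid() itself, so the uid change either happens in a wrapper like the one above before the JVM is exec'd (on Linux the JSVC/commons-daemon launcher and CAP_NET_BIND_SERVICE are the usual answers), or the JVM keeps running as root.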


