From John Turner <tomcat-u...@johnturner.com>
Subject Re: Running Tomcat as Non-Root
Date Fri, 18 Jul 2003 21:00:04 GMT

Not for me.  I only have one Java service and that's Tomcat.  I run Apache 
on port 80, and everything is just fine, and I don't have to worry (too 
much) about anything, as Apache's downgrading mechanism is well tested.

So, as a sys-admin, there's no benefit to me whatsoever, as I will most 
likely never run anything Java-based as a service when things like 
procmail, qmail, openLDAP, etc. all exist already and are actively 
developed.  My only need for a Java application is Tomcat, and possibly 
some EJB container at some point in the future though I highly doubt it.

This could easily get into a flame war...my point is, just because you CAN 
write something in Java doesn't automatically mean you SHOULD, especially 
from the point of view of someone like me who has many systems to manage 
and knows full well that there are tools out there that are battle-tested 
and suit the required purpose just fine without rewriting them in the 
latest-greatest language.

There are thousands of things written in Visual Basic.  Most are garbage.  
But, when "Visual Basic 2004" comes out, everyone fights for the chance to 
rewrite everything in the new language.  Most of that is garbage as well.

For me to decide that a Java app should replace a tool that already exists 
(whatever it's written in), you'll have to persuade me that it is better in 
some way than the old tool, and "better" does not mean "written in Java".  
Thus, the potential number of Java-based services for me is very small, and 
the ones I need already exist and I am comfortable with how they work.

I have many production systems.  All of them are firewall-restricted for 
inbound connections from remote hosts, limited to ports 22, 80, and 443 
except for the mail server which allows 25 and 110.  Where do I need a JVM 
that can bind to one of those ports?  I don't.  OpenSSH is well-tested (22), 
Apache rocks on 80 and 443, and qmail/sendmail rock on 25, as does 
something like qpopper on 110.  After that, I'm done, and I would guess 
that the Sun folks have probably made similar assessments.

John

On Fri, 18 Jul 2003 13:39:24 -0700, Lawrence, Gabriel <glawrence@ucsd.edu> 
wrote:

> So I'm going to take that as a no. No one has bothered to pester sun
> about this.
>
> And yes, the way things tend to work today is that people run these
> things with extra JVMs, although if it's running on port 25 they'd all
> have to be running as root.
>
> So I realize that it's possible that you could only drop privs down to a
> single user in the vm, but gee wouldn't that be hugely better than what
> we have today, where if I want to run <1024 I have to run as superuser?
>
> Surely you can see the benefit.
> -gabe
>
> -----Original Message-----
> From: John Turner [mailto:tomcat-user@johnturner.com] Sent: Friday, July 
> 18, 2003 1:35 PM
> To: Tomcat Users List
> Subject: Re: Running Tomcat as Non-Root
>
>
> So every Java-based service would need its own JVM instance?  Would you 
> want your Java-based MTA on port 25 running as your Tomcat user or vice 
> versa?  Isn't that how it would work if you configured the user account
> in the JVM...all services would run as the same user?  Seems like that
> would end up being pretty messy to manage.
>
> John
>
> On Fri, 18 Jul 2003 13:24:42 -0700, Lawrence, Gabriel
> <glawrence@ucsd.edu> wrote:
>
>> Right. I'm saying has anyone looked into submitting something to sun
>> asking them to make it possible to start up a process as root and then
>> drop down to another user like most native services do?
>>
>> I want that bridge between native user credentials and capabilities, and
>> the ability to switch which native user I'm running on (assuming the user
>> I'm running with has that capability.)
>>
>> This is missing in Java.
>> -gabe
>>
>> -----Original Message-----
>> From: Shapira, Yoav [mailto:Yoav.Shapira@mpi.com] Sent: Friday, July 18,
>> 2003 1:21 PM
>> To: Tomcat Users List
>> Subject: RE: Running Tomcat as Non-Root
>>
>>
>> Howdy,
>> Huh???  Have you looked at java.security.AccessController#doPrivileged()?
>>
>> The issue is that port binding is a native operation and there's no
>> bridge between the JDK java.security.Principal and the native user
>> credentials needed to open the port.
>>
>> Yoav Shapira
>> Millennium ChemInformatics
>>
>>
>>> -----Original Message-----
>>> From: Lawrence, Gabriel [mailto:glawrence@ucsd.edu]
>>> Sent: Friday, July 18, 2003 4:06 PM
>>> To: Tomcat Users List
>>> Subject: RE: Running Tomcat as Non-Root
>>>
>>> Has anyone submitted a request to get dropping privs into the JDK?  Or
>>> escalating privs to grab one of these ports and then dropping them
>>> again?
>>>
>>> As I see this request over and over again on this list I think there is
>>> a large number of people who would like to see it or would vote for it
>>> in the java bug parade.
>>>
>>> It also seems rather important for running a secure service to manage
>>> the privs. I know I could use a security manager/policy to restrict what
>>> can happen, but this doesn't restrict native libraries loaded into the
>>> process and requires more work on our part than just allowing the JDK to
>>> lose its privs...
>>>
>>> -gabe
>>>
>>> -----Original Message-----
>>> From: Shapira, Yoav [mailto:Yoav.Shapira@mpi.com]
>>> Sent: Friday, July 18, 2003 12:58 PM
>>> To: Tomcat Users List
>>> Subject: RE: Running Tomcat as Non-Root
>>>
>>>
>>> Howdy,
>>> Are you running on a unix OS?  If so, root is normally required if you
>>> want to run on a port < 1024.  There are workarounds, but they vary in
>>> complexity and portability, and none are that good at this point.  If
>>> you're running on a port higher than 1024, then you don't need to run as
>>> root at all.
>>>
>>> Yoav Shapira
>>> Millennium ChemInformatics
>>>
>>>
>>>> -----Original Message-----
>>>> From: Latesha Williams [mailto:lwilliam@amnh.org]
>>>> Sent: Friday, July 18, 2003 3:55 PM
>>>> To: Tomcat Users List
>>>> Subject: Running Tomcat as Non-Root
>>>>
>>>> Is it possible to run Tomcat as a non-root user, with root as the owner of
>>>> the entire Tomcat directory structure and grant file/directory permissions
>>>> to the non-root account?  Please advise.
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
>>>> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>>>
>>>
>>>
>>>
>>> This e-mail, including any attachments, is a confidential business
>>> communication, and may contain information that is confidential,
>>> proprietary and/or privileged.  This e-mail is intended only for the
>>> individual(s) to whom it is addressed, and may not be saved, copied,
>>> printed, disclosed or used by anyone else.  If you are not the(an)
>>> intended recipient, please immediately delete this e-mail from your
>>> computer system and notify the sender.  Thank you.
>>>
>>>
>>
>
>
>



-- 
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/


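The pattern Gabe asks for above (start as root, grab the port below 1024, then switch to an unprivileged native user) is what C daemons such as Apache do, and it is what a security manager policy cannot give you because, as he notes, the policy does not cover native code. Here it is as an added example in Python, not code from the list post or from Tomcat, so the steps are visible: bind first, drop second, and verify that root cannot be regained before serving anything. The account name "tomcat", port 80 and the loopback bind address used by the demo are assumptions.

```python
"""Bind a privileged port as root, then drop to an unprivileged user.

Added example, not code from the list post or from Tomcat. Assumes a Unix
host; the account name "tomcat" and port 80 used by the demo are assumptions.
"""
import os
import pwd
import socket
import sys

PRIVILEGED_PORT_MAX = 1023  # 1..1023 need root (CAP_NET_BIND_SERVICE on Linux)


def is_privileged_port(port):
    """True for ports an unprivileged process cannot bind on Unix."""
    return 0 < port <= PRIVILEGED_PORT_MAX


def resolve_user(name):
    """Look up uid and primary gid *before* dropping: after the drop the
    process may no longer be able to read the account database."""
    entry = pwd.getpwnam(name)
    return entry.pw_uid, entry.pw_gid


def current_ids():
    return os.geteuid(), os.getegid()


def bind_listener(port, host="127.0.0.1"):
    """Bind while still privileged. The kernel checks privilege at bind(),
    not at accept(), so the fd stays usable after the uid changes."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(16)
    return sock


def drop_privileges(uid, gid):
    """Irreversibly become uid/gid and return the resulting (euid, egid).

    Order matters: supplementary groups and gid first (those calls need
    root), uid last (that call removes root). If uid 0 can still be regained
    afterwards the function raises, so a bad start fails closed instead of
    serving as root.
    """
    if os.geteuid() == 0:
        os.setgroups([])  # shed root's supplementary groups; root-only call
    os.setgid(gid)        # setgid/setuid replace real, effective AND saved ids,
    os.setuid(uid)        # so no saved uid 0 is left to switch back to
    if uid != 0:
        try:
            os.setuid(0)
        except PermissionError:
            pass          # expected: the drop stuck
        else:
            raise RuntimeError("regained uid 0 after dropping; refusing to run")
    return current_ids()


if __name__ == "__main__":
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 80
    user = sys.argv[2] if len(sys.argv) > 2 else "tomcat"  # assumed account
    uid, gid = resolve_user(user)
    listener = bind_listener(port)       # done as root when port < 1024
    print("bound port %d as uid %d" % (port, os.geteuid()))
    print("serving as uid/gid %d/%d" % drop_privileges(uid, gid))
    conn, peer = listener.accept()       # still works: the fd was opened as root
    conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok")
    conn.close()
```

Run it as root (`sudo python3 bind_then_drop.py 80 tomcat`) and connect with a browser; the response is served by a process that is no longer root and cannot become root again. The verification step is the part worth copying: a drop that leaves the saved uid at 0 (for example by using seteuid instead of setuid) looks identical in `ps` but is trivially reversible. For Tomcat itself this job is done outside the JVM by the jsvc launcher from Commons Daemon, whose `-user` option binds as root and then switches to the given account before Tomcat's Java code runs.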

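Latesha's original question, the layout where root owns the whole Tomcat tree and the non-root account only gets the permissions it needs, is the other half of running as non-root: dropping to a user is worth little if that user can rewrite bin/catalina.sh or read tomcat-users.xml. The following is an added example, not code from the list post or from Tomcat, that audits a tree against that policy and applies it. It assumes the standard CATALINA_HOME layout (bin, conf, logs, temp, webapps, work); the sample tree it builds and the uid/gid 65534 it uses for the service account are constructed for the demo.

```python
"""Audit and apply the layout asked about above: root owns the Tomcat tree,
the service account writes only logs/, temp/ and work/, and conf/ (which
holds server.xml and tomcat-users.xml) is readable by the service group only.
Added example, not code from the list post or from Tomcat; it assumes the
standard CATALINA_HOME layout, and the demo tree and uid/gid 65534 are
constructed for illustration."""
import os
import shutil
import stat
import tempfile

WRITABLE_DIRS = ("logs", "temp", "work")  # the only places the service account may write
SECRET_DIRS = ("conf",)                    # credentials live here: not world-readable


def _entries(home):
    """Every directory and file under home; symlinks are not followed."""
    for dirpath, _dirnames, filenames in os.walk(home):
        yield dirpath
        for name in filenames:
            yield os.path.join(dirpath, name)


def _top(home, path):
    rel = os.path.relpath(path, home)
    return "" if rel == "." else rel.split(os.sep)[0]


def audit_tree(home, svc_uid, svc_gid):
    """Return (path, problem) pairs; an empty list means the tree matches policy."""
    findings = []
    for path in _entries(home):
        st = os.lstat(path)
        mode, top = st.st_mode, _top(home, path)
        if mode & stat.S_IWOTH:
            findings.append((path, "world-writable"))
        if top not in WRITABLE_DIRS:
            if st.st_uid == svc_uid:
                findings.append((path, "owned by service account outside writable dirs"))
            elif st.st_gid == svc_gid and mode & stat.S_IWGRP:
                findings.append((path, "group-writable by service group outside writable dirs"))
        if top in SECRET_DIRS and mode & stat.S_IROTH:
            findings.append((path, "world-readable config"))
    return findings


def harden_tree(home, svc_uid, svc_gid):
    """Apply the policy; returns (changes made, chowns skipped). Mode changes
    work for the files' owner, ownership changes need root and are skipped
    (and counted) otherwise."""
    changed = skipped = 0
    is_root = os.geteuid() == 0
    for path in _entries(home):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue
        is_dir, top = stat.S_ISDIR(st.st_mode), _top(home, path)
        if top in WRITABLE_DIRS:      # service-owned and private
            owner, mode = (svc_uid, svc_gid), (0o750 if is_dir else 0o640)
        elif top in SECRET_DIRS:      # root-owned, readable by the service group
            owner, mode = (0, svc_gid), (0o750 if is_dir else 0o640)
        else:                         # root-owned, world-readable, writable by nobody else
            executable = is_dir or bool(st.st_mode & stat.S_IXUSR)
            owner, mode = (0, 0), (0o755 if executable else 0o644)
        if stat.S_IMODE(st.st_mode) != mode:
            os.chmod(path, mode)
            changed += 1
        if (st.st_uid, st.st_gid) != owner:
            if is_root:
                os.chown(path, *owner)
                changed += 1
            else:
                skipped += 1
    return changed, skipped


def mode_of(home, rel):
    return stat.S_IMODE(os.lstat(os.path.join(home, rel)).st_mode)


def make_demo_tree():
    """Constructed sample CATALINA_HOME with two deliberate mistakes."""
    home = tempfile.mkdtemp(prefix="catalina_demo_")
    for rel in ("bin", "conf", "logs", "temp", "webapps", "webapps/ROOT", "work"):
        os.mkdir(os.path.join(home, rel))
        os.chmod(os.path.join(home, rel), 0o750 if rel == "conf" else 0o755)
    files = {
        "bin/catalina.sh": 0o755,
        "conf/server.xml": 0o640,
        "conf/tomcat-users.xml": 0o644,   # mistake: credentials readable by every local user
        "logs/catalina.out": 0o640,
        "webapps/ROOT/index.jsp": 0o666,  # mistake: any local user can plant JSP code
    }
    for rel, mode in files.items():
        with open(os.path.join(home, rel), "w") as fh:
            fh.write("sample\n")
        os.chmod(os.path.join(home, rel), mode)
    return home


def remove_demo_tree(home):
    shutil.rmtree(home)


if __name__ == "__main__":
    home = make_demo_tree()
    for path, problem in audit_tree(home, 65534, 65534):
        print("BEFORE:", os.path.relpath(path, home), "-", problem)
    print("hardened: %d changes, %d chowns skipped (need root)" % harden_tree(home, 65534, 65534))
    print("AFTER:", audit_tree(home, 65534, 65534))
    remove_demo_tree(home)
```

Run `harden_tree` once as root against the real CATALINA_HOME with the service account's uid and gid, then keep `audit_tree` in a cron job or your config-management checks, because an upgrade or a hasty `chmod -R` silently undoes the layout. One caveat: if you rely on autoDeploy or the manager application to drop WAR files into webapps/, that directory has to be writable by the service account too, and the audit above would flag it; decide that trade-off deliberately rather than by making the whole tree writable.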