From: Maurice Yarrow
To: Tomcat Users List
Date: Tue, 10 Jan 2006 22:44:13 -0800
Subject: Re: Apache + Tomcat, Tomcat only handles JSP in localhost
Message-ID: <43C4A93D.7090306@best.com>
In-Reply-To: <200601101359.16701.oded@geek.co.il>

Hello Oded

A conventional, simple, and accepted secure solution to the problem of running tomcat as root is to daemon su -c /home/tomcat/tcstart.sh tomcat from root, which transfers tomcat to run under process ownership of user tomcat. Of course, you must create a user "tomcat", and of course, this user could be given any arbitrary name.

An excellent article and cookbook method for setting this up is provided at http://www-128.ibm.com/developerworks/java/library/l-secjav.html ("Securing Linux for Java Services", D. M. Sosnoski), which is an extensive explanation of setting up iptables to route port 80 correctly to tomcat, and which provides two small but very effective shell scripts (the first of which is started by root and which includes the important "daemon su..." line above):

  Listing 3. Tomcat service definition
  Listing 4. Sample tcstart.sh

In addition, there is information included also about "chroot jail", as the author says "for the truly paranoid".

Maurice Yarrow

Oded Arbel wrote:
>
> The most important reason that I use an Apache frontend for tomcat,
> which is probably not relevant to the original poster, is that under
> Unix only root processes can open port 80 (the default HTTP port), and
> so if tomcat is configured to serve pages on port 80, it must run as
> root.
> This is a serious security concern. Apache knows how to open port 80 and
> then change to a non-privileged user, something which AFAIK tomcat -
> being based on Java which does not support the concept of operating
> system privileges - cannot do.
>
> Therefore, some kind of frontend is required. While we are in the
> process of providing a frontend, it might as well be Apache which
> offers additional features: reverse-proxying and caching and support
> for a huge number of scripting languages (python, perl or ruby
> anyone ?) and other modules.
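The start-as-root-then-su pattern and the iptables port-80 hand-off that Maurice's message describes, as an added example written for this archive page. It is not code from the post, from the IBM article, or from Tomcat's own scripts. Everything in it is an assumption unless stated in the post: the service account is called tomcat, the JVM listens on unprivileged port 8080, port 80 is forwarded with a NAT REDIRECT rule (a PREROUTING rule for network traffic plus an OUTPUT rule on lo for connections from the host itself), and all function and variable names are my own. The last function is the privilege-dropping start sequence; the other three are pure helpers so that the checks can be exercised without root.

```shell
#!/bin/sh
# Added example, not from the mailing-list post or the IBM article.
# Assumed values: service account "tomcat", Tomcat listening on 8080,
# public port 80 forwarded with iptables NAT REDIRECT.

TOMCAT_USER="${TOMCAT_USER:-tomcat}"   # assumed unprivileged service account
TOMCAT_PORT="${TOMCAT_PORT:-8080}"     # assumed unprivileged Tomcat listener
PUBLIC_PORT="${PUBLIC_PORT:-80}"       # privileged port clients connect to

# Refuse to hand the service to an account that does not exist or is uid 0.
# Returns 0 when the account is acceptable, 1 otherwise.
validate_service_user() {
    user="$1"
    uid=$(id -u "$user" 2>/dev/null) || { echo "no such user: $user" >&2; return 1; }
    [ "$uid" -ne 0 ] || { echo "refusing to run as uid 0 ($user)" >&2; return 1; }
    return 0
}

# Print the iptables commands that forward the privileged public port to the
# unprivileged Tomcat port. PREROUTING catches traffic arriving from the
# network; the OUTPUT rule on lo catches connections made from the host.
build_redirect_rules() {
    public="$1"; private="$2"
    printf 'iptables -t nat -A PREROUTING -p tcp --dport %s -j REDIRECT --to-ports %s\n' "$public" "$private"
    printf 'iptables -t nat -A OUTPUT -o lo -p tcp --dport %s -j REDIRECT --to-ports %s\n' "$public" "$private"
}

# Detection check for the concern raised in the thread: given "user pid args"
# lines as printed by `ps -eo user,pid,args`, report whether any Tomcat JVM
# (a java process with catalina on its command line) is owned by root.
# Returns 0 if a root-owned Tomcat process is present, 1 otherwise.
tomcat_runs_as_root() {
    printf '%s\n' "$1" | awk '
        $1 == "root" && /java/ && /catalina/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Start sequence run by root: check the account, install the port redirect,
# then drop privileges with su before the JVM starts. This mirrors the
# "daemon su -c /home/tomcat/tcstart.sh tomcat" line quoted in the post;
# the Red Hat "daemon" wrapper is omitted so the script stays portable.
start_tomcat_unprivileged() {
    validate_service_user "$TOMCAT_USER" || return 1
    build_redirect_rules "$PUBLIC_PORT" "$TOMCAT_PORT" | sh || return 1
    su -c /home/tomcat/tcstart.sh "$TOMCAT_USER"
}

# Usage on the Tomcat host, as root (not executed when the file is sourced):
#   . ./tomcat-unprivileged.sh && start_tomcat_unprivileged
# Periodic check from cron, as any user:
#   tomcat_runs_as_root "$(ps -eo user,pid,args)" && echo "ALERT: Tomcat is running as root"
```

Note that the redirect rules are only printed by build_redirect_rules; start_tomcat_unprivileged pipes them to sh, so an operator can review or log them first. The detection helper takes its ps output as an argument rather than calling ps itself, which is what lets the same function be run against captured or constructed process listings.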