tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: [OT] Running as user tomcat [authbind]
Date Mon, 26 Feb 2018 14:59:32 GMT

Coty and André,

On 2/23/18 6:58 PM, Coty Sutherland wrote:
> Also see https://bz.apache.org/bugzilla/show_bug.cgi?id=60560 :)
> I've been planning to push a solution for that, just haven't gotten
> around to it yet.
> 
> On Fri, Feb 23, 2018 at 5:34 PM, André Warnier (tomcat)
> <aw@ice-sa.com> wrote:
>> On 23.02.2018 23:32, André Warnier (tomcat) wrote:
>>> 
>>> On 23.02.2018 18:52, Peter@Kreuser-Online wrote:
>>>> 
>>>> Hi Chris,
>>>> 
>>>> 
>>>> 
>>>>> On 23.02.2018 at 18:36, Cheltenham, Chris wrote
>>>>> <ccheltenham-ext@philasd.org>:
>>>>> 
>>>>> Hello All,
>>>>> 
>>>>> I am trying to run tomcat as a non root user.
>>>>> 
>>>>> It will start as the tomcat user but it will not bind to
>>>>> connector 443 unless it starts as root.
>>>>> 
>>>>> Does anyone know why?
>>>> 
>>>> 
>>>> Unix will not let you open ports below 1024 as a non-root
>>>> user!
>>>> 
>>>> You may use a proxy in front of it or maybe use iptables to
>>>> be able to use standard ports AND user tomcat.
>>> 
>>> 
>>> See also :
>>> https://commons.apache.org/proper/commons-daemon/jsvc.html
>> 
>> 
>> Or if you are running under Linux, check : 
>> https://en.wikipedia.org/wiki/Authbind

I'm curious ... can authbind be used to *restrict* processes as well
as to grant them access? For example, let's say that I want Tomcat to
be able to bind to port 8080, it generally will be able to do that
unless some other process has bound already. But let's say I
specifically DO NOT want Tomcat to be able to bind to port 8443. Can I
use authbind to set a blacklist of ports, too? Or, can I blacklist
everything and set up a whitelist that contains only port 8080?

-chris