tomcat-users mailing list archives

From Coty Sutherland <csuth...@apache.org>
Subject Re: [OT] Running as user tomcat [authbind]
Date Mon, 26 Feb 2018 15:29:08 GMT
On Mon, Feb 26, 2018 at 9:59 AM, Christopher Schultz
<chris@christopherschultz.net> wrote:
> Coty and André,
>
> On 2/23/18 6:58 PM, Coty Sutherland wrote:
>> Also see https://bz.apache.org/bugzilla/show_bug.cgi?id=60560 :)
>> I've been planning to push a solution for that, just haven't gotten
>> around to it yet.
>>
>> On Fri, Feb 23, 2018 at 5:34 PM, André Warnier (tomcat)
>> <aw@ice-sa.com> wrote:
>>> On 23.02.2018 23:32, André Warnier (tomcat) wrote:
>>>>
>>>> On 23.02.2018 18:52, Peter@Kreuser-Online wrote:
>>>>>
>>>>> Hi Chris,
>>>>>
>>>>>
>>>>>
>>>>>> Am 23.02.2018 um 18:36 schrieb Cheltenham, Chris
>>>>>> <ccheltenham-ext@philasd.org>:
>>>>>>
>>>>>> Hello All,
>>>>>>
>>>>>> I am trying to run tomcat as a non root user.
>>>>>>
>>>>>> It will start as the tomcat user but it will not bind to
>>>>>> connector 443 unless it starts as root.
>>>>>>
>>>>>> Does anyone know why?
>>>>>
>>>>>
> >>>>> Unix will not let you open ports below 1024 as a non-root
> >>>>> user!
>>>>>
>>>>> You may use a proxy in front of it or maybe use iptables to
>>>>> be able to use standard ports AND user tomcat.
>>>>
>>>>
>>>> See also :
>>>> https://commons.apache.org/proper/commons-daemon/jsvc.html
>>>
>>>
>>> Or if you are running under Linux, check :
>>> https://en.wikipedia.org/wiki/Authbind
>
> I'm curious ... can authbind be used to *restrict* processes as well
> as to grant them access? For example, let's say that I want Tomcat to
> be able to bind to port 8080, it generally will be able to do that
> unless some other process has bound already. But let's say I
> specifically DO NOT want Tomcat to be able to bind to port 8443. Can I
> use authbind to set a blacklist of ports, too? Or, can I blacklist
> everything and set up a whitelist that contains only port 8080?

I'm not sure about authbind, but SELinux is effectively a whitelist
which only includes a handful of ports (in http_port_t)... assuming
that it's enabled.

>
> -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
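An added example (editor's code, not posted by Coty, Chris or the Tomcat project) showing the two gates the thread touches: the kernel's privileged-port rule below 1024, and SELinux's http_port_t whitelist. It assumes the constructed `semanage port -l` sample embedded below and authbind's `/etc/authbind/byport/<port>` convention; the `semanage port` commands in the comments are the real ones.

```shell
#!/bin/sh
# Constructed sample of `semanage port -l` output (not captured from a real host);
# on a live host run:  semanage port -l | grep http_port_t
SAMPLE_SEMANAGE='http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
unreserved_port_t              tcp      1024-32767, 61000-65535'
# Ports below 1024 need root, CAP_NET_BIND_SERVICE, or an authbind grant.
is_privileged_port() {
    [ "$1" -lt 1024 ]
}
# authbind_path PORT: the per-port file authbind consults; its existence and
# permissions decide whether the calling user may bind that port.
authbind_path() {
    printf '/etc/authbind/byport/%s\n' "$1"
}
# selinux_port_allowed TYPE PORT [SEMANAGE_OUTPUT]
# Succeeds when PORT appears, singly or inside a range, on TYPE's tcp line.
selinux_port_allowed() {
    sel_type="$1"; port="$2"; out="${3:-$SAMPLE_SEMANAGE}"
    line=$(printf '%s\n' "$out" | grep "^$sel_type[[:space:]]" | grep '[[:space:]]tcp[[:space:]]')
    [ -n "$line" ] || return 1
    ports=$(printf '%s\n' "$line" | sed 's/^[^[:space:]]*[[:space:]]*tcp[[:space:]]*//' | tr -d ' ' | tr ',' '\n')
    for p in $ports; do
        case "$p" in
            *-*) lo=${p%-*}; hi=${p#*-}
                 [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] && return 0 ;;
            *)   [ "$port" -eq "$p" ] && return 0 ;;
        esac
    done
    return 1
}
# explain_bind PORT: say why a non-root Tomcat could or could not bind PORT.
explain_bind() {
    port="$1"
    if is_privileged_port "$port"; then
        echo "port $port: privileged; user tomcat needs authbind ($(authbind_path "$port")), CAP_NET_BIND_SERVICE, or a proxy/iptables redirect in front"
    else
        echo "port $port: unprivileged; the kernel lets any user bind it"
    fi
    if selinux_port_allowed http_port_t "$port"; then
        echo "port $port: listed in http_port_t, so an enforcing SELinux permits the bind"
    else
        echo "port $port: not in http_port_t; enforcing SELinux denies it unless added with: semanage port -a -t http_port_t -p tcp $port"
    fi
}

explain_bind 443
explain_bind 8080
```

Note that in the stock policy 8080 is not in http_port_t (it sits in http_cache_port_t), which is exactly the kind of surprise the whitelist check above is meant to surface before Tomcat fails to start.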

