Yes, we're adding support for setuid after the HTTP server-sockets have been
connected, this disables the ability to add new sites on a live server among
other things though but works for some stuff. Also note that we see java
security as more important (but will of course support setuid for paranoid
(not necessarily a bad thing ;) admins who only trust their OS and not
java). But talking purely technically we see "java -jar orion.jar -secure"
as a more important (and resulting in better security) thing to support,
it's experimental right now so if you have any problems using it please send
us a mail describing the problem. Java(2) security is a lot more fine
grained/tuneable, simply a fresher/better arch but that said one doesn't
exclude the other, so using -Dnative.user=myOrionUser (will be added to the
next jar, working on .so's/components for some of the popular platforms)
and -secure at the same time is a very feasible way to go. (-secure alone is
a lot nicer to use though when you're dealing with a multi-user site with
apps owned by several users etc).

/Magnus Stenman, the Orion team

PS. The startup servlet is certainly possible, yes, this approach is
currently used by a few deployed systems such as for instance
http://www.vpro.nl.


----- Original Message -----
From: "Thomas Munro" <[EMAIL PROTECTED]>
To: "Orion-Interest" <[EMAIL PROTECTED]>
Cc: "Orion-Interest" <[EMAIL PROTECTED]>
Sent: Friday, April 14, 2000 12:19 PM
Subject: Re: Orion on Linux


> Hello
>
> Other Java server software does exactly that.
>
> Excerpt from weblogic.properties:
> --------------------------------
> # UNIX only: If running on port 80 on UNIX, enable the setUID program
> #weblogic.system.enableSetUID=false
>
> # UNIX only: Unprivileged user to setUID to after starting up
> # WebLogic Server on port 80
> #weblogic.system.nonPrivUser=nobody
> --------------------------------
>
> To accomplish this, a tiny shared library is supplied for Linux, Solaris,
> HPUX and Irix which provides a JNI interface to setuid.  The documentation
> recommends that you set up a special user to own all files and run the
> process (although you start it as root of course).
>
> I don't see any reason why Orion shouldn't come with a similar JNI
> solution - it's super easy to code, and essential for a secure server. The
> only thing that will change (unfortunately) is that somewhere an
> administrator will have to specify a path to the shared library,
> according to their operating system when they set up Orion.
>
> As a dirty nasty hack to solve your problem in the meantime Elias, you
> could make a 'plugin' in the form of a load-at-startup servlet which calls
> a setuid shared library (10 lines of C) in its init() method (and
> configure the relevant security settings).
>
> My 10 cents.
>
> Thomas Munro
> Software Engineer
> Grey Interactive Paris
>
> On Thu, 13 Apr 2000, Elias Martensson wrote:
>
> > On Sat, 8 Apr 2000 [EMAIL PROTECTED] wrote:
> >
> > > While it is true that all services running on UNIX and requiring a bind on
> > > ports below 1024 must start as root, it isn't accurate to say that all of
> > > them run as root. All of the servers that we run on our production servers
> > > provide us with a way to switch the user id once the service has grabbed
> > > the privileged port. We don't run any servers that accept connections from
> > > the Internet and process requests running as root. This is going to be a
> > > major problem for most hosting providers.
> >
> > I'm perfectly aware of this. The problem is not in Orion though, but in
> > Java. Java does not allow any way of changing user IDs, because user IDs
> > are a Unix concept that doesn't fit very well in the platform independent
> > metaphor.
> >
> > The solution would be JNI, but I highly suspect that the Orion don't want
> > to implement such a hack. I think they want to stay with pure Java. Hence
> > my suggestion of allowing some form of plugin so that a third-party can
> > implement this feature. I need it too.
>

