RE: Orion on unix systems

2001-01-16 Thread Jason Boehle

Looks like HP has a SDK/JRE:
http://www.unix.hp.com/java/java2/sdkrte/index.html

-Jason

-Original Message-
From: Juan Lorandi (Chile) [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 16, 2001 12:23 PM
To: Orion-Interest
Subject: RE: Orion on unix systems


If you have a JVM for HPUX, yes...
The only JVM that *may* run in HPUX that I know of is Kaffe
(http://www.kaffe.org)

HTH

JP

-Original Message-
From: Derek Akers [mailto:[EMAIL PROTECTED]]
Sent: Martes, 16 de Enero de 2001 12:25
To: Orion-Interest
Subject: Orion on unix systems


Question:  can orion run on HPUX?





Re: Orion on unix systems

2001-01-16 Thread Ernst de Haan

Hi Derek,

Sure it can. Check out the FAQ on orionserver.com. I'm running Orion on
FreeBSD myself.

BTW: You should make your question more specific. What HPUX version (10, 11,
etc) are you referring to, and what JRE/JDK did you have in mind (if any)?

--
Ernst


Derek Akers wrote:
> Question:  can orion run on HPUX?
> 
> 
> 




RE: Orion on unix systems

2001-01-16 Thread Juan Lorandi (Chile)

If you have a JVM for HPUX, yes...
The only JVM that *may* run in HPUX that I know of is Kaffe
(http://www.kaffe.org)

HTH

JP

-Original Message-
From: Derek Akers [mailto:[EMAIL PROTECTED]]
Sent: Martes, 16 de Enero de 2001 12:25
To: Orion-Interest
Subject: Orion on unix systems


Question:  can orion run on HPUX?





RE: Orion on Unix (again)

2001-01-11 Thread Heng Chee, Lee - SG

Ronald,
Thanks for your help, tried it but didn't make the trick.

Lorin,
Thanks.
But I don't get what you mean by 
"not exiting, just killing the terminal". 
How do you kill a terminal? Is it using a kill command from another terminal? 
I thought killing the terminal will exit it automatically, isn't it?





Thanks and best regards



-Original Message-
From: Lorin Kobashigawa-Bates [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 11, 2001 2:24 AM
To: Orion-Interest
Cc: Orion-Interest
Subject: Re: Orion on Unix (again)


Yes we had this problem also.  I wasn't able to figure out why in the
short time frame we had, < 1hr and it doesn't happen on our solaris boxes
only the development box our client had set up.  So my assumption is it's
some kind of paranoid security setting on Solaris.

We got around it by not exiting, just killing the terminal.  Not the
solution I'd prefer, but it seemed to work.

-Lkb

On Tue, 9 Jan 2001, Sach Jobb wrote:

> First of all, don't ever use telnet for anything. It's a clear text
> protocol and anyone snooping the line can easily snag your username and
> password. The suitable replacement for telnet (actually all rsh
> services) is SSH (secure shell) which uses encrypted sessions, and is thus
> difficult to monitor and crack. For moving files between machines you can
> use scp (secure copy) or sftp (secure ftp), because, ftp is also a clear
> text protocol.
> 
> I use OpenSSH (http://www.openssh.com/) because it's opensource and made
> by paranoid BSD people. OpenSSH will require OpenSSL
> (http://www.openssl.org/) which is also open source. There _might_ be
> binaries out there for solaris but more likely you will have to compile
> them yourself. A useful site is (http://www.sunfreeware.com/) as they
> have a lot of binaries for solaris.
> 
> For fun with packet sniffing check out dsniff
> (http://www.monkey.org/~dugsong/dsniff/).
> 
> Now, on to the problem you are having. We had the same problem as we've
> recently deployed on a Solaris box ourselves, but I can't remember how we
> fixed it so I'm forwarding this to my co-worker lorin who may be able to
> answer it for you.
> 
> 
> thanks,
> sach
> 
> 
> On Wed, 10 Jan 2001, Heng Chee, Lee - SG wrote:
> 
> > Hi,
> > First all, thanks for answering my previous question about running orion as
> > non-root user. I have another question which I couldn't find any info in the
> > orionsupport site. 
> > I would like to be able to telnet from a remote machine to my Sun box and
> > start the orion remotely, so far so good, but once I exit from my telnet
> > client, the orion.jar process died. I tried to use "nohup java -jar
> > orion.jar&" but this doesn't help.
> > I think the question above is the same as to keep the orion running even
> > after the shell that you use to start up the orion process has terminated. 
> > Is it possible to run orion as a daemon process?
> > 
> > 
> > 
> > 
> > 
> > Thanks and best regards
> > Lee
> > 
> 





Re: Orion on Unix (again)

2001-01-10 Thread Lorin Kobashigawa-Bates

Yes we had this problem also.  I wasn't able to figure out why in the
short time frame we had, < 1hr and it doesn't happen on our solaris boxes
only the development box our client had set up.  So my assumption is it's
some kind of paranoid security setting on Solaris.

We got around it by not exiting, just killing the terminal.  Not the
solution I'd prefer, but it seemed to work.

-Lkb

On Tue, 9 Jan 2001, Sach Jobb wrote:

> First of all, don't ever use telnet for anything. It's a clear text
> protocol and anyone snooping the line can easily snag your username and
> password. The suitable replacement for telnet (actually all rsh
> services) is SSH (secure shell) which uses encrypted sessions, and is thus
> difficult to monitor and crack. For moving files between machines you can
> use scp (secure copy) or sftp (secure ftp), because, ftp is also a clear
> text protocol.
> 
> I use OpenSSH (http://www.openssh.com/) because it's opensource and made
> by paranoid BSD people. OpenSSH will require OpenSSL
> (http://www.openssl.org/) which is also open source. There _might_ be
> binaries out there for solaris but more likely you will have to compile
> them yourself. A useful site is (http://www.sunfreeware.com/) as they
> have a lot of binaries for solaris.
> 
> For fun with packet sniffing check out dsniff
> (http://www.monkey.org/~dugsong/dsniff/).
> 
> Now, on to the problem you are having. We had the same problem as we've
> recently deployed on a Solaris box ourselves, but I can't remember how we
> fixed it so I'm forwarding this to my co-worker lorin who may be able to
> answer it for you.
> 
> 
> thanks,
> sach
> 
> 
> On Wed, 10 Jan 2001, Heng Chee, Lee - SG wrote:
> 
> > Hi,
> > First all, thanks for answering my previous question about running orion as
> > non-root user. I have another question which I couldn't find any info in the
> > orionsupport site. 
> > I would like to be able to telnet from a remote machine to my Sun box and
> > start the orion remotely, so far so good, but once I exit from my telnet
> > client, the orion.jar process died. I tried to use "nohup java -jar
> > orion.jar&" but this doesn't help.
> > I think the question above is the same as to keep the orion running even
> > after the shell that you use to start up the orion process has terminated. 
> > Is it possible to run orion as a daemon process?
> > 
> > 
> > 
> > 
> > 
> > Thanks and best regards
> > Lee
> > 
> 





Re: Orion on Unix (again)

2001-01-10 Thread Ronald Hatcher

Try this:

nohup java -jar orion.jar > /dev/null 2>&1 < /dev/null &

you can also redirect the application messages to somewhere sensible using the 
orion.jar command line


>From: "Heng Chee, Lee - SG" <[EMAIL PROTECTED]>
>To: Orion-Interest <[EMAIL PROTECTED]>
>Subject: Orion on Unix (again)
>Date: Wed, 10 Jan 2001 11:55:32 +0800
>
>Hi,
>First all, thanks for answering my previous question about running orion as
>non-root user. I have another question which I couldn't find any info in the
>orionsupport site. 
>I would like to be able to telnet from a remote machine to my Sun box and
>start the orion remotely, so far so good, but once I exit from my telnet
>client, the orion.jar process died. I tried to use "nohup java -jar
>orion.jar&" but this doesn't help.
>I think the question above is the same as to keep the orion running even
>after the shell that you use to start up the orion process has terminated. 
>Is it possible to run orion as a daemon process?
>
>
>
>
>
>Thanks and best regards
>Lee
>
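
[Added example, not part of Ronald Hatcher's message and not Orion code: a POSIX sh wrapper around the redirect-all-three-streams launch shown above, writing the output to a log file instead of /dev/null. RUN_DIR and the function names are assumptions made here.]

```shell
#!/bin/sh
# Added example. RUN_DIR and the function names are assumptions, not Orion's.
# A job started with a bare "nohup cmd &" still holds the terminal on stdin,
# stdout and stderr; closing all three is what lets the login session end
# cleanly while the server keeps running.

RUN_DIR="${RUN_DIR:-${TMPDIR:-/tmp}/orion-run.$$}"

# is_running NAME: succeeds if the PID recorded for NAME still exists.
is_running() {
    [ -s "$RUN_DIR/$1.pid" ] || return 1
    kill -0 "$(cat "$RUN_DIR/$1.pid")" 2>/dev/null
}

# start_detached NAME CMD [ARGS...]: launch CMD detached, print its PID.
start_detached() {
    name=$1; shift
    # chmod fails if the directory already exists and belongs to someone else
    mkdir -p "$RUN_DIR" && chmod 700 "$RUN_DIR" || return 1
    if is_running "$name"; then
        echo "$name is already running" >&2
        return 1
    fi
    (
        umask 077                   # log and pid file readable by owner only
        nohup "$@" >>"$RUN_DIR/$name.log" 2>&1 </dev/null &
        echo $! >"$RUN_DIR/$name.pid"
    )
    cat "$RUN_DIR/$name.pid"
}

# stop_detached NAME: send SIGTERM to the recorded PID and forget it.
stop_detached() {
    is_running "$1" || return 1
    kill "$(cat "$RUN_DIR/$1.pid")" && rm -f "$RUN_DIR/$1.pid"
}

# Typical use from the Orion directory, as the unprivileged user:
#   start_detached orion java -jar orion.jar
```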





Re: Orion on Unix (again)

2001-01-10 Thread Sach Jobb

First of all, don't ever use telnet for anything. It's a clear text
protocol and anyone snooping the line can easily snag your username and
password. The suitable replacement for telnet (actually all rsh
services) is SSH (secure shell) which uses encrypted sessions, and is thus
difficult to monitor and crack. For moving files between machines you can
use scp (secure copy) or sftp (secure ftp), because, ftp is also a clear
text protocol.

I use OpenSSH (http://www.openssh.com/) because it's opensource and made
by paranoid BSD people. OpenSSH will require OpenSSL
(http://www.openssl.org/) which is also open source. There _might_ be
binaries out there for solaris but more likely you will have to compile
them yourself. A useful site is (http://www.sunfreeware.com/) as they
have a lot of binaries for solaris.

For fun with packet sniffing check out dsniff
(http://www.monkey.org/~dugsong/dsniff/).

Now, on to the problem you are having. We had the same problem as we've
recently deployed on a Solaris box ourselves, but I can't remember how we
fixed it so I'm forwarding this to my co-worker lorin who may be able to
answer it for you.


thanks,
sach


On Wed, 10 Jan 2001, Heng Chee, Lee - SG wrote:

> Hi,
> First all, thanks for answering my previous question about running orion as
> non-root user. I have another question which I couldn't find any info in the
> orionsupport site. 
> I would like to be able to telnet from a remote machine to my Sun box and
> start the orion remotely, so far so good, but once I exit from my telnet
> client, the orion.jar process died. I tried to use "nohup java -jar
> orion.jar&" but this doesn't help.
> I think the question above is the same as to keep the orion running even
> after the shell that you use to start up the orion process has terminated. 
> Is it possible to run orion as a daemon process?
> 
> 
> 
> 
> 
> Thanks and best regards
> Lee
> 





Re: orion on unix

2001-01-08 Thread Philipp Meier

On Sun, Jan 07, 2001 at 07:43:42PM -0500, Scott M. Stirling wrote:

> Throwing Apache in the front end is bound to decrease performance,
> versus using Orion's HTTP server.  It's certainly the easiest (and a
> good portable one -- better than ipchains) solution, but I didn't
> mention because it defeats the purpose of using Orion as the web server
> for performance.

If you configure Apache as a Proxy Http-Server for orion running on an
unprivileged (>1024) port, it should not really decrease performance.
Have a look for the mod_rewrite and mod_proxy Documentation on your
favourite www.apache.org mirror.

> The real problem expressed by the original email is that regular
> restarts of the server are necessary.  All Java app servers suffer from
> this in one place or another.  Eventually, they'll all have to be able
> to dynamically reload configuration settings, and any class or
> component.  Orion is already well on the way toward that goal with
> dynamic reload of ears, EJB jars, servlets, etc.

Restarting of the orion appserver is possible via ormi (see admin.jar),
the apache webserver IMHO should not need to be restarted.

Happy hacking,
-billy.

-- 
Philipp Meier  o-matic GmbH
Geschäftsführer  Pfarrer-Weiß-Weg 16-18
Tel.: +49-(0)700-66284236 89077 Ulm



RE: orion on unix

2001-01-08 Thread Kemp Randy-W18971

This answer is essentially correct. Unix or Solaris uses ports up to 1024 as 
privileged and you need to have root access. 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Sunday, January 07, 2001 9:31 AM
To: Orion-Interest
Subject: Re: orion on unix


There is a util available on Linux called "ipchains" that can
redirect all requests from port 80 to 8080. After you set it up
with root user, u can run Orion as non-root on port 8080
and without clients even noticing it.

Find out if there is such a tool on Unix that u are running.

Never run Orion as ROOT. Even Orion team says that there
might be some security leaks if running Orion as root.

There is a tutorial that I've read @ www.orionsupport.com called
"Running Orion on Linux" that has explanation about users and
everything. Take a look maybe it will help. And of course same
website has tutorial named "Running Orion on Unix" maybe
it has instructions that u need.

I hope this helps

-Anton

- Original Message -
From: "Ronald Hatcher" <[EMAIL PROTECTED]>
To: "Orion-Interest" <[EMAIL PROTECTED]>
Sent: Sunday, January 07, 2001 6:15 AM
Subject: RE: orion on unix


> This is because the default http port 80 is privileged. If you don't want to
> run as root, reconfigure Orion to run on a non-privileged port such as 8080
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Heng Chee, Lee
> - SG
> Sent: 07 January 2001 08:54
> To: Orion-Interest
> Subject: orion on unix
>
>
> Hi,
> I used to run orion on NT machine and now I have to deploy it on a Sun Sparc
> Solaris machine.
> Honestly, my knowledge on unix system admin is very limited.
> Ok, now I have this problem:
> I have untar the orion archive to a folder called orion, this folder and
> all the files and subfolders under it are belongs to a user name 'orion',
> the group access permission for this folder (and all its files) are also
> called 'orion'. When I log in to unix as user 'orion' and try to start up
> the app server by typing java -jar orion.jar, I get a message "Error
> starting HTTP-Server : Permission denied".  I can only startup orion if I
> log in as root user. This is not acceptable because I can't let everyone to
> have root access just for starting up the orion server.(Our project still in
> the development phase so we need to start and stop the server quite often)
>
> I am puzzled with this error because I have already set the owner of all the
> files under orion folder to be 'orion', and orion app server is using its
> own http-server internally so it shouldn't has any permission problem.
> I think that orion app server might try to access some of the unix system
> file which must have root access, if this is the case can someone tell me
> which file is it?
> Or is there any alternative work around for this problem?
>
>
>
>
>
> Thanks and best regards
> Lee
>
>
>
>
>
>
>
>





RE: orion on unix

2001-01-08 Thread Heng Chee, Lee - SG

Hi all you guys (and gals) out there,
Thanks a lot for your answer. It is very informative.
I use sudo and it solves my problem.



Thanks again
Lee

-Original Message-
From: Sach Jobb [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 08, 2001 4:32 AM
To: Orion-Interest
Subject: Re: orion on unix


Are you trying to start orion on port 80?

In UNIX-based systems ports 1-1024 are called "privileged ports" and can
only be bound to as user root. Try changing the port to 8080 or something
else above 1024 in ~/config/default-web-site.xml.

Now you are going to tell me that it has to be bound to port 80 and you
really don't want to run it as user root for obvious security reasons.

This discussion belongs to the "how to start orion without being root," of
which there are many solutions that can be found by searching through this
list archive.

cheers,
sach


On Sun, 7 Jan 2001, Heng Chee, Lee - SG wrote:

> Hi,
> I used to run orion on NT machine and now I have to deploy it on a Sun Sparc
> Solaris machine.
> Honestly, my knowledge on unix system admin is very limited.
> Ok, now I have this problem:
> I have untar the orion archive to a folder called orion, this folder and
> all the files and subfolders under it are belongs to a user name 'orion',
> the group access permission for this folder (and all its files) are also
> called 'orion'. When I log in to unix as user 'orion' and try to start up
> the app server by typing java -jar orion.jar, I get a message "Error
> starting HTTP-Server : Permission denied".  I can only startup orion if I
> log in as root user. This is not acceptable because I can't let everyone to
> have root access just for starting up the orion server.(Our project still in
> the development phase so we need to start and stop the server quite often)
> 
> I am puzzled with this error because I have already set the owner of all the
> files under orion folder to be 'orion', and orion app server is using its
> own http-server internally so it shouldn't has any permission problem. 
> I think that orion app server might try to access some of the unix system
> file which must have root access, if this is the case can someone tell me
> which file is it?
> Or is there any alternative work around for this problem?
> 
> 
> 
> 
> 
> Thanks and best regards
> Lee
> 
> 
> 
> 
> 





Re: orion on unix

2001-01-08 Thread Johan Fredriksson

Easy workaround:

Start orion as root.

Use ormi to restart it.

(basically java -jar admincontrol.jar ipaddr I think)
- Original Message -
From: "Heng Chee, Lee - SG" <[EMAIL PROTECTED]>
To: "Orion-Interest" <[EMAIL PROTECTED]>
Sent: Sunday, January 07, 2001 9:54 AM
Subject: orion on unix


> Hi,
> I used to run orion on NT machine and now I have to deploy it on a Sun Sparc
> Solaris machine.
> Honestly, my knowledge on unix system admin is very limited.
> Ok, now I have this problem:
> I have untar the orion archive to a folder called orion, this folder and
> all the files and subfolders under it are belongs to a user name 'orion',
> the group access permission for this folder (and all its files) are also
> called 'orion'. When I log in to unix as user 'orion' and try to start up
> the app server by typing java -jar orion.jar, I get a message "Error
> starting HTTP-Server : Permission denied".  I can only startup orion if I
> log in as root user. This is not acceptable because I can't let everyone to
> have root access just for starting up the orion server.(Our project still in
> the development phase so we need to start and stop the server quite often)
>
> I am puzzled with this error because I have already set the owner of all the
> files under orion folder to be 'orion', and orion app server is using its
> own http-server internally so it shouldn't has any permission problem.
> I think that orion app server might try to access some of the unix system
> file which must have root access, if this is the case can someone tell me
> which file is it?
> Or is there any alternative work around for this problem?
>
>
>
>
>
> Thanks and best regards
> Lee
>
>
>
>





RE: orion on unix

2001-01-07 Thread Mike Cannon-Brookes

Scott,

There is some JNI code to do this on OrionSupport - should be up soon.

Mike

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Scott M.
> Stirling
> Sent: Monday, January 08, 2001 11:44 AM
> To: Orion-Interest
> Subject: RE: orion on unix
>
>
> I was going to suggest something similar, which is to start up Orion as
> root and then have the process change UID to a non-root user, just like
> Apache.  But starting the process as root is precisely the thing the
> user was trying to avoid.
>
> Throwing Apache in the front end is bound to decrease performance,
> versus using Orion's HTTP server.  It's certainly the easiest (and a
> good portable one -- better than ipchains) solution, but I didn't
> mention because it defeats the purpose of using Orion as the web server
> for performance.
>
> The security problems with running an app server as root can be dealt
> with by using Java policy files.  I've written them for JRun in the
> past, to restrict access to just the directories, files and ports
> necessary.  But running an app server is a risky proposition anyway.
> Even if it's not running as root it probably has access to all your
> businesses' critical data via database access and Web-based business
> transactions; people's credit card numbers, etc.  These are much more
> valuable than the files on your file system.
>
> The real problem expressed by the original email is that regular
> restarts of the server are necessary.  All Java app servers suffer from
> this in one place or another.  Eventually, they'll all have to be able
> to dynamically reload configuration settings, and any class or
> component.  Orion is already well on the way toward that goal with
> dynamic reload of ears, EJB jars, servlets, etc.
>
> A related problem is the distinction between development and production
> -- why can't each developer belong to the same group, have them all stop
> and start Orion on a port above 1024 for development purposes, and then
> deal with this port 80 problem when it's time to move production.  In
> most organizations I've dealt with, the developers aren't the ones
> stopping and starting the production server anyway.
>
> Scott Stirling
> West Newton, MA
>
> On 07 Jan 2001 13:44:34 -0800, Tony Wilson wrote:
> > The best way to get around this, I think, is to use apache as a front end
> > and connect Orion to it.
> > There is excellent documentation on how to do this on
> > www.orionsupport.com... when it comes up.  I think it is one of the
> > featured links on the right hand menu.
> >
> > Apache runs anywhere, pretty much.
> >
> > What you do is start up apache as root.  Apache grabs whatever lower
> > numbered ports it needs (including 80) and then changes its user to
> > something else (usually 'nobody').  You change the configuration in
> > /etc/httpd/conf/httpd.conf (at least on linux) and then you can connect to
> > it using standard procedures supported by both apache and orion.
> >
> > The main benefit of this is that you can run jrun as whomever you would like
> > ('orion' is a good username) and you only have to worry about the file
> > permissions from that point on.
> >
> >
> > You DEFINITELY don't want to run orion, or any other Servlet Container as
> > root.  The main reason is security.  One of your developers could very
> > easily write a piece of code that would wipe out the entire hard drive, or
> > worse... and if anyone was able to hack in... all they would need to do is
> > write up a jsp file, and they have all the access they want.
> >
> > Anyway.  The apache thing works for us.  We are able to do a lot of things
> > with this.  One example is Virtual hosting.  Each developer is able to have
> > their own instance of orion, running on their own virtual IP address, on
> > their own code base and starting and stopping it on their own running as
> > their own user.  Apache allows for this.
> >
> > Tony Wilson
>
>
>





RE: orion on unix

2001-01-07 Thread M.

I was going to suggest something similar, which is to start up Orion as
root and then have the process change UID to a non-root user, just like
Apache.  But starting the process as root is precisely the thing the
user was trying to avoid.

Throwing Apache in the front end is bound to decrease performance,
versus using Orion's HTTP server.  It's certainly the easiest (and a
good portable one -- better than ipchains) solution, but I didn't
mention because it defeats the purpose of using Orion as the web server
for performance.

The security problems with running an app server as root can be dealt
with by using Java policy files.  I've written them for JRun in the
past, to restrict access to just the directories, files and ports
necessary.  But running an app server is a risky proposition anyway.
Even if it's not running as root it probably has access to all your
businesses' critical data via database access and Web-based business
transactions; people's credit card numbers, etc.  These are much more
valuable than the files on your file system.

The real problem expressed by the original email is that regular
restarts of the server are necessary.  All Java app servers suffer from
this in one place or another.  Eventually, they'll all have to be able
to dynamically reload configuration settings, and any class or
component.  Orion is already well on the way toward that goal with
dynamic reload of ears, EJB jars, servlets, etc.

A related problem is the distinction between development and production
-- why can't each developer belong to the same group, have them all stop
and start Orion on a port above 1024 for development purposes, and then
deal with this port 80 problem when it's time to move production.  In
most organizations I've dealt with, the developers aren't the ones
stopping and starting the production server anyway.

Scott Stirling
West Newton, MA

On 07 Jan 2001 13:44:34 -0800, Tony Wilson wrote:
> The best way to get around this, I think, is to use apache as a front end
> and connect Orion to it.
> There is excellent documentation on how to do this on
> www.orionsupport.com... when it comes up.  I think it is one of the
> featured links on the right hand menu.
> 
> Apache runs anywhere, pretty much.
> 
> What you do is start up apache as root.  Apache grabs whatever lower
> numbered ports it needs (including 80) and then changes its user to
> something else (usually 'nobody').  You change the configuration in
> /etc/httpd/conf/httpd.conf (at least on linux) and then you can connect to
> it using standard procedures supported by both apache and orion.
> 
> The main benefit of this is that you can run jrun as whomever you would like
> ('orion' is a good username) and you only have to worry about the file
> permissions from that point on.
> 
> 
> You DEFINITELY don't want to run orion, or any other Servlet Container as
> root.  The main reason is security.  One of your developers could very
> easily write a piece of code that would wipe out the entire hard drive, or
> worse... and if anyone was able to hack in... all they would need to do is
> write up a jsp file, and they have all the access they want.
> 
> Anyway.  The apache thing works for us.  We are able to do a lot of things
> with this.  One example is Virtual hosting.  Each developer is able to have
> their own instance of orion, running on their own virtual IP address, on
> their own code base and starting and stopping it on their own running as
> their own user.  Apache allows for this.
> 
> Tony Wilson





Re: orion on unix

2001-01-07 Thread M.

On 07 Jan 2001 21:23:02 +0100, Nils Frohberg wrote:
> Yes, but sudo will still run orion with UID 0. This will not improve
> security. Then you might as well make a group called 'orion', and put all
> the users that need access to orion into this group. Change the dir/file
> perms so that it is read/writable for these users.
> 
> If you try to get orion to run non-root because of security, follow the
> example on orionsupport.
> 
> --nils

The issue was being able to have many users stop and start Orion on port
80 frequently, not access to files.  For restricting access to files and
other resources from Orion, I think the Java solution would be
customized Java policy files, but those are tricky to get right.  sudo
is a straightforward solution to the problem, which will work on any
UNIX platform that can get or build a copy of sudo (which is any).

Scott   

> 
> Scott M. Stirling([EMAIL PROTECTED])@Sun, Jan 07, 2001 at 01:49:15PM -0500:
> > I think there is a better solution than using ipchains (which I'm not
> > sure is supported anywhere but on Linux, and is bound to incur some
> > overhead, though I'm not sure if it would be significant), or at least
> > an alternative.
> > 
> > Install sudo if you haven't already.  You have to configure sudo with
> > the names/groups of users and their permissions.  What sudo does is
> > allow non-root users to execute super user commands and temporarily
> > attain super user privileges for the purpose of executing commands.  You
> > can have users enter a password to use sudo, or you can configure sudo
> > to allow users/groups to use it without a password.  In any case, make
> > sure the actual root password and the sudo password are different, that
> > way no one needs to know the root password except root.  To use sudo,
> > once installed, you just prefix sudo to any command in order to use it:
> > 
> > sudo reboot
> > sudo java -jar orion.jar
> > etc.
> > 
> > http://www.courtesan.com/sudo/
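
[Added example, not part of the thread: a check for the point Nils raises above, that a JVM launched with "sudo java -jar orion.jar" keeps running with UID 0. It reads a process listing in the `ps -eo uid,pid,args` layout and reports root-owned Orion JVMs. The function names and the sample listing are constructed for this example.]

```shell
#!/bin/sh
# Added example. Function names and the sample listing are constructed.

# root_orion_pids: read "UID PID ARGS..." lines, as printed by
# `ps -eo uid,pid,args`, on stdin and print the PID of every JVM that runs
# orion.jar with UID 0. The sudo wrapper itself is skipped; its java child,
# which inherits UID 0, is what gets reported.
root_orion_pids() {
    awk '
        $1 == "UID" { next }              # ps header line
        $1 != 0     { next }              # not owned by root
        {
            n = split($3, exe, "/")       # $3 is the executable path
            if (exe[n] != "java") next    # sudo, sh, grep, ...
            for (i = 4; i <= NF; i++) {
                m = split($i, arg, "/")
                if (arg[m] == "orion.jar") { print $2; next }
            }
        }'
}

# audit_orion: succeed only when no root-owned Orion JVM is in the listing.
audit_orion() {
    found=$(root_orion_pids)
    [ -z "$found" ] && return 0
    echo "orion.jar running as root, PID(s): $found" >&2
    return 1
}

# Constructed listing: one Orion started through sudo, one started by an
# unprivileged account.
sample_ps() {
    cat <<'EOF'
  UID   PID ARGS
    0     1 /sbin/init
    0   412 sudo java -jar orion.jar
    0   413 java -jar orion.jar
 1001   977 /usr/java/bin/java -jar /opt/orion/orion.jar
 1001  1033 grep orion.jar
EOF
}

# Live check:  ps -eo uid,pid,args | audit_orion
```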






RE: orion on unix

2001-01-07 Thread Tony Wilson

The best way to get around this, I think, is to use apache as a front end
and connect Orion to it.
There is excellent documentation on how to do this on
www.orionsupport.com... when it comes up.  I think it is one of the
featured links on the right hand menu.

Apache runs anywhere, pretty much.

What you do is start up apache as root.  Apache grabs whatever lower
numbered ports it needs (including 80) and then changes its user to
something else (usually 'nobody').  You change the configuration in
/etc/httpd/conf/httpd.conf (at least on linux) and then you can connect to
it using standard procedures supported by both apache and orion.

The main benefit of this is that you can run jrun as whomever you would like
('orion' is a good username) and you only have to worry about the file
permissions from that point on.


You DEFINITELY don't want to run orion, or any other Servlet Container as
root.  The main reason is security.  One of your developers could very
easily write a piece of code that would wipe out the entire hard drive, or
worse... and if anyone was able to hack in... all they would need to do is
write up a jsp file, and they have all the access they want.

Anyway.  The apache thing works for us.  We are able to do a lot of things
with this.  One example is Virtual hosting.  Each developer is able to have
their own instance of orion, running on their own virtual IP address, on
their own code base and starting and stopping it on their own running as
their own user.  Apache allows for this.

Tony Wilson



-Original Message-
From:   Heng Chee, Lee - SG [mailto:[EMAIL PROTECTED]]
Sent:   Sunday, January 07, 2001 12:54 AM
To: Orion-Interest
Subject:orion on unix

Hi,
I used to run orion on NT machine and now I have to deploy it on a Sun Sparc
Solaris machine.
Honestly, my knowledge on unix system admin is very limited.
Ok, now I have this problem:
I have untar the orion archive to a folder called orion, this folder and
all the files and subfolders under it are belongs to a user name 'orion',
the group access permission for this folder (and all its files) are also
called 'orion'. When I log in to unix as user 'orion' and try to start up
the app server by typing java -jar orion.jar, I get a message "Error
starting HTTP-Server : Permission denied".  I can only startup orion if I
log in as root user. This is not acceptable because I can't let everyone to
have root access just for starting up the orion server.(Our project still in
the development phase so we need to start and stop the server quite often)

I am puzzled with this error because I have already set the owner of all the
files under orion folder to be 'orion', and orion app server is using its
own http-server internally so it shouldn't has any permission problem. 
I think that orion app server might try to access some of the unix system
file which must have root access, if this is the case can someone tell me
which file is it?
Or is there any alternative work around for this problem?





Thanks and best regards
Lee








Re: orion on unix

2001-01-07 Thread Sach Jobb

Are you trying to start orion on port 80?

In UNIX-based systems ports 1-1024 are called "privileged ports" and can
only be bound to as user root. Try changing the port to 8080 or something
else above 1024 in ~/config/default-web-site.xml.

Now you are going to tell me that it has to be bound to port 80 and you
really don't want to run it as user root for obvious security reasons.

This discussion belongs to the "how to start orion without being root," of
which there are many solutions that can be found by searching through this
list archive.

cheers,
sach


On Sun, 7 Jan 2001, Heng Chee, Lee - SG wrote:

> Hi,
> I used to run orion on NT machine and now I have to deploy it on a Sun Sparc
> Solaris machine.
> Honestly, my knowledge on unix system admin is very limited.
> Ok, now I have this problem:
> I have untar the orion archieve to a folder called orion, this folder and
> all the files and subfolders under it are belongs to a user name 'orion',
> the group access permission for this folder (and all it's files) are also
> called 'orion'. When I log in to unix as user 'orion' and try to start up
> the app server by typing java -jar orion.jar, I get a message "Error
> starting HTTP-Server : Permission denied".  I can only startup orion if I
> log in as root user. This is not acceptable because I can't let everyone to
> have root access just for starting up the orion server.(Our project still in
> the development phase so we need to start and stop the server quite often)
> 
> I am puzzle with this error because I have already set the owner of all the
> files under orion folder to be 'orion', and orion app server is using it's
> own http-server internally so it shouldn't has any permission problem. 
> I think that orion app server might try to access some of the unix system
> file which must have root access, if this is the case can someone tell me
> which file it it?
> Or is there any alternative work around for this problem?
> 
> 
> 
> 
> 
> Thanks and best regards
> Lee
> 
> 
> 
> 
> 





RE: orion on unix

2001-01-07 Thread Frank Eggink

For what it's worth: in a previous thread someone mentioned the ipchains
equivalent for Solaris. Ipchains does Network Address Translation. My bet is
that the overhead is minimal (as is likely to be with ssh).

Sudo is an option, I guess. I've never used the tools. NAT does give you more
options to fine tune your security, but probably requires more knowledge and
skills than ssh and sudo.

On Sunday, January 07, 2001 7:36 PM, Ronald Hatcher [SMTP:[EMAIL PROTECTED]] wrote:
> Since Solaris doesn't have ipchains, you may have better luck using ssh port
> forwarding. something like ssh -L80:nnn.nnn.nnn.nnn:8080 orion@localhost
> 
> Ron Hatcher
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Christian
> Billen
> Sent: 07 January 2001 16:20
> To: Orion-Interest
> Subject: RE: orion on unix
> 
> 
> You could run the following command in your script as root:
> ipchains -A input --destination-port 80 -p tcp -j REDIRECT 10080
> Then su to the orion user and start orion on a port > 1024 as non root,
> there is an article on orionsupport.com about this but it's down at the
> moment.
> 
> Christian Billen
> 
> -Original Message-
> From: Heng Chee, Lee - SG [SMTP:[EMAIL PROTECTED]]
> Sent: Sunday, January 07, 2001 2:54 AM
> To:   Orion-Interest
> Subject:  orion on unix
> 
> Hi,
> I used to run orion on NT machine and now I have to deploy it on a Sun
> Sparc
> Solaris machine.
> Honestly, my knowledge on unix system admin is very limited.
> Ok, now I have this problem:
> I have untar the orion archieve to a folder called orion, this folder and
> all the files and subfolders under it are belongs to a user name 'orion',
> the group access permission for this folder (and all it's files) are also
> called 'orion'. When I log in to unix as user 'orion' and try to start up
> the app server by typing java -jar orion.jar, I get a message "Error
> starting HTTP-Server : Permission denied".  I can only startup orion if I
> log in as root user. This is not acceptable because I can't let everyone to
> have root access just for starting up the orion server.(Our project still
> in
> the development phase so we need to start and stop the server quite often)
> 
> I am puzzle with this error because I have already set the owner of all the
> files under orion folder to be 'orion', and orion app server is using it's
> own http-server internally so it shouldn't has any permission problem.
> I think that orion app server might try to access some of the unix system
> file which must have root access, if this is the case can someone tell me
> which file it it?
> Or is there any alternative work around for this problem?
> 
> 
> 
> 
> 
> Thanks and best regards
> Lee
> 
> 
> 
> 
> 
> 
> 




Re: orion on unix

2001-01-07 Thread Nils Frohberg

Yes, but sudo will still run orion with UID 0. This will not improve security. Then 
you might as well make a group called 'orion', and put all the users that need access 
to orion into this group. Change the dir/file perms so that it is read/writable for 
these users.

If you try to get orion to run non-root because of security, follow the example on 
orionsupport.

--nils

Scott M. Stirling([EMAIL PROTECTED])@Sun, Jan 07, 2001 at 01:49:15PM -0500:
> I think there is a better solution than using ipchains (which I'm not
> sure is supported anywhere but on Linux, and is bound to incur some
> overhead, though I'm not sure if it would be significant), or at least
> an alternative.
> 
> Install sudo if you haven't already.  You have to configure sudo with
> the names/groups of users and their permissions.  What sudo does is
> allow non-root users to execute super user commands and temporarily
> attain super user privileges for the purpose of executing commands.  You
> can have users enter a password to use sudo, or you can configure sudo
> to allow users/groups to use it without a password.  In any case, make
> sure the actual root password and the sudo password are different, that
> way no one needs to know the root password except root.  To use sudo,
> once installed, you just prefix sudo to any command in order to use it:
> 
> sudo reboot
> sudo java -jar orion.jar
> etc.
> 
> http://www.courtesan.com/sudo/
>  
> 
> On 07 Jan 2001 16:54:01 +0800, Heng Chee, Lee - SG wrote:
> > Hi,
> > I used to run orion on NT machine and now I have to deploy it on a Sun Sparc
> > Solaris machine.
> > Honestly, my knowledge on unix system admin is very limited.
> > Ok, now I have this problem:
> > I have untar the orion archieve to a folder called orion, this folder and
> > all the files and subfolders under it are belongs to a user name 'orion',
> > the group access permission for this folder (and all it's files) are also
> > called 'orion'. When I log in to unix as user 'orion' and try to start up
> > the app server by typing java -jar orion.jar, I get a message "Error
> > starting HTTP-Server : Permission denied".  I can only startup orion if I
> > log in as root user. This is not acceptable because I can't let everyone to
> > have root access just for starting up the orion server.(Our project still in
> > the development phase so we need to start and stop the server quite often)
> > 
> > I am puzzle with this error because I have already set the owner of all the
> > files under orion folder to be 'orion', and orion app server is using it's
> > own http-server internally so it shouldn't has any permission problem. 
> > I think that orion app server might try to access some of the unix system
> > file which must have root access, if this is the case can someone tell me
> > which file it it?
> > Or is there any alternative work around for this problem?
> > 
> > 
> > 
> > 
> > 
> > Thanks and best regards
> > Lee
> 
> -- 
> Scott Stirling
> West Newton, MA
> 




Re: orion on unix

2001-01-07 Thread M.

I think there is a better solution than using ipchains (which I'm not
sure is supported anywhere but on Linux, and is bound to incur some
overhead, though I'm not sure if it would be significant), or at least
an alternative.

Install sudo if you haven't already.  You have to configure sudo with
the names/groups of users and their permissions.  What sudo does is
allow non-root users to execute super user commands and temporarily
attain super user privileges for the purpose of executing commands.  You
can have users enter a password to use sudo, or you can configure sudo
to allow users/groups to use it without a password.  In any case, make
sure the actual root password and the sudo password are different, that
way no one needs to know the root password except root.  To use sudo,
once installed, you just prefix sudo to any command in order to use it:

sudo reboot
sudo java -jar orion.jar
etc.

http://www.courtesan.com/sudo/
 

On 07 Jan 2001 16:54:01 +0800, Heng Chee, Lee - SG wrote:
> Hi,
> I used to run orion on NT machine and now I have to deploy it on a Sun Sparc
> Solaris machine.
> Honestly, my knowledge on unix system admin is very limited.
> Ok, now I have this problem:
> I have untar the orion archieve to a folder called orion, this folder and
> all the files and subfolders under it are belongs to a user name 'orion',
> the group access permission for this folder (and all it's files) are also
> called 'orion'. When I log in to unix as user 'orion' and try to start up
> the app server by typing java -jar orion.jar, I get a message "Error
> starting HTTP-Server : Permission denied".  I can only startup orion if I
> log in as root user. This is not acceptable because I can't let everyone to
> have root access just for starting up the orion server.(Our project still in
> the development phase so we need to start and stop the server quite often)
> 
> I am puzzle with this error because I have already set the owner of all the
> files under orion folder to be 'orion', and orion app server is using it's
> own http-server internally so it shouldn't has any permission problem. 
> I think that orion app server might try to access some of the unix system
> file which must have root access, if this is the case can someone tell me
> which file it it?
> Or is there any alternative work around for this problem?
> 
> 
> 
> 
> 
> Thanks and best regards
> Lee

-- 
Scott Stirling
West Newton, MA





RE: orion on unix

2001-01-07 Thread Ronald Hatcher

Since Solaris doesn't have ipchains, you may have better luck using ssh port
forwarding. Something like ssh -L80:nnn.nnn.nnn.nnn:8080 orion@localhost

Ron Hatcher

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Christian
Billen
Sent: 07 January 2001 16:20
To: Orion-Interest
Subject: RE: orion on unix


You could run the following command in your script as root:
ipchains -A input --destination-port 80 -p tcp -j REDIRECT 10080
Then su to the orion user and start orion on a port > 1024 as non root,
there is an article on orionsupport.com about this but it's down at the
moment.

Christian Billen

-Original Message-
From: Heng Chee, Lee - SG [SMTP:[EMAIL PROTECTED]]
Sent: Sunday, January 07, 2001 2:54 AM
To: Orion-Interest
Subject: orion on unix

Hi,
I used to run orion on NT machine and now I have to deploy it on a Sun
Sparc
Solaris machine.
Honestly, my knowledge on unix system admin is very limited.
Ok, now I have this problem:
I have untar the orion archieve to a folder called orion, this folder and
all the files and subfolders under it are belongs to a user name 'orion',
the group access permission for this folder (and all it's files) are also
called 'orion'. When I log in to unix as user 'orion' and try to start up
the app server by typing java -jar orion.jar, I get a message "Error
starting HTTP-Server : Permission denied".  I can only startup orion if I
log in as root user. This is not acceptable because I can't let everyone to
have root access just for starting up the orion server.(Our project still
in
the development phase so we need to start and stop the server quite often)

I am puzzle with this error because I have already set the owner of all the
files under orion folder to be 'orion', and orion app server is using it's
own http-server internally so it shouldn't has any permission problem.
I think that orion app server might try to access some of the unix system
file which must have root access, if this is the case can someone tell me
which file it it?
Or is there any alternative work around for this problem?





Thanks and best regards
Lee










RE: orion on unix

2001-01-07 Thread Christian Billen

You could run the following command in your script as root:
ipchains -A input --destination-port 80 -p tcp -j REDIRECT 10080
Then su to the orion user and start orion on a port > 1024 as non root, 
there is an article on orionsupport.com about this but it's down at the 
moment.

Christian Billen

-Original Message-
From: Heng Chee, Lee - SG [SMTP:[EMAIL PROTECTED]]
Sent: Sunday, January 07, 2001 2:54 AM
To: Orion-Interest
Subject: orion on unix

Hi,
I used to run orion on NT machine and now I have to deploy it on a Sun 
Sparc
Solaris machine.
Honestly, my knowledge on unix system admin is very limited.
Ok, now I have this problem:
I have untar the orion archieve to a folder called orion, this folder and
all the files and subfolders under it are belongs to a user name 'orion',
the group access permission for this folder (and all it's files) are also
called 'orion'. When I log in to unix as user 'orion' and try to start up
the app server by typing java -jar orion.jar, I get a message "Error
starting HTTP-Server : Permission denied".  I can only startup orion if I
log in as root user. This is not acceptable because I can't let everyone to
have root access just for starting up the orion server.(Our project still 
in
the development phase so we need to start and stop the server quite often)

I am puzzle with this error because I have already set the owner of all the
files under orion folder to be 'orion', and orion app server is using it's
own http-server internally so it shouldn't has any permission problem.
I think that orion app server might try to access some of the unix system
file which must have root access, if this is the case can someone tell me
which file it it?
Or is there any alternative work around for this problem?





Thanks and best regards
Lee








Re: orion on unix

2001-01-07 Thread anton

There is a util available on Linux called "ipchains" that can
redirect all requests from port 80 to 8080. After you set it up
with root user, u can run Orion as non-root on port 8080
and without clients even noticing it.

Find out if there is such a tool on Unix that u are running.

Never run Orion as ROOT. Even Orion team says that there
might be some security leaks if running Orion as root.

There is a tutorial that I've read @ www.orionsupport.com called
"Running Orion on Linux" that has an explanation about users and
everything. Take a look, maybe it will help. And of course the same
website has a tutorial named "Running Orion on Unix"; maybe
it has the instructions that u need.

I hope this helps

-Anton

- Original Message -
From: "Ronald Hatcher" <[EMAIL PROTECTED]>
To: "Orion-Interest" <[EMAIL PROTECTED]>
Sent: Sunday, January 07, 2001 6:15 AM
Subject: RE: orion on unix


> This is because the default http port 80 is privileged. If you don't want to
> run as root, reconfigure Orion to run on a non-privileged port such as 8080
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Heng Chee, Lee
> - SG
> Sent: 07 January 2001 08:54
> To: Orion-Interest
> Subject: orion on unix
>
>
> Hi,
> I used to run orion on NT machine and now I have to deploy it on a Sun
Sparc
> Solaris machine.
> Honestly, my knowledge on unix system admin is very limited.
> Ok, now I have this problem:
> I have untar the orion archieve to a folder called orion, this folder and
> all the files and subfolders under it are belongs to a user name 'orion',
> the group access permission for this folder (and all it's files) are also
> called 'orion'. When I log in to unix as user 'orion' and try to start up
> the app server by typing java -jar orion.jar, I get a message "Error
> starting HTTP-Server : Permission denied".  I can only startup orion if I
> log in as root user. This is not acceptable because I can't let everyone
to
> have root access just for starting up the orion server.(Our project still
in
> the development phase so we need to start and stop the server quite often)
>
> I am puzzle with this error because I have already set the owner of all
the
> files under orion folder to be 'orion', and orion app server is using it's
> own http-server internally so it shouldn't has any permission problem.
> I think that orion app server might try to access some of the unix system
> file which must have root access, if this is the case can someone tell me
> which file it it?
> Or is there any alternative work around for this problem?
>
>
>
>
>
> Thanks and best regards
> Lee
>
>
>
>
>
>
>
>





RE: orion on unix

2001-01-07 Thread Ronald Hatcher

This is because the default http port 80 is privileged. If you don't want to
run as root, reconfigure Orion to run on a non-privileged port such as 8080

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Heng Chee, Lee
- SG
Sent: 07 January 2001 08:54
To: Orion-Interest
Subject: orion on unix


Hi,
I used to run orion on NT machine and now I have to deploy it on a Sun Sparc
Solaris machine.
Honestly, my knowledge on unix system admin is very limited.
Ok, now I have this problem:
I have untar the orion archieve to a folder called orion, this folder and
all the files and subfolders under it are belongs to a user name 'orion',
the group access permission for this folder (and all it's files) are also
called 'orion'. When I log in to unix as user 'orion' and try to start up
the app server by typing java -jar orion.jar, I get a message "Error
starting HTTP-Server : Permission denied".  I can only startup orion if I
log in as root user. This is not acceptable because I can't let everyone to
have root access just for starting up the orion server.(Our project still in
the development phase so we need to start and stop the server quite often)

I am puzzle with this error because I have already set the owner of all the
files under orion folder to be 'orion', and orion app server is using it's
own http-server internally so it shouldn't has any permission problem.
I think that orion app server might try to access some of the unix system
file which must have root access, if this is the case can someone tell me
which file it it?
Or is there any alternative work around for this problem?





Thanks and best regards
Lee










Re: orion on unix

2001-01-07 Thread Brautigam Robert

> Hi,

Hi,

> I used to run orion on NT machine and now I have to deploy it on a Sun Sparc
> Solaris machine.
[...]
> starting HTTP-Server : Permission denied".  I can only startup orion if I
> log in as root user. This is not acceptable because I can't let everyone to
[...]
> Or is there any alternative work around for this problem?

On UNIX (or derivative) systems, only root can bind to the lower 1024 ports,
this means you cannot start orion on the default HTTP port 80. There is an
attribute of the  tag called "port" in the default-web-site.xml,
typically the line should look like:

Which will cause the webserver to bind to the 8080 port. You can access
this page from a browser with the following url:
http://:8080/

hth,
Robert.
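
The bind failure described in the message above and the port-80-to-high-port redirect suggested elsewhere in this thread, as an added example that is not part of any message on this list. The names bind_status and start_relay are hypothetical, and the user-space relay only stands in for a kernel redirect or ssh forward: the listener in front is the one piece that would need privilege on port 80, while the app server behind it stays on a high port as a normal user.

```python
import errno
import socket
import threading


def bind_status(port, host="127.0.0.1"):
    """Classify a bind attempt: 'ok', 'permission denied' or 'in use'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((host, port))
        return "ok"
    except OSError as e:
        if e.errno == errno.EACCES:       # non-root bind to a privileged port
            return "permission denied"
        if e.errno == errno.EADDRINUSE:   # another process already owns the port
            return "in use"
        raise
    finally:
        s.close()


def _pump(src, dst):
    """Copy bytes one way until src closes, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    try:
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass


def _handle(client, target):
    """Relay one client connection to the target (host, port) and clean up."""
    try:
        upstream = socket.create_connection(target)
    except OSError:
        client.close()                    # backend is down: drop the client
        return
    back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    back.start()
    _pump(client, upstream)
    back.join()
    client.close()
    upstream.close()


def start_relay(listen_port, target_port, host="127.0.0.1"):
    """Relay listen_port -> target_port; returns (listening socket, bound port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, listen_port))         # only this bind needs root for port 80
    srv.listen(16)

    def accept_loop():
        while True:
            try:
                client, _ = srv.accept()
            except OSError:
                return                    # listener was closed
            threading.Thread(target=_handle, args=(client, (host, target_port)),
                             daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]
```

Passing 0 as listen_port picks a free unprivileged port, so the relay can be tried without root; bind_status(80) run as the 'orion' user shows whether the start-up error is the privileged-port case.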