Re: Tomcat as 'root' insecure? (again)
To address this a little further. Think about this, if a new hole is found that allows the attacker to put code on your machine, then think about all the possibilities of what that code could be programmed to do. Write files, read files, delete files or even run native code, just to name a few. As root there would be no limit to where the code could access, but as a lesser user the damage would be contained to just the user's environment/permissions.

As for the sandbox, I am inclined to disagree as this in itself does not prevent the java code from accessing things outside the jvm (see above). It does prevent jvm crashes and most problems from escaping the sandbox. Also don't get the applet sandbox, running in a client's browser, confused with the server. It does have restrictions on what the java code can do and access.

So bottom line is why take a chance.

Doug
www.parsonstechnical.com

----- Original Message -----
From: David Smith [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Tuesday, May 25, 2004 4:01 PM
Subject: Re: Tomcat as 'root' insecure? (again)

Let's see if I can offer a direct answer. I don't believe tomcat is insecure, but there are always those holes that haven't been found yet and a chance that the bad guys will find them first. The best practice approach to system security is to run all processes (tomcat included) at the minimum privilege level necessary to function. That way if an as yet unknown vulnerability is discovered and the attacker achieves the same privilege level as the service, he/she still shouldn't be able to get very far.

The only benefit I've ever seen to running as root is the ability to bind to privilege ports below 1024 (web port 80 is one of them). In my opinion, not a big enough gain to warrant root privilege on the tomcat process.

I use jsvc which launches as root just long enough to capture the privileged ports necessary and then drops the root privilege to run as tomcat5. Very clean, runs on startup, and I don't have to worry about some unforeseen problem giving an attacker instant root privilege.

--David

Barnet Wagman wrote:

> This issue has been (tangentially) addressed in a number of threads on several lists, but the answers I've found are not exactly consistent. I'd appreciate this list's opinion.
>
> So, is it insecure to run standalone Tomcat as a root process on a Linux system? By 'running Tomcat as a root process', I mean running the startup.sh script while logged in as the su (presumably with nohup).
>
> Some people seem to think that running a server as a root process is inherently insecure. But I've also seen it argued that because standalone Tomcat runs in Java sandbox, it is very secure independent of how it's running. This makes sense to me, but I'm not very knowledgeable about this sort of thing.
>
> Thanks,
>
> bw
>
> PS The purpose of running as root is, of course, so that Tomcat can listen to ports 80 and 443. I know that there are other ways of accomplishing this (using netfilter, etc.) but I'd prefer to avoid them if possible. I need to run Tomcat in an environment that I don't know very well (a vps under redhat) - so the less I have to screw around with the operating system the better. Setting Tomcat to listen to port 80, etc. is simple and portable, which is a big advantage for me.

To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: Tomcat as 'root' insecure? (again)
OK, I've been running tomcat behind apache for ages, and now I want to go with Yoav's oft-stated advice to just use tomcat (5.0.24) alone. And I want it on port 80.

So, I try to use the jsvc approach, telling it to go to the nonprivileged tomcat user by (from the tomcat site):

    ./bin/jsvc -Djava.endorsed.dirs=./common/endorsed -cp ./bin/bootstrap.jar \
        -outfile ./logs/catalina.out -errfile ./logs/catalina.err \
        org.apache.catalina.startup.Bootstrap -user tomcat

However, that chokes as follows, as it apparently can't use port 80 as I'm wanting it to.

I'm sure this must be trivial, but all help would be appreciated!

rj

    May 26, 2004 10:19:07 AM org.apache.coyote.http11.Http11Protocol start
    SEVERE: Error starting endpoint
    java.net.BindException: Permission denied:80
        at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:258)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.startEndpoint(PoolTcpEndpoint.java:275)
        at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:177)
        at org.apache.coyote.tomcat5.CoyoteConnector.start(CoyoteConnector.java:1500)
        at org.apache.catalina.core.StandardService.start(StandardService.java:485)
        at org.apache.catalina.core.StandardServer.start(StandardServer.java:2298)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:556)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:324)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:284)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:324)
        at org.apache.commons.daemon.support.DaemonLoader.start(DaemonLoader.java:218)
    May 26, 2004 10:19:07 AM org.apache.catalina.startup.Catalina start
    SEVERE: Catalina.start: LifecycleException: Protocol handler start failed: java.net.BindException: Permission denied:80
        at org.apache.coyote.tomcat5.CoyoteConnector.start(CoyoteConnector.java:1502)
        at org.apache.catalina.core.StandardService.start(StandardService.java:485)
        at org.apache.catalina.core.StandardServer.start(StandardServer.java:2298)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:556)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:324)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:284)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:324)
        at org.apache.commons.daemon.support.DaemonLoader.start(DaemonLoader.java:218)
    May 26, 2004 10:19:07 AM org.apache.catalina.startup.Catalina start
    INFO: Server startup in 5160 ms

At 04:01 PM 5/25/2004, David Smith wrote:

> I use jsvc which launches as root just long enough to capture the privileged ports necessary and then drops the root privilege to run as tomcat5. Very clean, runs on startup, and I don't have to worry about some unforeseen problem giving an attacker instant root privilege.
Re: Tomcat as 'root' insecure? (again)
Do you still have Apache running on Port 80?

--
Ben Souther
F.W. Davison Company, Inc.
RE: Tomcat as 'root' insecure? (again)
Hi,

You're better off grabbing the Tomcat5.sh script from $CATALINA_HOME/bin/jsvc-src/native (you need to unpack jsvc.tar.gz but I think you've already done that). Modify the couple of lines at the top to reflect your proper JAVA_HOME and CATALINA_HOME, and you should be all set.

Yoav Shapira
Millennium Research Informatics
Re: Tomcat as 'root' insecure? (again)
On Wed, May 26, 2004 at 10:30:59AM -0400, RJ wrote:
: So, I try to use the jsvc approach, telling it to go to
: the nonprivileged tomcat user by (from the tomcat site):
: [snip]
: However, that chokes as follows, as it apparently can't use port
: 80 as I'm wanting it to.

:SEVERE: Error starting endpoint
:java.net.BindException: Permission denied:80

Stupid question: are you running jsvc as root? To bind to port 80, you'll have to do just that. That doesn't mean Tomcat will run as root; jsvc will use its root privs to bind to the port, then switch over to the Tomcat user.

Someone else has already mentioned that Apache (or something else) may still be running on that port. As root, you can check that with

    lsof -i :80

-QM

--
software -- http://www.brandxdev.net
tech news -- http://www.RoarNetworX.com
Re: Tomcat as 'root' insecure? (again)
David Smith wrote:

> Let's see if I can offer a direct answer. I don't believe tomcat is insecure, but there are always those holes that haven't been found yet and a chance that the bad guys will find them first. The best practice approach to system security is to run all processes (tomcat included) at the minimum privilege level necessary to function. That way if an as yet unknown vulnerability is discovered and the attacker achieves the same privilege level as the service, he/she still shouldn't be able to get very far.
>
> The only benefit I've ever seen to running as root is the ability to bind to privilege ports below 1024 (web port 80 is one of them). In my opinion, not a big enough gain to warrant root privilege on the tomcat process.

Good point - I'm convinced.

> I use jsvc which launches as root just long enough to capture the privileged ports necessary and then drops the root privilege to run as tomcat5. Very clean, runs on startup, and I don't have to worry about some unforeseen problem giving an attacker instant root privilege.

I wasn't aware of the jsvc, which answers my needs very well.

Thanks
Re: Tomcat as 'root' insecure? (again)
Okay, I suppose you all are right saying that it's better not to run as root. But does the same apply to Windows? We're using Tomcat 4.1.24 on Windows 2000 Server, and up till now we've always run Tomcat as root. I don't see a jvsc-script or directory. Do I need to upgrade to TC5 to be able to use the script?

Roger
Re: Tomcat as 'root' insecure? (again)
Roger wrote:

> Okay, I suppose you all are right saying that it's better not to run as root. But does the same apply to Windows? We're using Tomcat 4.1.24 on Windows 2000 Server, and up till now we've always run Tomcat as root. I don't see a jvsc-script or directory. Do I need to upgrade to TC5 to be able to use the script?
>
> Roger

I believe that the Win version is called procrun. (jsvc and procrun are part of Apache's commons daemon project.) See http://jakarta.apache.org/commons/daemon/index.html

bw
Re: Tomcat as 'root' insecure? (again)
Windows is an animal of an entirely different species. The closest analogy to 'root' for Windows is 'administrator', but services in Windows (as far as I understand) usually run as SYSTEM. I could be sooo wrong on that and I'm really a Linux person. Hopefully someone who has experience securing Windows (insert favorite jab at Microsoft here) can chime in on this.

--David
RE: Tomcat as 'root' insecure? (again)
Yoav et al:

Thanks a million! When editing up the tomcat5.sh script, I also needed to fix the DAEMON_HOME and the reference to it in the 'start' method to go to the right path (it unpacked to something other than the expected /src/native/unix/jsvc ). And chown all the files to my tomcat user.

Now if I can just figure out how to get usage logs that are roughly comparable to what Apache put out, I'll be set! (and the issue of SSL, which seems to have gotten a lot of discussion lately).

Using tomcat on 80 instead of fooling with that always-painful task of linking to Apache will hopefully make support over the long term a lot easier proposition than trying to keep up with that always-moving target that the connectors pose...

Thanks again.

rj
RE: Tomcat as 'root' insecure? (again)
Hi,

To get access logs (in the Common Log File format, same as Apache and nearly all HTTP servers), comment in the AccessLogValve. It's commented out by default in server.xml. Read up on its configuration if you want some special logging pattern, as it's quite flexible.

For SSL, just start a separate mailing list thread with your problems if you have any.

Yoav Shapira
Millennium Research Informatics
RE: Tomcat as 'root' insecure? (again)
Hi

Okay, I suppose you all are right saying that it's better not to run as root. But does the same apply to Windows?

No, on Windows usual users are allowed to bind ports below 1024, which is the only problem for tomcat. Create any user account you want, give it sufficient access rights to tomcat's folders. Done. (Maybe you need to give it some read rights for the registry configuration of the service loader. If that's a problem, start tomcat using srvany (deprecated!).) [Also, you might need to give that user rights to log on as service and log on locally, but surely no special file or registry access rights other than those mentioned above.]

We're using Tomcat 4.1.24 on Windows 2000 Server, and up till now we've always run Tomcat as root.

There is nothing in Windows which equals root. There is NO user, which has any right anywhere. [You could configure this though, but you should not. It is nice for different admins to have private folders, where no other admin can look inside. And a lot more, you know.]

I don't see a jsvc script or directory. Do I need to upgrade to TC5 to be able to use the script?

You should not need to, afaict. Simply change the service's user.

Regards, Steffen
RE: Tomcat as 'root' insecure? (again)
Hi,

You're not going to get a simple yes or no answer. Both camps that you cite are right. Why run something as root if you don't have to?

Yoav Shapira
Millennium Research Informatics

-----Original Message-----
From: Barnet Wagman [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 25, 2004 2:30 PM
To: Tomcat Users List
Subject: Tomcat as 'root' insecure? (again)

This issue has been (tangentially) addressed in a number of threads on several lists, but the answers I've found are not exactly consistent. I'd appreciate this list's opinion.

So, is it insecure to run standalone Tomcat as a root process on a Linux system? By 'running Tomcat as a root process', I mean running the startup.sh script while logged in as the su (presumably with nohup).

Some people seem to think that running a server as a root process is inherently insecure. But I've also seen it argued that because standalone Tomcat runs in Java sandbox, it is very secure independent of how it's running. This makes sense to me, but I'm not very knowledgeable about this sort of thing.

Thanks, bw

PS The purpose of running as root is, of course, so that Tomcat can listen to ports 80 and 443. I know that there are other ways of accomplishing this (using netfilter, etc.) but I'd prefer to avoid them if possible. I need to run Tomcat in an environment that I don't know very well (a vps under redhat) - so the less I have to screw around with the operating system the better. Setting Tomcat to listen to port 80, etc. is simple and portable, which is a big advantage for me.
Re: Tomcat as 'root' insecure? (again)
Let's see if I can offer a direct answer. I don't believe tomcat is insecure, but there are always those holes that haven't been found yet and a chance that the bad guys will find them first.

The best practice approach to system security is to run all processes (tomcat included) at the minimum privilege level necessary to function. That way if an as yet unknown vulnerability is discovered and the attacker achieves the same privilege level as the service, he/she still shouldn't be able to get very far.

The only benefit I've ever seen to running as root is the ability to bind to privileged ports below 1024 (web port 80 is one of them). In my opinion, not a big enough gain to warrant root privilege on the tomcat process. I use jsvc which launches as root just long enough to capture the privileged ports necessary and then drops the root privilege to run as tomcat5. Very clean, runs on startup, and I don't have to worry about some unforeseen problem giving an attacker instant root privilege.

--David

Barnet Wagman wrote:

This issue has been (tangentially) addressed in a number of threads on several lists, but the answers I've found are not exactly consistent. I'd appreciate this list's opinion.

So, is it insecure to run standalone Tomcat as a root process on a Linux system? By 'running Tomcat as a root process', I mean running the startup.sh script while logged in as the su (presumably with nohup).

Some people seem to think that running a server as a root process is inherently insecure. But I've also seen it argued that because standalone Tomcat runs in Java sandbox, it is very secure independent of how it's running. This makes sense to me, but I'm not very knowledgeable about this sort of thing.

Thanks, bw

PS The purpose of running as root is, of course, so that Tomcat can listen to ports 80 and 443. I know that there are other ways of accomplishing this (using netfilter, etc.) but I'd prefer to avoid them if possible. I need to run Tomcat in an environment that I don't know very well (a vps under redhat) - so the less I have to screw around with the operating system the better. Setting Tomcat to listen to port 80, etc. is simple and portable, which is a big advantage for me.
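
The bind-then-drop sequence described above for jsvc, sketched in C as an added example; it is not part of the original thread and is not jsvc's source. The function names, port 80 in main() and the uid/gid 65534 ("nobody" on many Linux systems) are assumptions for illustration.

```c
#define _DEFAULT_SOURCE            /* for setgroups() on glibc */
#include <arpa/inet.h>
#include <grp.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind and listen while still privileged; returns the socket fd or -1. */
int bind_listener(unsigned short port) {
    struct sockaddr_in a = {0};
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    a.sin_family = AF_INET;
    a.sin_port = htons(port);
    a.sin_addr.s_addr = htonl(INADDR_ANY);
    if (bind(fd, (struct sockaddr *)&a, sizeof a) != 0 || listen(fd, 16) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Port the kernel bound fd to, or -1 if fd is not a bound socket. */
int bound_port(int fd) {
    struct sockaddr_in a;
    socklen_t n = sizeof a;
    if (getsockname(fd, (struct sockaddr *)&a, &n) != 0) return -1;
    return ntohs(a.sin_port);
}

/* Switch permanently to uid/gid. Groups and gid go first: once setuid()
 * has given up root, the process can no longer change them.
 * Returns 0 only if root cannot be regained afterwards. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (uid == 0 || gid == 0) return -1;       /* that would not be a drop */
    if (geteuid() == 0) {
        if (setgroups(0, NULL) != 0) return -1;
        if (setgid(gid) != 0) return -1;
        if (setuid(uid) != 0) return -1;
    }
    if (setuid(0) == 0) return -1;             /* regaining root must fail */
    return 0;
}

int main(void) {
    int fd = bind_listener(80);                /* assumed port; needs root */
    if (fd < 0 || drop_privileges(65534, 65534) != 0) return 1;
    close(fd);   /* a real server would run its accept() loop here instead */
    return 0;
}
```

The listening socket stays open across the drop, so the unprivileged process keeps serving the port it could not have bound itself. Doing the two steps in the opposite order fails with EACCES on a system where ports below 1024 are privileged, which Java surfaces as a BindException.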