Re: Why run tomcat as root

2002-12-09 Thread Rasputin
* Nikola Milutinovic [EMAIL PROTECTED] [1238 08:38]: Just to clarify things a bit, before I ask for a new feature in Tomcat. Most security conscientious servers on UNIX (like BIND 9) use this sequence: 1. Bind to TCP ports 2. Load all dynamic modules, libraries (usually done by the

Re: Why run tomcat as root

2002-12-08 Thread Nikola Milutinovic
Craig R. McClanahan wrote: Unix (and Linux) provide mechanisms to deal with this already, without changing the root-only restriction for ports < 1024. * There's a system call to change your user id (this is what Apache itself does to grab port 80 as root and then switch itself to a

RE: Why run tomcat as root

2002-12-06 Thread Turner, John
Exactly. John -Original Message- From: Noel J. Bergman [mailto:[EMAIL PROTECTED]] Sent: Friday, December 06, 2002 2:17 AM To: Tomcat Users List Subject: RE: Why run tomcat as root Personally, one of my goals is to go the other way and stick tomcat into a chroot jail, so

RE: Why run tomcat as root

2002-12-06 Thread Turner, John
, December 06, 2002 6:13 PM To: Tomcat Users List Subject: RE: Why run tomcat as root On Thu, 2002-12-05 at 20:33, Noel J. Bergman wrote: Access to ports < 1024 and minimizing root services is a well-understood issue for anyone who ought to be using a *nix system, having nothing to do

RE: Why run tomcat as root

2002-12-06 Thread Vy Ho
: Why run tomcat as root Can unix admin configure his OS to let normal app to run port 80? I say this because Unix is very configurable. Why you have to do so much coding just to access port 80, why not just look at it a different way?

RE: Why run tomcat as root

2002-12-06 Thread Turner, John
in the kernel. John -Original Message- From: Vy Ho [mailto:[EMAIL PROTECTED]] Sent: Friday, December 06, 2002 11:12 AM To: Tomcat Users List Subject: RE: Why run tomcat as root Very good point, but what if the administrator him/herself grant this access to this particular user? Linux

RE: Why run tomcat as root

2002-12-06 Thread Vy Ho
[mailto:[EMAIL PROTECTED]] Sent: Friday, December 06, 2002 11:12 AM To: Tomcat Users List Subject: RE: Why run tomcat as root Very good point, but what if the administrator him/herself grant this access to this particular user? Linux and Unix is all about flexibility right

RE: Why run tomcat as root

2002-12-06 Thread Turner, John
Ho [mailto:[EMAIL PROTECTED]] Sent: Friday, December 06, 2002 11:51 AM To: Tomcat Users List Subject: RE: Why run tomcat as root Thank you for your comment. However, I think you gave a good practical work around for now, when the kernel is not there yet. But that also means many

RE: Why run tomcat as root

2002-12-06 Thread micael
to change it for you, or pay someone to change it for you. John -Original Message- From: Vy Ho [mailto:[EMAIL PROTECTED]] Sent: Friday, December 06, 2002 11:51 AM To: Tomcat Users List Subject: RE: Why run tomcat as root Thank you for your comment. However, I think you gave a good

RE: Why run tomcat as root

2002-12-06 Thread Vy Ho
to change it for you. John -Original Message- From: Vy Ho [mailto:[EMAIL PROTECTED]] Sent: Friday, December 06, 2002 11:51 AM To: Tomcat Users List Subject: RE: Why run tomcat as root Thank you for your comment. However, I think you gave a good practical work

RE: Why run tomcat as root

2002-12-06 Thread Turner, John
a great weekend. John -Original Message- From: Vy Ho [mailto:[EMAIL PROTECTED]] Sent: Friday, December 06, 2002 1:14 PM To: Tomcat Users List Subject: RE: Why run tomcat as root Well, assume you're right, then I and many developers have to live with this fact then. I would

RE: Why run tomcat as root

2002-12-06 Thread Noel J. Bergman
I just think if there is something they can do that what they try to protect would work, and the problem we face would be solved. I know someone who works on SE Linux, and has published the root password for anyone to log into his system and try to break it. In that configuration, even root

Why run tomcat as root

2002-12-06 Thread Nicolas Mailhot
Hi, if you are using Linux and a distribution that groks rpms, just install the packages provided by jpackage (http://jpackage.zarb.org/) or even those on jakarta (same maintainer, might be a little bit less up-to-date). You'll get a hassle-free tomcat-mod_jk-apache solution, with regular

RE: Why run tomcat as root

2002-12-06 Thread Craig R. McClanahan
On Fri, 6 Dec 2002, Vy Ho wrote: Date: Fri, 06 Dec 2002 13:13:36 -0500 (EST) From: Vy Ho [EMAIL PROTECTED] Reply-To: Tomcat Users List [EMAIL PROTECTED] To: Tomcat Users List [EMAIL PROTECTED] Subject: RE: Why run tomcat as root Well, assume you're right, then I and many developers

Re: Why run tomcat as root

2002-12-06 Thread Bill Barker
t [EMAIL PROTECTED] Subject: RE: Why run tomcat as root Well, assume you're right, then I and many developers have to live with this fact then. I would like to make myself clear a bit though. Whatever decision they made over 40 years about limiting the access to port 0-1024, I don't

Why run tomcat as root

2002-12-05 Thread Sanjaya Singharage
with respect to security what is the best way to run tomcat on linux? I am running tomcat3.2.3 with apache1.3.26 and mod_jk 1. Run as root? 2. Run as nobody? 3. Run as other user (eg. tomcat)? why is running tomcat as a certain user more secure than running it as others? If this is the appropriate

Re: Why run tomcat as root

2002-12-05 Thread Tim Funk
Run apache as one id (nobody?) Run tomcat as another id (tomcat?) Running as root ... dangerous. Sanjaya Singharage wrote: with respect to security what is the best way to run tomcat on linux? I am running tomcat3.2.3 with apache1.3.26 and mod_jk 1. Run as root? 2. Run as nobody? 3. Run as other

Re: Why run tomcat as root

2002-12-05 Thread Kristján Rúnarsson
Sanjaya Singharage [EMAIL PROTECTED] 05.12.2002 10:33 Please respond to Tomcat Users List To: [EMAIL PROTECTED] cc: Subject:Why run tomcat as root with respect to security what is the best way to run tomcat on linux? I am running tomcat3.2.3

RE: Why run tomcat as root

2002-12-05 Thread Ralph Einfeldt
: Why run tomcat as root The Root account is also preferable because the account and processes that run under it are considerably better protected than those of a normal user, provided you have not castrated the Root account security wise, ie configured it incorrectly. The less secure

Re: Why run tomcat as root

2002-12-05 Thread Kristján Rúnarsson
Sorry to tear up the message, I forgot to paste this into my first one. You should also note that if you Run Tomcat as ROOT you may be more secure against a local user trying to sabotage your Tomcat but you will be vulnerable to malicious manipulations of your servlets. It is possible for

RE: Why run tomcat as root

2002-12-05 Thread Kristján Rúnarsson
but how do I do this to tomcat? Ralph Einfeldt [EMAIL PROTECTED] 05.12.2002 12:48 Please respond to Tomcat Users List To: Tomcat Users List [EMAIL PROTECTED] cc: Subject:RE: Why run tomcat as root I don't think that you are right. To run tomcat

RE: Why run tomcat as root

2002-12-05 Thread Turner, John
it or is thinking about doing it), and you were running Tomcat as root, you'd be a sitting duck. John -Original Message- From: Kristján Rúnarsson [mailto:[EMAIL PROTECTED]] Sent: Thursday, December 05, 2002 7:34 AM To: Tomcat Users List Subject: Re: Why run tomcat as root Sanjaya

Re: Why run tomcat as root

2002-12-05 Thread Tim Funk
To: Tomcat Users List [EMAIL PROTECTED] cc: Subject:RE: Why run tomcat as root I don't think that you are right. To run tomcat as root means you have less security than having more security. You have to be aware that you open an additional potential

RE: Why run tomcat as root

2002-12-05 Thread Turner, John
port, but that's off the scope of this list. John -Original Message- From: Kristján Rúnarsson [mailto:[EMAIL PROTECTED]] Sent: Thursday, December 05, 2002 8:17 AM To: Tomcat Users List Subject: RE: Why run tomcat as root I know, I accidentally posted that message before completing

RE: Why run tomcat as root

2002-12-05 Thread Ralph Einfeldt
run tomcat as root But I have not been able to figure out a way to downgrade the privileges of the Tomcat process after it has accessed the privileged resources. I have been told that Apache can downgrade the privilege level of processes after they have accessed privileged resources

RE: Why run tomcat as root

2002-12-05 Thread Kristján Rúnarsson
First off, did you read any but my original post? Please read the one I posted a little later. Hell! For your benefit I will reproduce it here: quote Sorry to tear up the message, I forgot to paste this into my first one. You should also note that if you Run Tomcat as ROOT you may be more

Re: Why run tomcat as root

2002-12-05 Thread maninder s batth
) -Original Message- From: Kristján Rúnarsson [mailto:[EMAIL PROTECTED]] Sent: Thursday, December 05, 2002 2:17 PM To: Tomcat Users List Subject: RE: Why run tomcat as root But I have not been able to figure out a way to downgrade the privileges of the Tomcat process after it has accessed

RE: Why run tomcat as root

2002-12-05 Thread Turner, John
the difference. That should be enough to keep you busy for awhile. John -Original Message- From: Kristján Rúnarsson [mailto:[EMAIL PROTECTED]] Sent: Thursday, December 05, 2002 9:24 AM To: Tomcat Users List Subject: RE: Why run tomcat as root First off, did you read any but my

RE: Why run tomcat as root

2002-12-05 Thread Kristján Rúnarsson
Subject: RE: Why run tomcat as root But I have not been able to figure out a way to downgrade the privileges of the Tomcat process after it has accessed the privileged resources. I have been told that Apache can downgrade the privilege level of processes after they have accessed privileged

Re: Why run tomcat as root

2002-12-05 Thread Kristján Rúnarsson
there Tim Funk [EMAIL PROTECTED] 05.12.2002 13:24 Please respond to Tomcat Users List To: Tomcat Users List [EMAIL PROTECTED] cc: Subject:Re: Why run tomcat as root Apache doesn't completely downgrade itself. Apache

RE: Why run tomcat as root

2002-12-05 Thread Turner, John
. John -Original Message- From: Kristján Rúnarsson [mailto:[EMAIL PROTECTED]] Sent: Thursday, December 05, 2002 9:44 AM To: Tomcat Users List Subject: RE: Why run tomcat as root That is true enough but those sound like workarounds your option #2 suggests that Apache does not have

RE: Why run tomcat as root

2002-12-05 Thread PELOQUIN,JEFFREY (HP-Boise,ex1)
into Tomcat. John -Original Message- From: Kristján Rúnarsson [mailto:[EMAIL PROTECTED]] Sent: Thursday, December 05, 2002 9:44 AM To: Tomcat Users List Subject: RE: Why run tomcat as root That is true enough but those sound like workarounds your option #2 suggests that Apache does

Re: Why run tomcat as root

2002-12-05 Thread Tim Funk
to Tomcat Users List To: Tomcat Users List [EMAIL PROTECTED] cc: Subject:Re: Why run tomcat as root Apache doesn't completely downgrade itself. Apache still runs as root. But only as little code as possible runs as root for apache. Apache uses root

RE: Why run tomcat as root

2002-12-05 Thread Kristján Rúnarsson
IMHO this is a case of the Tomcat team being restricted by the deficiencies of Java, I apologize if I implied that they are incompetent I did not mean to. The ability to have a parent process fork child processes that have restricted permissions is a pretty fundamental one. You say down stepping

RE: Why run tomcat as root

2002-12-05 Thread Turner, John
:[EMAIL PROTECTED]] Sent: Thursday, December 05, 2002 10:55 AM To: Tomcat Users List Subject: RE: Why run tomcat as root IMHO this is a case of the Tomcat team being restricted by the deficiencies of Java, I apologize if I implied that they are incompetent I did not mean to. The ability to have

RE: Why run tomcat as root

2002-12-05 Thread Price, Erik
-Original Message- From: Turner, John [mailto:[EMAIL PROTECTED]] Sent: Thursday, December 05, 2002 9:31 AM To: 'Tomcat Users List' Subject: RE: Why run tomcat as root [...] You can also use a web forwarding or URL cloaking service, such as the one at ZoneEdit.com. If you

RE: Why run tomcat as root

2002-12-05 Thread Price, Erik
-Original Message- From: Kristján Rúnarsson [mailto:[EMAIL PROTECTED]] Sent: Thursday, December 05, 2002 9:44 AM To: Tomcat Users List Subject: RE: Why run tomcat as root That is true enough but those sound like workarounds your option #2 suggests that Apache does not have

Re: Why run tomcat as root

2002-12-05 Thread Kristján Rúnarsson
to Tomcat Users List To: Tomcat Users List [EMAIL PROTECTED] cc: Subject:Re: Why run tomcat as root The JVM doesn't fork at all. The JVM (and therefore tomcat) is one process. The JVM is a virtual machine with many threads under the same process. Because

RE: Why run tomcat as root

2002-12-05 Thread Turner, John
Perhaps tomcat-dev would have your answers. John -Original Message- From: Kristján Rúnarsson [mailto:[EMAIL PROTECTED]] Sent: Thursday, December 05, 2002 11:48 AM To: Tomcat Users List Subject: Re: Why run tomcat as root I don't know of a class in java (and its appropriate

Re: Why run tomcat as root

2002-12-05 Thread Tim Funk
Tomcat is just a java class. (really a set of classes) It is like any other java application. If tomcat downgrades itself - all open sockets should be allowed to be continued to be used by it. Weblogic does this (in my observation of using it). Apache runs the way you describe below. (from my

RE: Why run tomcat as root

2002-12-05 Thread Ralph Einfeldt
as the proxy (iptables) -Original Message- From: Price, Erik [mailto:[EMAIL PROTECTED]] Sent: Thursday, December 05, 2002 5:19 PM To: Kristján Rúnarsson; Tomcat Users List Subject: RE: Why run tomcat as root Could not a solution be implemented like the Apache one, where the work

Re: Why run tomcat as root

2002-12-05 Thread Cees van de Griend
On Thursday 05 December 2002 14:24, Tim Funk wrote: With tomcat - there is only one process, the JVM. It is possible to bind to port 80 as root to listen on the port, then switch the entire process to another (less privileged) user id. To do this - you need a class which can call the native

Re: Why run tomcat as root

2002-12-05 Thread Cees van de Griend
On Thursday 05 December 2002 15:25, maninder s batth wrote: running apache just for port mapping would be an overkill. does any one foresee a potential problem with port-mapper solution ? Yep, a big problem. All traffic is from the port-mapper server, as far as Tomcat knows. I tried this and

Re: Why run tomcat as root

2002-12-05 Thread Cees van de Griend
On Thursday 05 December 2002 15:23, Kristján Rúnarsson wrote: This leaves me with the option of running apache as a normal user and setting up some sort of a redirect service that runs as root which is a pretty inelegant solution compared to a tomcat that suid's itself down after accessing

RE: Why run tomcat as root

2002-12-05 Thread Vy Ho
Can unix admin configure his OS to let normal app to run port 80? I say this because Unix is very configurable. Why you have to do so much coding just to access port 80, why not just look at it a different way?

RE: Why run tomcat as root

2002-12-05 Thread Turner, John
there for good reason. John -Original Message- From: Vy Ho [mailto:[EMAIL PROTECTED]] Sent: Thursday, December 05, 2002 3:48 PM To: Tomcat Users List Subject: RE: Why run tomcat as root Can unix admin configure his OS to let normal app to run port 80? I say this because Unix

RE: Why run tomcat as root

2002-12-05 Thread Noel J. Bergman
IMHO this is a case of the Tomcat team being restricted by the deficiencies of Java Tomcat and Java work just fine. There are plenty of ways to NOT run it as root. Ralph and Cees gave you at least three, one of which you could do trivially within 30 seconds. When started my tomcat server and

RE: Why run tomcat as root

2002-12-05 Thread Joe Tomcat
On Thu, 2002-12-05 at 20:33, Noel J. Bergman wrote: Access to ports < 1024 and minimizing root services is a well-understood issue for anyone who ought to be using a *nix system, having nothing to do with any specific server application. Restrictions on ports < 1024 and minimizing services

RE: Why run tomcat as root

2002-12-05 Thread Noel J. Bergman
Restrictions on ports < 1024 and minimizing services running as root are contradictory aspects of the Unix security model. You want to minimize the trusted code base, and you want to assure that public services (< 1024) cannot be spoofed. You might want the port owner to make sure that the