"Craig R. McClanahan" <[EMAIL PROTECTED]> wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > > > On Fri, 6 Dec 2002, Vy Ho wrote: > > > Date: Fri, 06 Dec 2002 13:13:36 -0500 (EST) > > From: Vy Ho <[EMAIL PROTECTED]> > > Reply-To: Tomcat Users List <[EMAIL PROTECTED]> > > To: Tomcat Users List <[EMAIL PROTECTED]> > > Subject: RE: Why run tomcat as root > > > > > > > > Well, assume you're right, then I and many developers have to live with > > this fact then. > > > > I would like to make myself clear abit though. Whatever decision they > > made over 40 years about limiting the access to port 0-1024, I dont > > question, or ask to change, or agree upon or disagree with. I just think > > if there is something they can do that what they try to protect would > > work, and the problem we face would be solved. See the number of response > > to this topic obvious shows that there's some > > concern/issues/misunderstanding/inconvinience. Whatever you call it. > > > > Unix (and Linux) provide mechanisms to deal with this already, without > changing the root-only restriction for ports < 1024. > > * There's a system call to change your user id (this is what > Apache itself does to grab port 80 as root and then switch > itself to a non-privileged user before actually doing anything > else.) Doing something like this for Tomcat is technically > feasible, but will require a bit of native code and some tweaks > to the way that the TCP connectors are started up. >
And, I believe that the JavaService code that ships with 4.1.x already does this (even on *nix boxes). I don't use it myself, since I only run Tomcat behind Apache (in which case it only needs access to the non-privileged port 8009). > * There's utilities like ipchains that can automatically forward > port 80 connections to some other port (such as one that's not > privileged), and optionally implement firewall type access controls > as well. > > * You can create a "chroot" environment that limits the scope of > things the process can actually get to, even though it thinks it > is running as root. > > There's no need to change the root-only restriction to solve this > "problem". Adequate mechanisms are already there to accomplish what you > need. Use them. > > > My feeling as a developer is that kernel develoeprs would make life > > better, whether it's a matter of convinient (without sacrafice security or > > whatever else). Ofcourse, there's other priority that make no body care > > to this about this issues. But that is another story. I think this was > > asked enough to have a good talk about. I also thought that this is a > > relative easy to change in the kernel (for the kernel dev. expert). I > > also don't think it would be a security problem or backward compatable > > problem (since the admin must allow some users to use port 80 for it to > > work). > > > > About the work around terminology, whatever you call it, and I may use it > > wrongly, but I think it's a hassle to do other stuff just for this little > > thing. You may think it's not a hassle, it's nothing you maysay. Well, > > it's users' votes. When there's enough on one side or another, there's > > maybe better reason to address it oneway or another (such as do nothing). > > > > About philosophy, and 40 years of thought. I think you have a good point > > on the time and all that. But time change. Things now are different than > > before. So, sometimes, changing is not that bad, and people/developers do > > that all the time. That's how Linux improve every day. > > > > Change should only happen when existing solutions don't work any more. > Change for change's sake is a waste of time. > > That is not the case for this scenario, so I'd be amazed if your proposal > ever gained any traction. Of course, it's really the Unix and Linux (and > Windows, because it follows a similar-but-different pattern) developers > that you'd need to make your arguments to. There's nothing that Tomcat, > or Tomcat developers, can do to change this. > > Therefore, I suggest anyone interested take any more discussion of whether > operating systems should be changed someplace else -- it's off topic for > TOMCAT-USER. If you want Tomcat to support running directly on port 80 > without being root, put your enhancement request in to the bug tracking > system: > > http://nagoya.apache.org/bugzilla/ > > Better yet, attach patches that make the required changes to Tomcat to > implement this idea. It'd get implemented a whole lot faster that way. > > Craig -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
