James,

On 9/7/17 12:18 PM, James H. H. Lampert wrote:
> Emmanuel Bourg wrote:
>>> You didn't change the TOMCAT8_USER variable in
>>> /etc/default/tomcat8 and authbind is installed, right?
>>> 
>>> What is the output of (as root):
>>> 
>>> su tomcat8 -s /bin/bash -c "authbind --deep /bin/bash -c 'netcat -v -p 443 -l'"
> and my reply ended:
>> The only difference I see is the home directories.
> 
> I found another difference.
> 
> I looked at the man page for authbind. Then I looked at the
> contents of /etc/authbind.
> 
> It seems that /etc/authbind/byport/443 has owner "tomcat7," group 
> "root," and mode 500. As soon as I changed that to group "tomcat8"
> and mode 550,
>> sudo -u tomcat8 -s /bin/bash -c "authbind --deep /bin/bash -c 'netcat -v -p 443 -l'"
> no longer came back with "Permission denied," and when I put Tomcat
> 8.5 on port 443 and restarted Tomcat 8.5, it started right up
> without further complaint.

Glad to hear that.

I've not used authbind, but I believe you can configure things in more
than one way (i.e. /etc/authbind/byport versus /etc/authbind/byuid).
I'll bet there is an order of preference, and that
/etc/authbind/byport overrides /etc/authbind/byuid.

I think you may want to remove /etc/authbind/byport/443 altogether and
allow the /etc/authbind/byuid configuration to handle everything.

NB I would recommend, at least in production, that you limit the ports
to which Tomcat is allowed to bind to the ports you actually need, and
not 1-1023. Just In Case.

-chris
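
The byport behaviour discussed in this thread, as an added example that is not part of either message and is not authbind's own code. It follows the rule in authbind(1) that a byport file is checked for execute access with access(2) and that only a missing file defers to later rules. The function name byport_decision and the script name authbind_check.sh are hypothetical, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not authbind's code): models authbind's byport test.
# authbind allows bind() when /etc/authbind/byport/PORT is executable by
# the caller per access(2); a missing file defers to byaddr and byuid.
# Assumes GNU stat, a non-root caller, and no ACLs on the file.

# byport_decision CONFDIR PORT UID "GID ..." -> allow | deny | fallthrough
byport_decision() {
    f="$1/byport/$2"; uid=$3; gids=$4
    if [ ! -e "$f" ]; then
        echo fallthrough    # ENOENT: byaddr, then byuid, decide instead
        return 0
    fi
    set -- $(stat -c '%u %g %a' "$f")   # owner uid, group gid, octal mode
    fowner=$1; fgroup=$2; mode=$((0$3))
    if [ "$uid" = "$fowner" ]; then
        bit=$(( (mode >> 6) & 1 ))      # owner class: only u+x counts
    else
        bit=$(( mode & 1 ))             # default to the "other" class
        for g in $gids; do
            if [ "$g" = "$fgroup" ]; then
                bit=$(( (mode >> 3) & 1 ))   # group class: only g+x counts
            fi
        done
    fi
    if [ "$bit" -eq 1 ]; then echo allow; else echo deny; fi
}

# Real use: sh authbind_check.sh 443 tomcat8
if [ $# -eq 2 ]; then
    byport_decision /etc/authbind "$1" "$(id -u "$2")" "$(id -G "$2")"
else
    # Constructed demo: byport/443 owned by the current user, mode 500,
    # queried for a placeholder uid/gid (-1) that matches nothing.
    d=$(mktemp -d); mkdir "$d/byport"; : > "$d/byport/443"
    chmod 500 "$d/byport/443"
    echo "other uid, mode 500: $(byport_decision "$d" 443 -1 -1)"
    rm -rf "$d"
fi
```

A "deny" result here means the byuid file is never consulted for that port, which matches the "Permission denied" reported above until the group and mode were changed.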
