Right.  This is very much the same way other services like Apache httpd
do things.  The privileged process is there to catch signals and open
ports for listening.  The unprivileged process does the actual work.

--David
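As an added illustration (not code from jsvc, Tomcat, or anyone in this thread), the Python below sketches the two-process layout David and Andrew describe: a privileged step binds the listening socket, the process then drops to an unprivileged account, and the worker can no longer bind a privileged port. It also parses a constructed `ps axu | grep jsvc` listing to confirm the expected shape, one root controller plus a non-root worker. The worker account name `nobody`, the PIDs, paths and the whole `SAMPLE_PS` listing are assumptions made up for the example.

```python
import os
import pwd
import socket

# Linux/Unix: ports below 1024 need root (or CAP_NET_BIND_SERVICE) to bind.
PRIVILEGED_PORT_MAX = 1024


def is_privileged_port(port: int) -> bool:
    """True for ports only a privileged process can bind (443 is one)."""
    return 0 < port < PRIVILEGED_PORT_MAX


def bind_listener(port: int, host: str = "127.0.0.1") -> socket.socket:
    """Step done by the privileged parent: open and listen on the socket.
    port=0 asks the kernel for an ephemeral port (handy for testing)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(16)
    return sock


def drop_privileges(user: str) -> tuple:
    """Switch this process permanently to `user` and return (uid, gid).
    Only root can change identity; otherwise the current ids are returned.
    Order matters: supplementary groups, then gid, then uid, because once
    the uid is unprivileged the process can no longer change its gid."""
    if os.geteuid() != 0:
        return os.getuid(), os.getgid()
    pw = pwd.getpwnam(user)
    os.setgroups([])
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)
    return os.getuid(), os.getgid()


def jsvc_process_owners(ps_lines) -> dict:
    """Parse `ps axu` lines and map the PID of each jsvc process to its owner.
    The grep process that produced the listing is skipped."""
    owners = {}
    for line in ps_lines:
        fields = line.split(None, 10)  # COMMAND is column 11 and may contain spaces
        if len(fields) < 11 or fields[0] == "USER":
            continue
        user, pid, command = fields[0], fields[1], fields[10]
        if "jsvc" in command and not command.startswith("grep"):
            owners[int(pid)] = user
    return owners


def check_privilege_separation(owners: dict) -> bool:
    """Layout the thread describes: exactly one root controller and at
    least one worker running as a non-root account."""
    root = [pid for pid, user in owners.items() if user == "root"]
    workers = [pid for pid, user in owners.items() if user != "root"]
    return len(root) == 1 and len(workers) >= 1


# Constructed sample of `ps axu | grep jsvc` output (not a real capture).
SAMPLE_PS = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root      2211  0.0  0.1  41234  1234 ?        Ss   13:55   0:00 jsvc.exec -user tomcat -cp /opt/tomcat/bin/bootstrap.jar org.apache.catalina.startup.Bootstrap
tomcat    2212  1.2  9.8 987654 98765 ?        Sl   13:55   0:12 jsvc.exec -user tomcat -cp /opt/tomcat/bin/bootstrap.jar org.apache.catalina.startup.Bootstrap
afelle1   3001  0.0  0.0   5000   800 pts/0    S+   13:56   0:00 grep jsvc
""".splitlines()


def main() -> None:
    # Privileged phase: bind first (443 would need root; port 0 works for anyone).
    listener = bind_listener(0)
    port = listener.getsockname()[1]
    uid, gid = drop_privileges("nobody")  # hypothetical worker account
    print(f"listening on {port}, now running as uid={uid} gid={gid}")
    # After dropping root, a fresh bind to a privileged port should be refused.
    if uid != 0:
        try:
            bind_listener(443).close()
            print("bound 443 without root (capability or sysctl allows it here)")
        except OSError as exc:
            print(f"bind to 443 refused for the unprivileged worker: {exc}")
    listener.close()
    owners = jsvc_process_owners(SAMPLE_PS)
    print("jsvc owners:", owners, "separated:", check_privilege_separation(owners))


if __name__ == "__main__":
    main()
```

The difference between the two setups discussed in the thread shows up in the check: with jsvc the root controller stays resident to relay signals, so `check_privilege_separation` should find exactly one root process; with the book's firewall-forwarding approach (on Linux typically an iptables nat REDIRECT of port 443 to Tomcat's listening port) no Tomcat process ever holds root at any point.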

Andrew Ralph Feller, afelle1 wrote:
> Thanks for the reply David!
>
> If you start up jsvc and do "ps axu | grep jsvc", you will find two processes
> with one being owned by root and the other by the non-root account.  The
> non-root process will actually handle the incoming requests, however the
> root process is needed to bind to port 443 since it is a privileged port.
>
>
> On 10/30/08 1:55 PM, "David Smith" <[EMAIL PROTECTED]> wrote:
>
>>> I don't have any personal issue with moving to running Tomcat directly as
>>> the non-privileged account meant for Tomcat ...
>> Just to clarify, jsvc runs tomcat as an unprivileged user as well.  One
>> advantage to jsvc is it allows tomcat to be run by itself without funky
>> iptables rules or a front-end server.  It's a simpler setup and overall
>> I'm a firm believer in simpler = better.
>>
>> --David
>>
>> Andrew Ralph Feller, afelle1 wrote:
>>> Thanks for the response Torsten!
>>>
>>> In our environment, the machines we have Tomcat running on strictly use
>>> Tomcat 6, APR for SSL support, and we load balance applications through an
>>> external load balancer.  We have been able to get by without bringing in HTTPD
>>> for things like mod_rewrite or any of the PAMs, so I would like to keep it
>>> as simple as possible.
>>>
>>> I don't have any personal issue with moving to running Tomcat directly as
>>> the non-privileged account meant for Tomcat, however I am curious about the
>>> trade-offs, especially related to security.
>>>
>>> Thanks!
>>>
>>> On 10/30/08 12:37 PM, "[EMAIL PROTECTED]"
>>> <[EMAIL PROTECTED]> wrote:
>>>
>>>> Hi Andrew,
>>>>
>>>> We let all our Tomcats run on a non-privileged port and use some init script
>>>> using startup.sh/shutdown.sh, and have an Apache httpd forwarding requests
>>>> with AJP.
>>>>
>>>> We then use Apache httpd for things like terminating SSL, do RADIUS or LDAP
>>>> authentication, load balancing several Tomcat instances and so on.
>>>>
>>>> I think it is a good and common setup like that.
>>>>
>>>> Torsten
>>>>
>>>> -----Original Message-----
>>>> From: Andrew Feller [mailto:[EMAIL PROTECTED]
>>>> Sent: 30. oktober 2008 18:16
>>>> To: users@tomcat.apache.org
>>>> Cc: Brad Cupit
>>>> Subject: JSVC vs standard startup / shutdown scripts
>>>>
>>>> QUESTION: What is the best practice for running Tomcat?  JSVC daemon or
>>>> startup / shutdown scripts as a non-root user and forwarding HTTPS requests
>>>> to a non-privileged port?
>>>>
>>>> While reading the Professional Apache Tomcat 6 (ISBN: 978-0-471-75361-2),
>>>> they recommend running Tomcat to start it up using the startup script
>>>> provided in the Tomcat binary and having your firewall forward requests from
>>>> HTTPS to a non-privileged port.  This is very interesting for two reasons:
>>>>
>>>>    1. The book never mentions JSVC, which the Tomcat documentation does
>>>>    2. We believed using JSVC was the only way to run as a non-root user,
>>>>    which doesn't seem to be the case now
>>>>
>>>> I would appreciate any feedback about the trade-offs and why people choose
>>>> one over the other.
>>>>
>>>> Thanks,
>>>> Andrew
>>>>


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
