DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23371>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23371 running tomcat standalone as non-root on port 443 [EMAIL PROTECTED] changed: What |Removed |Added ---------------------------------------------------------------------------- Severity|Normal |Enhancement Status|RESOLVED |REOPENED Resolution|INVALID | ------- Additional Comments From [EMAIL PROTECTED] 2003-09-24 05:18 ------- Tim, Thanks for the quick reply. Unfortunately, on the page you reference I don't see port 80 mentioned. - "How to I force all my pages to run under HTTPS?" http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23371 mentions security-constraints in web.xml once a httpd has taken port 80 and 443, but not how I can convince linux to give a port < 1000 to a non-root user in the first place. - "Tomcat as root and security issues" basically mentions squid or other port forwarders... ==> if the answer is that Tomcat can't run under 443 or 80 standalone as non-root, then, my suggestion is to add another paragraph to the security FAQ! Looking around for similar useful information, for example http://jakarta.apache.org/tomcat/tomcat-4.1-doc/RUNNING.txt only hints at port 8080 but not sub 1000 ports. In many environments firewalls restrict outgoing traffic to 80 and 443. Does this mean that all the users of these environments can never see a standalone tomcat site? Or, at least has anybody built and successfully deployed a chroot'ing starter-utility that could be easily used for this as a second-best fix? --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
