Hi.
On 26.02.2018 15:59, Christopher Schultz wrote:
Coty and André,
On 2/23/18 6:58 PM, Coty Sutherland wrote:
Also see https://bz.apache.org/bugzilla/show_bug.cgi?id=60560 :)
I've been planning to push a solution for that, just haven't gotten
around to it yet.
On Fri, Feb 23, 2018 at 5:34 PM, André Warnier (tomcat)
<a...@ice-sa.com> wrote:
On 23.02.2018 23:32, André Warnier (tomcat) wrote:
On 23.02.2018 18:52, Peter@Kreuser-Online wrote:
Hi Chris,
Am 23.02.2018 um 18:36 schrieb Cheltenham, Chris
<ccheltenham-...@philasd.org>:
Hello All,
I am trying to run tomcat as a non root user.
It will start as the tomcat user but it will not bind to
connector 443 unless it starts as root.
Does anyone know why?
Unix will not let you open ports below 1024 as non-root
user!
You may use a proxy in front of it or maybe use iptables to
be able to use standard ports AND user tomcat.
See also :
https://commons.apache.org/proper/commons-daemon/jsvc.html
Or if you are running under Linux, check :
https://en.wikipedia.org/wiki/Authbind
I'm curious ... can authbind be used to *restrict* processes as well
as to grant them access? For example, let's say that I want Tomcat to
be able to bind to port 8080, it generally will be able to do that
unless some other process has bound already. But let's say I
specifically DO NOT want Tomcat to be able to bind to port 8443. Can I
use authbind to set a blacklist of ports, too? Or, can I blacklist
everything and set up a whitelist that contains only port 8080?
I don't really know the specifics of authbind, just that recent Debian Linux versions seem
to automatically use it to run their pre-packaged Tomcat (I believe that previously, they
used jsvc).
There is information available here :
https://manpages.debian.org/testing/authbind/authbind.1.en.html
which seems to indicate that indeed it seems to allow the kind of things which you mention
above.
Should you not have access to a Linux Debian/Ubuntu system right now, I can also send you
a sample /etc/init.d startup script for Tomcat (using authbind) (but presumably directly,
as the list does not really like attachments)