On Tue, 17 Apr 2007, Faheem Mitha wrote:

> On Tue, 17 Apr 2007, Faheem Mitha wrote:
>
>> On Tue, 17 Apr 2007, David Smith wrote:
>>
>>> Ahhh the joy of *nix operating systems. Way back in the distant past of
>>> unix systems, someone decided it was a bad idea to allow any user on the
>>> system to bind to the well known low ports (1 - 1024) where officially
>>> sanctioned services (POP, SMTP, FTP, etc., ...) should be. A great idea
>>> except it also required the services to be running as a privileged user to
>>> gain access. For a lot of reasons, services should run with the least
>>> privilege.
>>>
>>> A couple of the most common solutions to this problem are:
>>>
>>> 1. Start tomcat using jsvc. You can get it from the commons-daemon
>>> project at http://jakarta.apache.org/commons/daemon
>>>
>>> 2. Run tomcat on a higher port like 8443 and attempt to use iptables to
>>> divert the traffic intended for 443 to tomcat. I'm a bit dubious about whether
>>> this will work with an SSL connection. You can try it if you like.
>>>
>>> My vote is for 1. It's easy and tomcat can act as a well-behaved,
>>> respectable service running with minimum privilege while still capturing a
>>> "privileged" port.
>>
>> I'm inclined to go for 1 too. Are there any drawbacks to this approach
>> besides introducing another piece of software? Also, can anyone recommend a
>> nice simple howto or somesuch?
>
> I just discovered that the latest version of the tomcat 5.5 debian package in
> unstable (5.5.20-4) uses jsvc. So I happily installed it, only to discover
> that it is buggy, and does not appear to run correctly. The version 5.5.20-2
> in etch works fine, but does not use jsvc. This is a major drag.
>
> I don't feel competent to mess around with init scripts and so forth, so I'd
> much rather use the Debian package. Does anyone have a locally fixed version
> or have other suggestions about what to do?

I discovered a local fix (use cronolog) to 5.5.20-4 in Debian bug report
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=402603

I just applied the diff that Adrian Bridgett supplied.

"a) use cronolog and alter init.d (see attached diff)
Pro: simple
Con: end up with two logs"

I don't really have a clear idea what is going on here, but tomcat is now
working, and I can run on port 443. I did have to install cronolog, of
course. Just thought I'd send this in here in case it was helpful for
someone. Presumably the Debian package will be fixed eventually.

One question I do have is whether there are any restrictions using tomcat
in this way (with jsvc). For example, I think the plan is to use tomcat
with something called shibboleth. I'm just doing the installing here, not
anything else.

Comments? Faheem.
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]