views: 113

answers: 4

When you run a Java Servlet Container that you would like to serve both static and dynamic content on port 80 you have the classic question of whether to run the server as:

  1. As root in hopefully a chroot jail if you can (haven't gotten this working yet)
  2. As a non root user and then use IPTables to forward port 80 to some other port (>1024) that the container is running on
  3. Both: As a non root user, IPTables, and chroot jail.

The problem with opt. 1 is the complexity of chrooting and still the security problems of running as root. The problem with opt. 2 is that each Linux distro has a different way of persisting IPTables. Option 3 of course is probably ideal but very hard to set up.

Finally every distro has the annoying differences in daemon scripts.

What do people find as the best distro agnostic solution and are there resources to show how to do this?

EDIT: I would rather not run Apache in front of the servlet container because the site is mostly dynamic and total memory footprint is important (hosting costs).

+4  A: 

Run as non-root and use a standard webserver (apache) or a lightweight one (such as lighttpd or nginx) on port 80 to redirect to your instance.

This has the advantage that the standard webserver can serve static content, reducing the load on your web application. You could even have it reverse-proxy and cache the web application traffic.

jmanning2k
The problem is that the proxy incurs a bandwidth latency cost not to mention you now need to be running multiple servers (apache and servlet container) so you need a more powerful server with more memory.
Adam Gent
@Adam, have you tried proxying with nginx or lighttpd as opposed to Apache? I've never used lighttpd, but nginx has excellent performance and has a very small memory footprint. Of course, a proxy will always add to the latency, but with nginx it's a small amount compared to Apache.
Jeff
@Jeff I'll have to look into nginx. The only issue I can imagine is that nginx probably does not have the same level of support as apache and mod_jk.
Adam Gent
I think you'll find the latency is minimal, and the resources required are actually reduced. Don't make assumptions - test it out.
jmanning2k
+1  A: 

Check out authbind, which is designed specifically to allow non-root users controlled access to privileged ports.

This way, you can effectively escalate your Tomcat user's privileges to just the root powers you want (open privileged ports) without giving your webapp process unnecessary powers to wreak havoc.

Andrzej Doyle
A: 

Why not simply run it as root? What bad can happen?

I've never heard of a Java servlet container being hacked with the hacker breaking out of the JVM and gaining access to the OS.

Let's say that happens. The hacker read the JVM code and found a hole. He breaks into your system through your servlet container and logs in as the user that runs the servlet container.

Then you are screwed. The most valuable and the only valuable things on your server are all accessible to that user. It doesn't matter that the user is a normal user.

What more damage can be done if that user is root? The OS is disposable, just wipe it clean and reinstall.

irreputable
Detecting that a machine has been compromised becomes significantly more difficult if the attacker has root access.
Angelo Genovese
If the attacker is after your app data, a restricted user account won't help at all. If the attacker hijacks the machine to do something else, big deal. In any case, it is infinitely impossible that the attacker breaks in through an HTTP port opened in a JVM. There are much easier ways.
irreputable
1) "infinitely impossible": I do not think that phrase means what you think it means. 2) Detection: If root access is not gained, intrusion can be detected through HID services, and you know it is time to restore from a known clean backup. If root access is gained, the compromise could well be undetected, ongoing, and may cost much more to recover from (if you ever figure it out).
Slartibartfast
@irreputable actually one of the advantages I like about not running it as root is that I can give access to other developers and not worry about them installing emacs-or-their-favorite-unix-program. It also makes it easy to see all the processes that are running that are "ours" and not OS userland processes like syslog.
Adam Gent
+1  A: 

I use jetty on port 8080 and redirect with

iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

pierce
@pierce that is my normal approach to this problem. However I still have to write the annoying init/daemon scripts to make sure that that iptables command gets run and jetty/tomcat gets started.
Adam Gent
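A distro-agnostic wrapper around pierce's iptables REDIRECT, covering the "make sure the rule gets run and the container gets started" step Adam mentions. This is an added example, not code from any poster in this thread; the user name, the port numbers, the APP_CMD path and the IPTABLES override are assumptions. It adds the rule only once (so repeated starts do not stack duplicates in the nat table) and refuses to launch the container as root.

```sh
#!/bin/sh
# Added example: idempotent port-80 -> 8080 redirect plus unprivileged start.
# Assumed: the container is started by APP_CMD as APP_USER and listens on
# APP_PORT; all three values are placeholders, not taken from the thread.
APP_USER="${APP_USER:-jetty}"
APP_PORT="${APP_PORT:-8080}"
PUBLIC_PORT="${PUBLIC_PORT:-80}"
APP_CMD="${APP_CMD:-/opt/jetty/bin/jetty.sh start}"   # hypothetical path
IPTABLES="${IPTABLES:-iptables}"                      # overridable for testing

# The rule spec is shared by -C (check), -I (insert) and -D (delete).
redirect_rule() {
    printf '%s' "PREROUTING -p tcp --dport $PUBLIC_PORT -j REDIRECT --to-port $APP_PORT"
}

# Insert the redirect only if it is absent, so repeated starts do not stack
# duplicate rules in the nat table.
ensure_redirect() {
    if "$IPTABLES" -t nat -C $(redirect_rule) 2>/dev/null; then
        echo "redirect $PUBLIC_PORT -> $APP_PORT already present"
    else
        "$IPTABLES" -t nat -I $(redirect_rule)
    fi
}

# Remove every copy of the rule (older scripts may have stacked several).
remove_redirect() {
    while "$IPTABLES" -t nat -C $(redirect_rule) 2>/dev/null; do
        "$IPTABLES" -t nat -D $(redirect_rule)
    done
}

# Refuse to run the container as root; drop to APP_USER instead.
start_app() {
    [ "$APP_USER" != root ] || { echo "APP_USER must not be root" >&2; return 1; }
    [ "$(id -u)" -eq 0 ] || { echo "run as root so privileges can be dropped" >&2; return 1; }
    su -s /bin/sh -c "$APP_CMD" "$APP_USER"
}

# Note: REDIRECT in PREROUTING only rewrites traffic arriving on an interface;
# connections from the box itself still go straight to APP_PORT, and APP_PORT
# stays reachable from outside unless a filter rule blocks it.
case "${1:-}" in
    start) ensure_redirect && start_app ;;
    stop)  remove_redirect ;;
    "")    ;;   # sourced or run without an action: define functions only
    *)     echo "usage: $0 {start|stop}" >&2; exit 2 ;;
esac
```

Invoke it from whatever init mechanism the distro uses (`script start` / `script stop`); the part that differs per distro is reduced to that one call.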