Sun Application Server Drop Privs

We're using Sun Java System Application Server 8.1. I know the software is designed so it can be run as a non-root user, but right now, we have to run it as root since it binds to ports 80/tcp and 443/tcp.

I've hit SunSolve, docs.sun.com, and Google, but can't seem to find out how to get it to drop privs to a non-root user after grabbing the low-numbered ports. Anyone know how to do this? I'd rather (a) not have this monster run as root if it doesn't have to and (b) not have the web app developers have to get a sys admin to make changes as root for them whenever they want to tweak some file.

--
Crist J. Clark | cjclark@...

Re: Sun Application Server Drop Privs

If the main issue is your webservers then what should happen is that the initial run as root should get reassigned to the webserver owner, i.e. nobody, web, etc.

Stephen Hauskins
Divisional Liaison
Academic Computing Group
Division of Physical and Biological Sciences

We can't solve problems by using the same kind of thinking we used when we created them.
Albert Einstein

On Mon, 23 Apr 2007, Crist J. Clark wrote:

> We're using Sun Java System Application Server 8.1. I know
> the software is designed so it can be run as a non-root user,
> but right now, we have to run it as root since it binds to ports
> 80/tcp and 443/tcp.
>
> I've hit SunSolve, docs.sun.com, and Google, but can't seem to
> find out how to get it to drop privs to a non-root user after
> grabbing the low-numbered ports. Anyone know how to do this?
> I'd rather (a) not have this monster run as root if it doesn't
> have to and (b) not have the web app developers have to get a
> sys admin to make changes as root for them whenever they want
> to tweak some file.
> --
> Crist J. Clark | cjclark@...

RE: Sun Application Server Drop Privs

Have you tried creating a properties file or editing the existing properties file that contains the environment variables associated with launching the app server? I know for the Sun Proxy server you can create a properties page that contains the user that will run the service as well as the ports to which it will bind. The properties file may be accessed by root, but privs will be dropped to the user defined within the config file.

Tony UcedaVélez, CISM, CISA, GIAC
Managing Partner
VerSprite, LLC
(office) 678.938.3434
(email) tonyuv@...
(web) www.versprite.com

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On Behalf Of Crist J. Clark
Sent: Monday, April 23, 2007 8:11 PM
To: focus-sun@...
Subject: Sun Application Server Drop Privs

We're using Sun Java System Application Server 8.1. I know the software is designed so it can be run as a non-root user, but right now, we have to run it as root since it binds to ports 80/tcp and 443/tcp.

I've hit SunSolve, docs.sun.com, and Google, but can't seem to find out how to get it to drop privs to a non-root user after grabbing the low-numbered ports. Anyone know how to do this? I'd rather (a) not have this monster run as root if it doesn't have to and (b) not have the web app developers have to get a sys admin to make changes as root for them whenever they want to tweak some file.

--
Crist J. Clark | cjclark@...

Re: Sun Application Server Drop Privs

Regarding (b), even if you run the server as root, you can change the owners &/or groups of the files so that non-root users can change them.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Haim (Howard) Roman
Computer Center, Jerusalem College of Technology
roman@...
Phone: 052-8-592-599 (6022 from within Machon Lev)

-------- Original Message --------
Subject: Sun Application Server Drop Privs
From: Crist J. Clark <cristclark@...>
To: focus-sun@...
Date: Tue 24 Apr 2007 03:11:02 AM IDT

> We're using Sun Java System Application Server 8.1. I know
> the software is designed so it can be run as a non-root user,
> but right now, we have to run it as root since it binds to ports
> 80/tcp and 443/tcp.
>
> I've hit SunSolve, docs.sun.com, and Google, but can't seem to
> find out how to get it to drop privs to a non-root user after
> grabbing the low-numbered ports. Anyone know how to do this?
> I'd rather (a) not have this monster run as root if it doesn't
> have to and (b) not have the web app developers have to get a
> sys admin to make changes as root for them whenever they want
> to tweak some file.
>

Re: Sun Application Server Drop Privs

On Wed, 25 Apr 2007, haim [howard] roman wrote:

> Regarding (b), even if you run the server as root, you can change the
> owners &/or groups of the files so that non-root users can change them.

It may happen that controlling configuration files is enough to force the application to do nasty things (e.g., reading /etc/shadow, or even overwriting it). If an application is run as root, the result can be that you allow the one who controls the configuration files to do these nasty things.

If your only problem is the ports, you could run the server on some other ports (say, 20080 instead of 80) and use ipf to redirect 80 to 20080.

--
Regards, ASK
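
The config-file risk raised in the last message can be checked mechanically. The script below is an added example, not part of the original thread: it lists every path under a config directory that an account other than the server's run-as account could modify. The function names, the sample tree and its property keys are constructed for illustration.

```shell
#!/bin/sh
# Added example: list paths under a config tree that an account other than
# the server's run-as account could modify.
#
# audit_config_tree DIR RUN_UID
#   DIR      config directory to check
#   RUN_UID  numeric uid the server process runs as (0 if it runs as root)
# Prints "OWNER path" for anything not owned by RUN_UID and "MODE path" for
# anything group- or world-writable (symlinks skipped; their mode bits are
# not meaningful). Returns 1 if there is at least one finding.
audit_config_tree() {
    dir=$1
    run_uid=$2
    findings=$(
        find "$dir" ! -user "$run_uid" -exec printf 'OWNER %s\n' {} \;
        find "$dir" ! -type l \( -perm -020 -o -perm -002 \) \
            -exec printf 'MODE %s\n' {} \;
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree (not a real Application Server layout).
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/config"
    echo 'http.port=20080' > "$t/config/server.properties"
    echo 'admin.enabled=true' > "$t/config/admin.properties"
    chmod 755 "$t" "$t/config"
    chmod 644 "$t/config/server.properties"
    chmod 664 "$t/config/admin.properties"   # group-writable on purpose
    echo "$t"
}

# Demo: audit the sample tree against the current uid. On a real host,
# pass the uid the server runs as.
tree=$(make_sample_tree)
audit_config_tree "$tree" "$(id -u)" ||
    echo "review the paths above before running the server as uid $(id -u)"
rm -rf "$tree"
```

With RUN_UID set to 0, the OWNER lines are exactly the files that have been handed to non-root accounts while the server still runs as root.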