Run JBoss on privileged port (80) without running as root
---------------------------------------------------------
Key: JBAS-6926
URL:
https://jira.jboss.org/jira/browse/JBAS-6926
Project: JBoss Application Server
Issue Type: Feature Request
Security Level: Public (Everyone can see)
Components: System service, Web (Tomcat) service
Reporter: Brad Maxwell
Assignee: Dimitris Andreadis
Many customers want to run JBoss Web on port 80 without running JBoss as root for security
reasons. This is usually achieved by fronting JBoss with Apache & using mod_jk to
proxy to JBoss or doing NAT on the machine. It would be nice if JBoss could be started as
root but have configuration that would change to a non-root user after it has opened the
ports such as port 80 for jboss-web, such as Apache and other app servers do.
Below are some possibilities to achieve this:
Changing UID is something that would have to be done via JNI (in other words,
platform-specific compiled libraries - possibly more than one per platform [I'm
thinking of hybrid 32/64-bit platforms]). That said I could envision a couple possible
solutions for UNIX platforms (all would require development work however):
Solution 1
----------
- JBAS starts up by running Main
- Main notices a special configuration option to bind certain ports upfront, stores those
bound sockets for later
- Main notices a special configuration option to switch UID, uses the JNI stub to do so
- Commence normal bootstrap
- JBossWeb (or any other network component) has a provision to re-use pre-bound sockets
- On redeploy or connector undeploy, those sockets had better not be closed or else they
won't be able to be re-bound
Solution 2
----------
- A separate "binder" program is written (in C) which creates a AF_UNIX socket
with restricted permissions and runs as root
- JBAS starts up, runs through bootstrap normally as a non-priv user
- Rather than creating a ServerSocket, JBAS uses a JNI stub to connect to the AF_UNIX
socket, and send a request to bind a privileged socket address
- The "binder" program binds the address and sends the file descriptor back over
the AF_UNIX socket, and closes its local copy of the server socket
- JBAS reads that server socket back off the AF_UNIX socket
(note that this is arguably slightly more elegant as a custom ServerSocketFactory could do
this transparently for non-NIO usages)
Solution 3 (Linux only)
-----------------------
- Run JBAS with CAP_NET_BIND_SERVICE
Note that these solutions all rely on platform-specific mechanisms, because it's a
platform-specific problem. The best we can do is come up with a way to distribute the JNI
guts in such a way that it doesn't *look* like a platform-specific solution.
- DML
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira