On 01/17/2015 04:31 AM, Jason T. Greene wrote:
> Right, all Java code using this JVM would have access to binding *all
> ports* (e.g. a Java program could bind, say, the ssh port (assuming it's not running) and
> sniff passwords). So it would be a good idea to have a dedicated JVM just for WildFly and
> to limit the execution permission to just a dedicated WildFly user. That way you ensure
> only the wildfly process can bind these ports.

I guess SELinux could help in this scenario. IIRC, SELinux blocks
WildFly (the one from the repos) from binding on non-default ports
(8080, ...), so a custom rule to allow it to bind to 80 would be
enough. If WildFly tries to bind to 22, SELinux will block it.

- Juca.