[jboss-jira] [JBoss JIRA] Created: (JBAS-6926) Run JBoss on privileged port (80) without running as root

Brad Maxwell (JIRA) jira-events at lists.jboss.org
Fri May 15 14:36:46 EDT 2009 

Run JBoss on privileged port (80) without running as root
---------------------------------------------------------

                 Key: JBAS-6926
                 URL: https://jira.jboss.org/jira/browse/JBAS-6926
             Project: JBoss Application Server
          Issue Type: Feature Request
      Security Level: Public (Everyone can see)
          Components: System service, Web (Tomcat) service
            Reporter: Brad Maxwell
            Assignee: Dimitris Andreadis


Many customers want to run JBoss Web on port 80 without running JBoss as root for security reasons.  This is usually achieved by fronting JBoss with Apache & using mod_jk to proxy to JBoss or doing NAT on the machine.  It would be nice if JBoss could be started as root but have configuration that would change to a non-root user after it has opened the ports such as port 80 for jboss-web, such as Apache and other app servers do.

Below are some possibilities to achieve this:

Changing UID is something that would have to be done via JNI (in other words, platform-specific compiled libraries - possibly more than one per platform [I'm thinking of hybrid 32/64-bit platforms]).  That said I could envision a couple possible solutions for UNIX platforms (all would require development work however):

Solution 1
----------
- JBAS starts up by running Main
- Main notices a special configuration option to bind certain ports upfront, stores those bound sockets for later
- Main notices a special configuration option to switch UID, uses the JNI stub to do so
- Commence normal bootstrap
- JBossWeb (or any other network component) has a provision to re-use pre-bound sockets
- On redeploy or connector undeploy, those sockets had better not be closed or else they won't be able to be re-bound

Solution 2
----------
- A separate "binder" program is written (in C) which creates a AF_UNIX socket with restricted permissions and runs as root
- JBAS starts up, runs through bootstrap normally as a non-priv user
- Rather than creating a ServerSocket, JBAS uses a JNI stub to connect to the AF_UNIX socket, and send a request to bind a privileged socket address
- The "binder" program binds the address and sends the file descriptor back over the AF_UNIX socket, and closes its local copy of the server socket
- JBAS reads that server socket back off the AF_UNIX socket
(note that this is arguably slightly more elegant as a custom ServerSocketFactory could do this transparently for non-NIO usages)

Solution 3 (Linux only)
-----------------------
- Run JBAS with CAP_NET_BIND_SERVICE

Note that these solutions all rely on platform-specific mechanisms, because it's a platform-specific problem.  The best we can do is come up with a way to distribute the JNI guts in such a way that it doesn't *look* like a platform-specific solution.

- DML 

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the jboss-jira mailing list