Running Tomcat (or Aware) as a restricted user

RLJB
Posts: 914
Joined: Tue Jan 05, 2010 10:16 am
Location: Sydney, Australia

Running Tomcat (or Aware) as a restricted user

Post by RLJB »

Has anyone tried running Tomcat (or even Aware) as a different (and restricted permissions) user?

If so, please share your findings, or PM if security issue.

Thanks.
(Linux hosted preferred)
Rod. Aware 8.6 (latest build), Developer Edition, on OS Linux (Ubuntu) using GUI hosted on AWS EC2, MYSQL on AWS RDS
intra
Posts: 279
Joined: Thu Oct 11, 2012 1:30 pm
Location: Australia

Re: Running Tomcat (or Aware) as a restricted user

Post by intra »

Hey Rod,

I believe (don't quote me) that only a root user can use low end port numbers.

Had any ideas of late that might address this?

I have been considering running the tomcat side of things on higher number ports and then using iptables to redirect it to lower end ports. I just haven't gotten around to it however. :(
Avid Linux user....
intra
Posts: 279
Joined: Thu Oct 11, 2012 1:30 pm
Location: Australia

Re: Running Tomcat (or Aware) as a restricted user

Post by intra »

After a little experimentation, I have been able to modify the startup to run under a non-privileged account.

There are a few issues with low port numbers with non-privileged accounts, however you can get around the issue with additional packages from the Linux repository.

I'm going to have a quick look at reverse-proxying with Apache mod_proxy or NGINX (to automate LetsEncrypt renewal in a nicer fashion instead of dropping the tomcat service, which causes a user outage).
Avid Linux user....
RLJB
Posts: 914
Joined: Tue Jan 05, 2010 10:16 am
Location: Sydney, Australia

Re: Running Tomcat (or Aware) as a restricted user

Post by RLJB »

Well that is a LOT more successful than my attempts!

Can you send some specifics about how you did it please?
Rod. Aware 8.6 (latest build), Developer Edition, on OS Linux (Ubuntu) using GUI hosted on AWS EC2, MYSQL on AWS RDS
gijsvb
Posts: 45
Joined: Fri Jan 23, 2015 5:32 pm

Re: Running Tomcat (or Aware) as a restricted user

Post by gijsvb »

I also have tomcat running with letsencrypt certificates. If you have any news on automating the certificate renewal process, please let me know.

Afaik now, I have to restart AwareIM at least every 90 days.
Gijs van Ballegooijen.
the Netherlands.

AwareIM 8.4 (build 2708)
Server: Ubuntu Linux 18.04.2
Database: MariaDB
Config: Windows 2012R2
intra
Posts: 279
Joined: Thu Oct 11, 2012 1:30 pm
Location: Australia

Re: Running Tomcat (or Aware) as a restricted user

Post by intra »

Just a quick update...

I have been able to raise an NGINX web server as a reverse proxy to allow for automated SSL renewals, then forward the request to tomcat running as a restricted user. Works well and avoids the hard shutdown of tomcat to renew the certificates.

Basically the following was done (I'll write it up later).

Option 1.

1. Install NGINX
2. Config NGINX to serve as the front end server on ports 80 and 443
3. Set up LetsEncrypt for SSL certs and redirect port 80 to 443
4. Pass port 443 to the backend server (tomcat) listening on an alternative port.
5. Install AwareIM
6. Set up a restricted user, disable shell access
7. Set up appropriate groups
8. Set up a cron job to auto-renew SSL.
9. Beers.

If you don't have a requirement to run a reverse proxy in front of AwareIM and want tomcat exposed as the primary, then you'll need to use 'authbind' to allow restricted users to launch services. This gets around the higher administrative credentials.

There are two more additional scenarios that I want to test: one will be supporting 'virtual hosts' so that I can have multiple domains from one front application server, and the other will be load balancing the requests.
Avid Linux user....