Running Tomcat (or Aware) as a restricted user

RLJB

Has anyone tried running Tomcat (or even Aware) as a different (and restricted permissions) user?

If so, please share your findings, or PM if security issue.

Thanks.
(Linux hosted preferred)

intra

Hey Rod,

I believe (don't quote me) that only a root user can use low end port numbers.

Had any idea's of late that might address?

I have been considering running the tomcat side of things on higher number ports and then using iptables to redirect it to lower end ports. I just haven't gotten around to it however. 🙁

intra

After a little experimentation, i have been able to modify the startup to run under a non-privileged account.

There are a few issues with low-ports numbers with non-privileged accounts, however you can get around the issue with additional packages from the Linux repository.

I'm going to have a quick look at reverse-proxying with apache mod_proxy or NGINX (to automate LetsEncrypt renewal in a nicer fashion instead of dropping tomcat service which causes an user outage).

RLJB

Well that is a LOT more successful than my attempts!

Can you send some specifics about how you did it pls?

gijsvb

I also have tomcat running with letsencrypt certificates. If you have any news on automating the certificate renewal proces, please let me know.

Afaik now, I have to restart AwareIM at least every 90 days.

intra

Just a quick update...

I have been able to raise a NGINX web server as a reverse proxy to allow for automated SSL renewals, then forward the request to tomcat running as a restricted user. Works well and avoids the hard shutdown of tomcat to renew the certificates.

Basically the following was done (i'll write it up later).

Option 1.

Install NGINX
Config NGINX to serve as the front end server on ports 80 and 443
Setup LetsEncrypt for SSL certs and redirect port 80 to 443
Pass port 443 to backend server (tomcat) listening on an alternative port.
Install AwareIM
Setup restricted user , disable shell access
Setup appropriate groups
Setup cronjob to auto renew SSL.
Beers.

If you don't have a requirement to run a reverse proxy infront of AwareIM and want tomcat exposed as the primary then you'll need to use 'authbind' to allow restricted users to launch services. This gets around the higher administrative credentials.

There is two more additional scenario that i want to test and that will be supporting 'virtual hosts' so that i can have multiple domains from one front application server and the other will be load balancing the requests.