
On Linux do people chroot a Java Web Application or use IPTables and run as non-root?

When you run a Java Servlet Container that you would like to serve both static and dynamic content on port 80 you have the classic question of whether to run the server as:

  1. As root, hopefully in a chroot jail if you can (haven't gotten this working yet)
  2. As a non-root user and then use IPTables to forward port 80 to some other port (>1024) that the container is running on
  3. Both: as a non-root user, IPTables, and a chroot jail.

The problem with opt. 1 is the complexity of chrooting and still the security problems of running as root. The problem with opt. 2 is that each Linux distro has a different way of persisting IPTables. Option 3 of course is probably ideal but very hard to set up.

Finally, every distro has annoying differences in daemon scripts.

What do people find as the best distro-agnostic solution, and are there resources to show how to do this?

EDIT: I would rather not run Apache in front of the servlet container because the site is mostly dynamic and total memory footprint is important (hosting costs).

Run as non-root and use a standard webserver (apache) or a lightweight one (such as lighttpd or nginx) on port 80 to redirect to your instance.

This has the advantage that the standard webserver can serve static content, reducing the load on your web application. You could even have it reverse-proxy and cache the web application traffic.

Check out authbind, which is designed specifically to allow non-root users controlled access to privileged ports.

This way, you can effectively escalate your Tomcat user's privileges to just the root powers you want (open privileged ports) without giving your webapp process unnecessary powers to wreak havoc.

I use jetty on port 8080 and redirect with

    iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
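The rule above is typically re-run from a boot or deploy script, and `-I` inserts a fresh copy every time it runs. The following is an added example (not from the answer above) that makes the redirect idempotent with `iptables -C`, refuses to redirect to a privileged port, and also covers connections made from the box itself, which PREROUTING never sees. It assumes iptables 1.4.11 or newer (for `-C`) and root when actually applying rules.

```shell
#!/bin/sh
# Added example: idempotent REDIRECT from a privileged port to the high port
# a non-root servlet container (e.g. jetty on 8080) listens on.
# Assumes: iptables >= 1.4.11 (-C/--check) and root to modify the nat table.

# Accept only a numeric port in the unprivileged range 1025-65535.
is_unprivileged_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 1024 ] && [ "$1" -le 65535 ]
}

# Insert a nat rule only when it is not already present, so re-running this
# at every boot does not stack duplicate REDIRECT rules (-I always adds one).
ensure_rule() {
    chain="$1"; shift
    if iptables -t nat -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    iptables -t nat -I "$chain" "$@"
}

# Redirect TCP traffic arriving on $1 (e.g. 80) to the container on $2 (e.g. 8080).
# PREROUTING handles traffic from other hosts; locally generated traffic
# (curl http://localhost/ on the server) only traverses the nat OUTPUT chain.
redirect_port() {
    pub="$1"; app="$2"
    if ! is_unprivileged_port "$app"; then
        echo "refusing: $app is not an unprivileged port" >&2
        return 1
    fi
    ensure_rule PREROUTING -p tcp --dport "$pub" -j REDIRECT --to-port "$app" || return 1
    ensure_rule OUTPUT -o lo -p tcp --dport "$pub" -j REDIRECT --to-port "$app"
}

# Usage: ./redirect.sh apply   (needs root; other invocations only define the functions)
if [ "${1:-}" = "apply" ]; then
    redirect_port 80 8080
fi
```

Persisting the rules is still distro-specific (iptables-save output, netfilter-persistent, or a service unit), but a script like this can be called from any of them without accumulating rules.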

The recently discovered vulnerability in Struts2 - https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/ - clearly shows that running as root is dangerous.

Why not simply run it as root? What bad can happen?

I've never heard of a Java servlet container being hacked such that the hacker can break out of the JVM and gain access to the OS.

Let's say that happens. The hacker read the JVM code and found a hole. He breaks into your system through your servlet container and logs in as the user that runs the servlet container.

Then you are screwed. The most valuable and the only valuable things on your server are all accessible to that user. It doesn't matter that the user is a normal user.

What more damage can be done if that user is root? The OS is disposable, just wipe it clean and reinstall.
