On Linux do people chroot a Java Web Application or use IPTables and run as non-root?
When you run a Java Servlet Container that you would like to serve both static and dynamic content on port 80 you have the classic question of whether to run the server as:
The problem with opt. 1 is the complexity of chrooting and still the security problems of running root.
The problem with opt. 2 is that each Linux distro has a different way of persisting IPTables.
Option 3 of course is probably ideal but very hard to set up.
Finally every distro has the annoying differences in daemon scripts.
What do people find as the best distro agnostic solution and are there resources to show how to do this?
EDIT: I would rather not run Apache in front of the servlet container because the site is mostly dynamic and total memory footprint is important (hosting costs).
Run as non-root and use a standard webserver (apache) or a lightweight one (such as lighttpd or nginx) on port 80 to redirect to your instance.
This has the advantage that the standard webserver can serve static content, reducing the load on your web application. You could even have it reverse-proxy and cache the web application traffic.
Check out authbind, which is designed specifically to allow non-root users controlled access to privileged ports.
This way, you can effectively escalate your Tomcat user's privileges to just the root powers you want (open privileged ports) without giving your webapp process unnecessary powers to wreak havoc.
I use jetty on port 8080 and redirect with
iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
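To confirm that a setup like the ones above leaves the servlet container listening under a non-root account, the owning uid of each listening socket can be read from /proc/net/tcp and /proc/net/tcp6. The following is an added example, not part of the original thread; the sample tables and uid 1001 are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): report which uid owns the
# LISTEN socket on a TCP port, from /proc/net/tcp-format text.
# On a live host: check_port "$(cat /proc/net/tcp /proc/net/tcp6)" 8080

# Constructed sample: hypothetical uid 1001 (the container's account) listens
# on 8080 behind the REDIRECT rule; the 8080 row in state 01 is a connection.
SAMPLE_OK='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 31337 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 0100007F:C350 01 00000000:00000000 00:00000000 00000000  1001        0 31400 1 0000000000000000 20 4 30 10 -1'

# Constructed sample in tcp6 layout: the container bound port 80 itself as uid 0.
SAMPLE_ROOT='  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:0050 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 40001 1 0000000000000000 100 0 0 10 0'

# listener_uids TABLE PORT: print the uid of each LISTEN (st == 0A) socket on PORT.
listener_uids() {
    lu_hex=$(printf '%04X' "$2")          # /proc prints ports as 4 uppercase hex digits
    printf '%s\n' "$1" | awk -v p="$lu_hex" '
        $4 == "0A" {
            n = split($2, part, ":")      # local_address is HEXADDR:HEXPORT (IPv4 or IPv6)
            if (part[n] == p) print $8    # field 8 is the owning uid
        }' | sort -un
}

# check_port TABLE PORT: 0 = only non-root listeners, 1 = root owns one, 2 = no listener.
check_port() {
    cp_uids=$(listener_uids "$1" "$2")
    [ -n "$cp_uids" ] || return 2
    for cp_uid in $cp_uids; do
        [ "$cp_uid" -ne 0 ] || return 1
    done
    return 0
}

check_port "$SAMPLE_OK" 8080 && echo "8080: listener is not root"
check_port "$SAMPLE_ROOT" 80 || echo "80: rc=$? (1 means a root-owned listener)"
```

Reading both tcp and tcp6 matters because a JVM that binds a dual-stack socket shows up only in the tcp6 table.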
The recently discovered vulnerability in Struts2 - https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/ - clearly shows that running as root is dangerous.
Why not simply run it as root? What bad can happen?
I've never heard of a Java servlet container being hacked and the hacker can break out of JVM and gain access to OS.
Let's say that happens. The hacker read the JVM code and found a hole. He breaks into your system through your servlet container and logs in as the user that runs the servlet container.
Then you are screwed. The most valuable and the only valuable things on your server are all accessible to that user. It doesn't matter that the user is a normal user.
What more damage can be done if that user is root? OS is disposable, just wipe it clean and reinstall.