-4

For reasons beyond my comprehension, GlassFish refuses to play ball with iptables. That is, with all the correct redirection rules in place, it won't receive any redirected traffic. So I'm at plan B which is to bind GlassFish to ports 80 and 443 rather than 8080 and 8181.

As I don't want to run GlassFish as root for security reasons, I need to grant the user account that is running it with sufficient privileges to bind to ports 80 and 443. From a security point of view, it's not risky because iptables is blocking all the other ports.

In Centos 6.4, what command(s) do I execute to allow a specified non-root user to directly listen to ports < 1024?

Please don't suggest drastic solutions that involve downloading (and compiling) stuff from random locations. I need something reproducible, so if any dependencies need to be brought in, they need to come from Centos's package repository.

Steve
  • You know that [this isn't good practice](http://serverfault.com/q/413108/126632), right? – Michael Hampton Jun 06 '13 at 03:35
  • And do you know why? It's so non-root compromised accounts can't imitate secure services. But with `iptables` blocking those secure ports anyway except for the ports on which `root` already listens, it's a non-issue. – Steve Jun 06 '13 at 03:37
  • That's only one of the reasons. Click the link. – Michael Hampton Jun 06 '13 at 03:38
  • I did click the link. There was no elaboration on security. As for performance, I would have to make architectural changes to take advantage of the performance, otherwise I'll just be making the app slightly slower. Putting `httpd` between GlassFish and the Internet isn't going to magically speed things up. – Steve Jun 06 '13 at 03:42
  • Apparently this question does not show any research effort, is unclear or not useful. Can the down-voter please tell me exactly how this question does not show any research effort, is unclear or not useful? – Steve Jun 06 '13 at 04:09
  • 3
    I did not downvote you, but if I were to guess, it would be due to the fact that apparently you are not interested in hearing what the correct answer is to this problem. – EEAA Jun 06 '13 at 04:32

3 Answers

3

No, you don't want to do this.

Instead, pick your favorite web server (I prefer nginx), and use that to proxy requests from port 80 to wherever glassfish is listening.

The config bits for doing this are very simple, and you'll end up with a far more secure and more manageable system.

EEAA
  • 1
    Yes, I do want to do this. – Steve Jun 06 '13 at 03:39
  • 4
    @SteveTaylor - you came here asking for expert advice, and that is what you are getting from both myself and Michael. Believe me when I say this: reverse proxies are **the way** to get high-port applications down on to lower ports. Period. Full stop. Any other method, you're going to compromise security, manageability, etc. – EEAA Jun 06 '13 at 03:42
  • No, `iptables` is **the way**. Except GlassFish won't play nice. I have already proven that I can bind GlassFish as root to ports 80 and 443. I have also proven that I can block all other ports with `iptables`. And I have proven that the recommended `iptables` configuration to forward incoming 80 and 443 traffic to 8080 and 8181 respectively does not work. And I came here hoping, at best, for enthusiast advice. (See the FAQ.) Answers that don't specifically answer the specific question will be debated unless they provide an acceptable solution I haven't thought about yet. – Steve Jun 06 '13 at 04:12
1

The authbind tool will work. Just install/unpack it and prepend it to your command. For my installation I edited /usr/share/java-utils/java-functions and called $JAVACMD with it and it worked with no problem.

0

You ought to be able to use capabilities(7) to accomplish this. See e.g. https://stackoverflow.com/questions/413807/is-there-a-way-for-non-root-processes-to-bind-to-privileged-ports-1024-on-l/414258#414258 for lots of information.

I'm not specifically familiar with GlassFish so my reservation with this approach is that you may need to grant the CAP_NET_BIND_SERVICE capability to Java as a whole, which of course would be risky. Making a copy of the Java binary specifically for this purpose is one (also imperfect) option.

asmecher
  • Thanks. A great idea, but with one teeny tiny problem: `java: error while loading shared libraries: libjli.so: cannot open shared object file: No such file or directory` – Steve Jun 06 '13 at 03:52
  • Steve, are you sure that's related to the capability change? Check the usual suspects, i.e. your LD_LIBRARY_PATH, permissions on that library, etc. – asmecher Jun 06 '13 at 03:55
  • Yes, I read an article saying that this was filed as a Java bug and their answer is that it's a security feature. – Steve Jun 06 '13 at 04:07
  • Btw, I did not downvote this. It was the only answer that specifically addressed the question. It was likely downvoted by one of the question downvoters. As I understand it, you generally don't downvote questions that ask how to do something that, in someone's opinion, you shouldn't do. – Steve Jun 06 '13 at 05:36
  • 1
    @SteveTaylor - on the contrary. It's quite frequent that people post questions, already having a solution in mind and will *refuse* to accept what is really the correct answer to their question. These questions get downvoted quite quickly. We have a strong ethic of "doing things the right way", and in this case, you apparently aren't interested in hearing the right way. Which is your prerogative, but you'll need to deal with the downvotes. – EEAA Jun 06 '13 at 13:36
  • That's OK. When I have sufficient reputation, I'll be back here to downvote answers and comments that refused to answer the question actually asked. :) – Steve Jun 06 '13 at 14:18
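A worked version of the capabilities approach from this answer, together with the libjli.so failure discussed in the comments, as an added example that is not part of the original thread. It assumes libcap (setcap/getcap) on CentOS 6 and a JRE launcher at the path shown; the copy name `java-glassfish` and the ld.so.conf.d file name are my own choices.

```shell
#!/bin/bash
# Added example, not from the question or any answer: the capabilities route on
# CentOS 6 applied to a dedicated copy of the java launcher (asmecher's option),
# plus the fix for the libjli.so failure reported in the comments. Assumes libcap
# (setcap/getcap) is installed and $1 is the real JRE launcher, e.g.
# /usr/lib/jvm/jre/bin/java (that path is an assumption, check yours).
set -eu

# Print the directory holding libjli.so for a given java launcher. The launcher
# finds libjli.so through an RPATH built on $ORIGIN; once the file carries a
# capability the dynamic loader runs it in secure mode, where $ORIGIN is refused
# and LD_LIBRARY_PATH ignored, which is exactly "cannot open shared object file:
# libjli.so". Registering this directory with ldconfig is what makes it load.
find_jli_dir() {
    local java_bin jre_root dir
    java_bin=$(readlink -f "$1")
    [ -f "$java_bin" ] || return 1
    jre_root=$(dirname "$(dirname "$java_bin")")
    dir=$(find "$jre_root/lib" -name libjli.so -printf '%h\n' 2>/dev/null | head -n 1)
    [ -n "$dir" ] && echo "$dir"
}

# Copy the launcher next to the original (it derives the JRE home from its own
# location, so the copy must stay in the same bin directory), then grant only
# CAP_NET_BIND_SERVICE: no setuid bit, no root, just the right to bind < 1024.
# Must run as root; prints the path of the capability-bearing copy.
grant_bind_cap() {
    local src dst jli_dir
    src=$(readlink -f "$1")
    dst=$(dirname "$src")/java-glassfish
    jli_dir=$(find_jli_dir "$src") || { echo "no libjli.so for $src" >&2; return 1; }
    install -m 0755 "$src" "$dst"
    echo "$jli_dir" > /etc/ld.so.conf.d/glassfish-jli.conf
    ldconfig
    setcap 'cap_net_bind_service=+ep' "$dst"
    echo "$dst"
}

# Check from any account that the file carries CAP_NET_BIND_SERVICE and nothing
# else (matches both the "path = caps" and the newer "path caps" getcap formats).
has_only_bind_cap() {
    getcap "$1" 2>/dev/null | grep -Eq ' cap_net_bind_service[+=]ep$'
}

# Usage as root, then point the GlassFish domain / service script at the copy:
#   JAVACMD=$(grant_bind_cap /usr/lib/jvm/jre/bin/java)
#   has_only_bind_cap "$JAVACMD" && echo "ok: $JAVACMD"
```

Because the capability sits on a separate copy, the system-wide `java` keeps no extra privilege, and the service account still cannot bind any port that iptables does not already expose.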