On Linux, do people chroot a Java web application or use IPTables and run as non-root?
When you run a Java Servlet Container that you would like to serve both static and dynamic content on port 80 you have the classic question of whether to run the server as:
- As root in hopefully a chroot jail if you can (haven't gotten this working yet)
- As a non root user and then use IPTables to forward port 80 to some other port (>1024) that the container is running on
- Both: As a non root user, IPTables, and chroot jail.
The problem with opt. 1 is the complexity of chrooting and still the security problems of running root. The problem with opt. 2 is that each Linux distro has a different way of persisting IPTables. Option 3 of course is probably ideal but very hard to set up.
Finally every distro has the annoying differences in daemon scripts.
What do people find as the best distro agnostic solution and are there resources to show how to do this?
EDIT: I would rather not run Apache in front of the servlet container because the site is mostly dynamic and total memory footprint is important (hosting costs).
Run as non-root and use a standard webserver (apache) or a lightweight one (such as lighttpd or nginx) on port 80 to redirect to your instance.
This has the advantage that the standard webserver can serve static content, reducing the load on your web application. You could even have it reverse-proxy and cache the web application traffic.
Check out authbind, which is designed specifically to allow non-root users controlled access to privileged ports.
This way, you can effectively escalate your Tomcat user's privileges to just the root powers you want (open privileged ports) without giving your webapp process unnecessary powers to wreak havoc.
I use jetty on port 8080 and redirect with
iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
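An added example (not part of the answer above, nor from any project): an idempotent wrapper around that redirect rule, so the same script can be called from any distro's boot mechanism without stacking duplicate rules. It also adds an OUTPUT rule for loopback, because locally generated connections do not traverse PREROUTING; the function names and the `IPTABLES` override are assumptions of this example.

```shell
#!/bin/sh
# Added example: idempotent port 80 -> 8080 redirect for a non-root servlet container.
# IPTABLES can be overridden (assumption of this example) to exercise the logic without root.
IPTABLES="${IPTABLES:-iptables}"

# ensure_rule CHAIN RULE...: insert a nat rule only if an identical one is absent.
ensure_rule() {
    chain=$1; shift
    if "$IPTABLES" -t nat -C "$chain" "$@" 2>/dev/null; then
        return 0    # already present; re-running must not stack duplicates
    fi
    "$IPTABLES" -t nat -I "$chain" "$@"
}

# ensure_redirect PUBLIC_PORT APP_PORT
ensure_redirect() {
    public=$1; app=$2
    for p in "$public" "$app"; do
        case "$p" in
            ''|*[!0-9]*) echo "ports must be numeric" >&2; return 2 ;;
        esac
    done
    if [ "$app" -lt 1024 ]; then
        echo "app port must be unprivileged (>=1024) for a non-root container" >&2
        return 2
    fi
    # Traffic arriving from the network traverses PREROUTING (the rule from the answer;
    # --to-ports is the option spelling in the iptables man page).
    ensure_rule PREROUTING -p tcp --dport "$public" -j REDIRECT --to-ports "$app" || return 1
    # Locally generated connections skip PREROUTING; cover loopback via OUTPUT.
    ensure_rule OUTPUT -o lo -p tcp --dport "$public" -j REDIRECT --to-ports "$app"
}

# Run as root with the argument "apply", e.g. from an init script or boot hook.
if [ "${1:-}" = "apply" ]; then
    ensure_redirect 80 8080
fi
```

With this in place the servlet container itself never needs root: it binds 8080 as its own user, and only this short script runs privileged.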
The recently found vulnerability in Struts2 - https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/ - shows clearly that running as root is dangerous.
Why not simply run it as root? What bad can happen?
I've never heard of a Java servlet container being hacked and the hacker breaking out of the JVM and gaining access to the OS.
Let's say that happens. The hacker read the JVM code and found a hole. He breaks into your system through your servlet container and logs in as the user that runs the servlet container.
Then you are screwed. The most valuable and the only valuable things on your server are all accessible to that user. It doesn't matter that the user is a normal user.
What more damage can be done if that user is root? The OS is disposable; just wipe it clean and reinstall.