Posted to server-user@james.apache.org by e....@web.de on 2008/10/14 11:35:04 UTC

Installation on Linux (Ubuntu 8.04 Server) - permissions - running as root

Hi,

Is there any more in-depth documentation, an example or recommendations, of how to run James on Linux in a more or less secure way?

Is it ok to run James as root? Should I create a specific user for James? How should the directory rights be set? Should I use a chroot-environment, if yes, how?
How can I install James as a service, where should log files go, ....

A lot of questions, but maybe somebody had this type of questions before? 

Regards, 
Ebe


---------------------------------------------------------------------
To unsubscribe, e-mail: server-user-unsubscribe@james.apache.org
For additional commands, e-mail: server-user-help@james.apache.org


Re: Installation on Linux (Ubuntu 8.04 Server) - permissions - running as root

Posted by Eberhard Iglhaut <eb...@iglhaut.com>.
Hi David,

thanks again! I will do some investigation on iptables. In theory it
would be better to not open ports in the first place than blocking
them afterwards with iptables, wouldn't it?
But I know, in theory...

Regards, Ebe



Re: Installation on Linux (Ubuntu 8.04 Server) - permissions - running as root

Posted by David Legg <da...@searchevent.co.uk>.
Hi Ebe,

> I think, running as root shouldn't be much of an issue...

In practice you are probably right.  It might give you a warm fuzzy 
feeling to know it is a little better protected though.  I would expect 
there are fewer known exploits for James than say Sendmail simply 
because of the smaller audience involved.

> I don't have any idea of iptables, so I guess the risk of introducing
> new security holes because of a bad configuration is higher than the
> risk of running as root. And I don't like NAT very much.

Operating a server with a live internet connection and no firewall would 
scare me ;-)

I get the impression your server is not public facing which may not be 
so bad.  Using iptables is scary at first, especially if your server is 
remotely located.  One false setting and it may not talk to you again!  
However, if you manually test your settings and make a mistake then a 
remote reboot could get you back in business.  Only when you are happy 
with your settings should you make them the boot defaults.

Let me know if you'd like more help setting up iptables.

> Where should I go for information about JSVC? To the Apache Commons
> page or is the setup more James-specific?
>   

I expect Norman could correct me if I'm wrong but I think you need to 
download the jar file (phoenix-daemon-loader-0.1.jar) he mentioned 
(https://issues.apache.org/jira/browse/JAMES-500) and then follow the 
instructions on (http://commons.apache.org/daemon/jsvc.html).  But I 
honestly wouldn't bother until you have iptables sorted out first.

Regards,
David Legg




Re: Installation on Linux (Ubuntu 8.04 Server) - permissions - running as root

Posted by Eberhard Iglhaut <eb...@iglhaut.com>.
Hi Bernd,

> Do you plan to enable a security manager?

Yes, I am thinking about it, at least.

Regards, Ebe



Re: Installation on Linux (Ubuntu 8.04 Server) - permissions - running as root

Posted by Bernd Fondermann <be...@googlemail.com>.
On Wed, Oct 15, 2008 at 23:38, Eberhard Iglhaut <eb...@iglhaut.com> wrote:
> Thanks to all of you for your answers!
>
> I think, running as root shouldn't be much of an issue, because what
> is running as root is the jvm, which has a security architecture of
> its own.

Do you plan to enable a security manager?

  Bernd



Re: Installation on Linux (Ubuntu 8.04 Server) - permissions - running as root

Posted by Eberhard Iglhaut <eb...@iglhaut.com>.
Thanks to all of you for your answers!

I think, running as root shouldn't be much of an issue, because what
is running as root is the jvm, which has a security architecture of
its own.
So I'll try David's scripts first.
I don't have any idea of iptables, so I guess the risk of introducing
new security holes because of a bad configuration is higher than the
risk of running as root. And I don't like NAT very much.
By the way - isn't there a possibility to configure Ubuntu in a way
that the usage of low ports is allowed to non-root users, that's what
we really want, isn't it?

Where should I go for information about JSVC? To the Apache Commons
page or is the setup more James-specific?

Regards,
Ebe


2008/10/14 David Legg <da...@searchevent.co.uk>:
> Thanks Norman!
>
>> this feature is in trunk...  You can easily "backport" it
>
> I looked into doing something similar but gave up because of time
> pressure... and now someone else has done it... hooray ;-)
>
> Regards,
> David Legg

Re: Installation on Linux (Ubuntu 8.04 Server) - permissions - running as root

Posted by David Legg <da...@searchevent.co.uk>.
Thanks Norman!

> this feature is in trunk...  You can easily "backport" it

I looked into doing something similar but gave up because of time 
pressure... and now someone else has done it... hooray ;-)

Regards,
David Legg




Re: Installation on Linux (Ubuntu 8.04 Server) - permissions - running as root

Posted by Norman Maurer <no...@apache.org>.
Hi David,

this feature is in trunk...  You can easily "backport" it:

https://issues.apache.org/jira/browse/JAMES-500

Cheers,
Norman

2008/10/14 David Legg <da...@searchevent.co.uk>

> Hi Martin,
>
>>> Yes, I run James as root; but only because I couldn't find an easy way to
>>> run it as anything else.
>>
>> What's so hard at running James as non-root? The only 'problem' is that
>> you cannot bind to port 25 but that can be easily solved by running James on
>> port 2525 (or any other port > 1024) and using iptables to map port 25 to
>> 2525.
>
> That's an interesting idea that hadn't occurred to me!
>
> I guess I've been spoiled with other software like Tomcat where you can use
> something like JSVC which starts running the software as root and then after
> opening the appropriate ports switches to another user.
>
> Regards,
> David Legg

Re: Installation on Linux (Ubuntu 8.04 Server) - permissions - running as root

Posted by David Legg <da...@searchevent.co.uk>.
Hi Martin,

>> Yes, I run James as root; but only because I couldn't find an easy way
>> to run it as anything else.
>
> What's so hard at running James as non-root? The only 'problem' is that you cannot bind to port 25 but that can be easily solved by running James on port 2525 (or any other port > 1024) and using iptables to map port 25 to 2525.

That's an interesting idea that hadn't occurred to me!

I guess I've been spoiled with other software like Tomcat where you can 
use something like JSVC which starts running the software as root and 
then after opening the appropriate ports switches to another user.

Regards,
David Legg




Re: Installation on Linux (Ubuntu 8.04 Server) - permissions - running as root

Posted by Martijn Brinkers <ma...@gmail.com>.
> Yes, I run James as root; but only because I couldn't find an easy way 
> to run it as anything else.  I did look at other options but it didn't 

What's so hard at running James as non-root? The only 'problem' is that you cannot bind to port 25 but that can be easily solved by running James on port 2525 (or any other port > 1024) and using iptables to map port 25 to 2525.

Regards,

Martijn Brinkers  

On Tue, 2008-10-14 at 15:42 +0100, David Legg wrote:
> Hi Ebe,
> 
> > Is it ok to run James as root? Should I create a specific user for James? How should the directory rights be set? Should I use a chroot-environment, if yes, how?
> > How can I install James as service, where should log files go, ....
> 
> I installed James as a service on an Ubuntu server by creating a new 
> file called 'james' in the /etc/init.d directory which looks as follows: -
>  
> #!/bin/sh
> #
> # Set the environment - this is crucial... it doesn't exist at boot time.
> export JAVA_HOME=/usr/local/java
> 
> case "$1" in
> 'start')
>         echo "Starting James Mail Server: "
>         /usr/local/james/bin/phoenix.sh start
>         ;;
> 'stop')
>         echo "Stopping James Mail Server: "
>         /usr/local/james/bin/phoenix.sh stop
>         ;;
> 'restart')
>         echo "Restarting James Mail Server: "
>         /usr/local/james/bin/phoenix.sh restart
>         ;;
> *)
>         echo "Usage: $0 { start | stop | restart }"
>         exit 1
>         ;;
> esac
> exit 0
> 
> 
> Once you have done that execute the following commands as root: -
> 
>     # chmod +x /etc/init.d/james
>     # update-rc.d james defaults 20 80
>      Adding system startup for /etc/init.d/james ...
>        /etc/rc0.d/K80james -> ../init.d/james
>        /etc/rc1.d/K80james -> ../init.d/james
>        /etc/rc6.d/K80james -> ../init.d/james
>        /etc/rc2.d/S20james -> ../init.d/james
>        /etc/rc3.d/S20james -> ../init.d/james
>        /etc/rc4.d/S20james -> ../init.d/james
>        /etc/rc5.d/S20james -> ../init.d/james
> 
> 
> Assuming you installed James in /usr/local/james you should find all the 
> log files get stored in /usr/local/james/apps/james/logs
> 
> Yes, I run James as root; but only because I couldn't find an easy way 
> to run it as anything else.  I did look at other options but it didn't 
> look easy.  I do of course run iptables as a firewall to only expose 
> essential ports like 25 and 110.
> 
> Hope that helps.
> 
> Regards,
> David Legg


---------------------------------------------------------------------
To unsubscribe, e-mail: server-user-unsubscribe@james.apache.org
For additional commands, e-mail: server-user-help@james.apache.org
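
The port mapping Martijn describes above, as an added example that is not part of the original thread: a script that prints iptables-restore input redirecting the privileged mail ports to the high ports an unprivileged James would listen on. The 110 to 1110 mapping and the function names are assumptions; the thread itself only names 25 to 2525.

```shell
#!/bin/sh
# Added example (not from the thread): print iptables-restore input that maps
# privileged mail ports to the high ports an unprivileged James listens on.
# Assumption: James has been reconfigured to listen on 2525 (SMTP) and
# 1110 (POP3); 1110 is a constructed value, the thread only names 2525.

# Succeeds only if $1 is a decimal TCP port number in 1..65535.
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# nat_rules "PUBLIC:PRIVATE" ... -> rules on stdout, non-zero on a bad mapping.
nat_rules() {
    out='*nat'
    for map in "$@"; do
        pub=${map%%:*}
        priv=${map#*:}
        is_port "$pub" && is_port "$priv" ||
            { echo "bad mapping: $map" >&2; return 1; }
        # Redirecting to a port below 1024 would not remove the need for root.
        [ "$priv" -ge 1024 ] ||
            { echo "private port must be >= 1024: $map" >&2; return 1; }
        # PREROUTING rewrites connections arriving from other hosts.
        out="$out
-A PREROUTING -p tcp --dport $pub -j REDIRECT --to-ports $priv"
        # OUTPUT covers local clients; their packets never pass PREROUTING.
        out="$out
-A OUTPUT -o lo -p tcp --dport $pub -j REDIRECT --to-ports $priv"
    done
    printf '%s\nCOMMIT\n' "$out"
}

# Print the rule set for review; nothing is applied to the running firewall.
nat_rules 25:2525 110:1110
```

The output can be checked with `iptables-restore --test` and loaded with `iptables-restore --noflush` so that existing nat rules are kept. After a PREROUTING redirect the filter INPUT chain sees the rewritten port, so it has to accept 2525 and 1110 rather than 25 and 110.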


Re: Installation on Linux (Ubuntu 8.04 Server) - permissions - running as root

Posted by David Legg <da...@searchevent.co.uk>.
Hi Ebe,

> Is it ok to run James as root? Should I create a specific user for James? How should the directory rights be set? Should I use a chroot-environment, if yes, how?
> How can I install James as service, where should log files go, ....

I installed James as a service on an Ubuntu server by creating a new 
file called 'james' in the /etc/init.d directory which looks as follows: -
 
#!/bin/sh
#
# Set the environment - this is crucial... it doesn't exist at boot time.
export JAVA_HOME=/usr/local/java

case "$1" in
'start')
        echo "Starting James Mail Server: "
        /usr/local/james/bin/phoenix.sh start
        ;;
'stop')
        echo "Stopping James Mail Server: "
        /usr/local/james/bin/phoenix.sh stop
        ;;
'restart')
        echo "Restarting James Mail Server: "
        /usr/local/james/bin/phoenix.sh restart
        ;;
*)
        echo "Usage: $0 { start | stop | restart }"
        exit 1
        ;;
esac
exit 0


Once you have done that execute the following commands as root: -

    # chmod +x /etc/init.d/james
    # update-rc.d james defaults 20 80
     Adding system startup for /etc/init.d/james ...
       /etc/rc0.d/K80james -> ../init.d/james
       /etc/rc1.d/K80james -> ../init.d/james
       /etc/rc6.d/K80james -> ../init.d/james
       /etc/rc2.d/S20james -> ../init.d/james
       /etc/rc3.d/S20james -> ../init.d/james
       /etc/rc4.d/S20james -> ../init.d/james
       /etc/rc5.d/S20james -> ../init.d/james


Assuming you installed James in /usr/local/james you should find all the 
log files get stored in /usr/local/james/apps/james/logs

Yes, I run James as root; but only because I couldn't find an easy way 
to run it as anything else.  I did look at other options but it didn't 
look easy.  I do of course run iptables as a firewall to only expose 
essential ports like 25 and 110.

Hope that helps.

Regards,
David Legg

