[AWS] SSL questions
Ronald Dauster
rpd@ronald-dauster.de
Wed, 07 Jan 2004 03:35:13 +0100
> > 6) I am using Mandrake 9.2, with a security level of "higher"
> > (the one advised for using the machine as a server).
> > To run a server at ports 80 or 443, the program has to be started as root.
> > (the question is not really AWS specific) Isn't running a server as root
> > a security problem rather than a good thing?
>
> > What can I do to be allowed to start my process on port 80
> > or 443 as a normal user?
>
Maybe you can use the Linux firewall features to reroute port 80 or 443
to a non-privileged port.
See the Jetty Servlet Engine FAQ at
http://jetty.mortbay.org/jetty/faq?s=300-HTTP&t=user80
and the iptables documentation.
Depending on what you want to achieve, several other configurations come
to mind:
- run a small 'trusted' AWS application as root and use the hotplug feature
  to run the real application.
- use another reverse proxy, like Apache (basically the same as above with
  Apache substituted for the 'trusted' AWS app). Of course, this makes no
  sense if you want to use AWS as just a web server.
- run the server chroot (can be combined with the other approaches)
- just use another port, e.g. 8080 and 8443, possibly using a redirect from
  another server if you want to have a nice URL without port number for the
  home page.
But, please consider: It does not matter, security-wise, if the server runs
as root or not, unless the server has bugs that can be exploited by an
attacker (which it probably does). If an attacker does break into your AWS
application, does it matter if he immediately gains root access?
Often the answer is yes, sometimes it makes no difference (e.g. if the
system runs only your application).
Hope this helps,
Ronald
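
The firewall reroute suggested in the message above, as an added example that is not part of the original post: a script that builds iptables NAT rules sending ports 80/443 to the unprivileged ports 8080/8443 named in the post. The function names and the APPLY variable are hypothetical; by default the rules are only printed.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical;
# 8080/8443 are the unprivileged ports mentioned in the post.

# is_port VALUE MIN MAX: true if VALUE is all digits and within MIN..MAX.
is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# redirect_rules PUBLIC:LOCAL ...: print one iptables command per line.
# PUBLIC must be privileged (1-1023), LOCAL unprivileged (1024-65535).
redirect_rules() {
    for pair in "$@"; do
        pub=${pair%%:*}
        loc=${pair#*:}
        if ! is_port "$pub" 1 1023 || ! is_port "$loc" 1024 65535; then
            echo "rejected port pair: $pair" >&2
            return 1
        fi
        # Traffic arriving from the network.
        printf 'iptables -t nat -A PREROUTING -p tcp --dport %s -j REDIRECT --to-ports %s\n' "$pub" "$loc"
        # Connections made on the host itself to localhost skip PREROUTING.
        printf 'iptables -t nat -A OUTPUT -o lo -p tcp --dport %s -j REDIRECT --to-ports %s\n' "$pub" "$loc"
    done
}

# apply_rules PUBLIC:LOCAL ...: dry run by default; APPLY=1 executes (root).
# All pairs are validated before anything runs, so a bad pair applies nothing.
apply_rules() {
    rules=$(redirect_rules "$@") || return 1
    if [ "${APPLY:-0}" = 1 ]; then
        printf '%s\n' "$rules" | sh -e
    else
        printf '%s\n' "$rules"
    fi
}

# Caveat: ports >= 1024 can be bound by any local user, so whoever grabs 8080
# while the server is down receives the redirected port 80 traffic.
apply_rules 80:8080 443:8443
```

With these rules in place the server itself listens on 8080 and 8443 as a normal user and never needs root.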