authbind: start Tomcat services as a regular user on ports below 1024 (using Tomcat on port 80 as a regular Linux user)

Start the Tomcat service through authbind. This allows a regular user to bind ports below 1024, so no port redirection or iptables rule is needed.

apt-get install authbind -y

The command above installs the authbind software.

chmod -R 755 /etc/authbind

In the next command, group should be the user's group.

chown -Rh root:group /etc/authbind

After that, run the commands below:

cd /etc/authbind/byuid

As an example, let's imagine the user ID is 2000; use your own user ID number.

echo '0.0.0.0/0:1,1023' > 2000

That file should be owned by the user and group (user and group are placeholders for your own account).

chown user:group 2000

chmod 700 2000

Add the line below to the Tomcat startup file $CATALINA_BASE/startup.sh:

export JAVA_OPTS="$JAVA_OPTS -Djava.net.preferIPv4Stack=true"

To start Tomcat using authbind, edit the service startup.sh.

Comment out the line below:

#$CATALINA_HOME/bin/startup.sh

Add this at the end of the file:

AUTHBIND_COMMAND="/usr/bin/authbind --deep /bin/bash -c " 

$AUTHBIND_COMMAND $CATALINA_HOME/bin/startup.sh

Now you should be able to start the Tomcat service as a regular user on ports below 1024.

Method 2:

http://serverfault.com/questions/615422/tomcat-cannot-change-port-8080-to-80

Method 3:

Running Tomcat on port 80 on Linux

Wednesday, 10 November 2010 18:40 | Author: Doma

By default Tomcat's HTTP connector listens on port 8080. Changing to port 80 in a Linux environment can be quite tricky, since by default listening on any port under 1024 requires a privileged user, and for security reasons it is not recommended to run Tomcat with elevated permissions. This article discusses how to use authbind to achieve this; it also describes how all this configuration can be automated in a script that initializes a freshly installed Linux instance. This is especially advantageous on Amazon EC2, where we can use this init-script to initialize a fresh instance just launched from an AMI; indeed, Amazon's "Amazon Linux Image 1.0" was used for testing for this article. Please note that this is a CentOS 5-based Linux distribution; for other distributions there are slight changes, like replacing "sudo yum install tomcat6" with "sudo apt-get install tomcat6" on Debian-based systems like Ubuntu.

At the end of the article, all the commands are summarized to facilitate one-step configuration.

Installing Tomcat

We’ll need the tomcat6 package to run Tomcat’s core components, as well as the tomcat6-admin-webapps package since we’ll use Tomcat’s Manager Application for application deployments, either thru Maven’s Cargo component or thru the web-browser. Since we’ll compile the authbind application from its sources, we’ll also need gcc, the GNU C Compiler package which contains all components to build an application on Linux. To install all this, grab a terminal and execute:

sudo yum -y install tomcat6 tomcat6-admin-webapps gcc

Usually a web server is started automatically on system boot. This can be achieved with:

sudo /sbin/chkconfig --levels 235 tomcat6 on

Listening on ports < 1024 in Linux with an unprivileged user

There are several options to achieve this:
-    By using authbind, which authorizes specific users to bind specific ports under 1024
-    By using Jsvc, a set of libraries and applications for making Java applications run on UNIX more easily (Jsvc allows the Tomcat application to perform some privileged operations as root, e.g. bind to a port < 1024, and then switch identity to a non-privileged user)
-    By configuring iptables to re-route the packets from port 80 to 8080
This article describes the authbind approach. But first, let's tell Tomcat to listen on port 80 instead of 8080.

Changing Tomcat's default HTTP port

The default HTTP port is defined in /etc/tomcat6/server.xml:

<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />

We need to change this default port to 80 in server.xml. Either replace it by hand, or automatically: to replace the occurrences of port="8080" with port="80", execute the following command:

sudo sed -i 's/port\=\"8080\"/port\=\"80\"/' /etc/tomcat6/server.xml

The same for port 8443, which will be replaced with port 443:

sudo sed -i 's/port\=\"8443\"/port\=\"443\"/' /etc/tomcat6/server.xml

We'll start Tomcat with authbind. This can be achieved by changing Tomcat's init-script in /etc/init.d, replacing the line

TOMCAT_SCRIPT="/usr/sbin/tomcat6"

with

TOMCAT_SCRIPT="exec authbind --deep /usr/sbin/tomcat6"

Again, it can be automated like this:

sudo sed -i 's/TOMCAT_SCRIPT=\"\/usr\/sbin\/tomcat6\"/TOMCAT_SCRIPT=\"exec authbind --deep \/usr\/sbin\/tomcat6\"/' /etc/init.d/tomcat6

We have to tell Tomcat to use the IPv4 stack by default. This can be done by appending the line CATALINA_OPTS="-Djava.net.preferIPv4Stack=true" to /etc/tomcat6/tomcat6.conf:

sudo sed -i '$ a\CATALINA_OPTS=\"-Djava\.net\.preferIPv4Stack=true\"\n' /etc/tomcat6/tomcat6.conf

Installing and configuring authbind

Authbind is installed the usual way, with the help of gcc and make. Please note: for this step to succeed, the gcc package is needed. It was already installed earlier with the command sudo yum install gcc, when Tomcat was installed.

cd ~
fetch http://ftp.debian.org/debian/pool/main/a/authbind/authbind_2.1.1.tar.gz
tar xvzf authbind_2.1.1.tar.gz
cd authbind-2.1.1
make
sudo make install

Authbind is configured through special files whose permissions determine which users are given access. Since Tomcat runs as the tomcat user, we'll tell authbind to allow this account to bind the HTTP port 80 and the HTTPS port 443:

sudo touch /etc/authbind/byport/80
sudo chmod 500 /etc/authbind/byport/80
sudo chown tomcat /etc/authbind/byport/80
sudo touch /etc/authbind/byport/443
sudo chmod 500 /etc/authbind/byport/443
sudo chown tomcat /etc/authbind/byport/443
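
Added example (not part of the original article or of authbind itself): a small audit script that compares the two grant styles on this page, the byuid range 1,1023 from the first method and the byport files for 80 and 443 here, against the ports the service actually needs. The temporary tree, UID 2001 and the mode 526 are constructed sample data; only the addr/length:min,max line form shown on this page is parsed.

```shell
#!/bin/sh
# Added example, not from the original page: least-privilege audit of an
# authbind configuration tree. Only the "addr/length:min,max" byuid form
# used on this page is parsed; any other line is reported as UNPARSED.

# audit_authbind ROOT "NEEDED PORTS": prints one finding per line.
audit_authbind() {
    root=$1
    needed=$2
    for f in "$root"/byuid/*; do
        [ -f "$f" ] || continue
        while IFS= read -r line || [ -n "$line" ]; do
            case $line in
                '') continue ;;
                *:*,*) ports=${line##*:}; min=${ports%,*}; max=${ports#*,} ;;
                *) min=x; max=x ;;
            esac
            case "/$min/$max/" in
                *//*|*[!0-9/]*) echo "UNPARSED byuid/${f##*/}: $line"; continue ;;
            esac
            # Ports in the granted range that the service does not need.
            extra=$(($max - $min + 1))
            for p in $needed; do
                if [ "$p" -ge "$min" ] && [ "$p" -le "$max" ]; then
                    extra=$(($extra - 1))
                fi
            done
            if [ "$extra" -gt 0 ]; then
                echo "BROAD byuid/${f##*/}: $min-$max grants $extra port(s) beyond: $needed"
            fi
        done < "$f"
    done
    # Whoever can write a grant file can widen the grant.
    find "$root" -type f \( -perm -020 -o -perm -002 \) |
        while IFS= read -r w; do echo "WRITABLE ${w#"$root"/}"; done
}

# Constructed sample tree (UIDs and modes are illustrative).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/byuid" "$demo/byport"
echo '0.0.0.0/0:1,1023' > "$demo/byuid/2000"      # method 1: all privileged ports
printf '0.0.0.0/0:80,80\n0.0.0.0/0:443,443\n' > "$demo/byuid/2001"  # narrowed
touch "$demo/byport/80" "$demo/byport/443"         # method 3: per-port files
chmod 700 "$demo"/byuid/*
chmod 500 "$demo/byport/80"
chmod 526 "$demo/byport/443"                        # deliberately mis-set mode
audit_authbind "$demo" "80 443"
```

On a real host the call would be audit_authbind /etc/authbind "80 443", run as a user who can read the grant files.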

For the changes to take effect, Tomcat has to be restarted:

sudo /etc/init.d/tomcat6 restart

To see if there is any error, the tomcat log can be consulted:

less -S /var/log/tomcat6/catalina.out

The whole script

Here is the whole script which automates all this:

sudo yum -y install tomcat6 tomcat6-admin-webapps gcc
sudo sed -i 's/port\=\"8080\"/port\=\"80\"/' /etc/tomcat6/server.xml
sudo sed -i 's/port\=\"8443\"/port\=\"443\"/' /etc/tomcat6/server.xml
sudo sed -i 's/TOMCAT_SCRIPT=\"\/usr\/sbin\/tomcat6\"/TOMCAT_SCRIPT=\"exec authbind --deep \/usr\/sbin\/tomcat6\"/' /etc/init.d/tomcat6
sudo sed -i '$ a\CATALINA_OPTS=\"-Djava\.net\.preferIPv4Stack=true\"\n' /etc/tomcat6/tomcat6.conf
cd ~
fetch http://ftp.debian.org/debian/pool/main/a/authbind/authbind_2.1.1.tar.gz
tar xvzf authbind_2.1.1.tar.gz
cd authbind-2.1.1
make
sudo make install
sudo touch /etc/authbind/byport/80
sudo chmod 500 /etc/authbind/byport/80
sudo chown tomcat /etc/authbind/byport/80
sudo touch /etc/authbind/byport/443
sudo chmod 500 /etc/authbind/byport/443
sudo chown tomcat /etc/authbind/byport/443
sudo /sbin/chkconfig --levels 235 tomcat6 on
sudo /etc/init.d/tomcat6 restart
cd ~
Time: 2024-12-19 10:53:58
