How to run Tomcat without root privileges? (Using Tomcat on port 80 as a regular user)


1. The best way is to use jsvc, available as part of the commons-daemon project. jsvc starts as root, binds the privileged ports, and then drops to the unprivileged user given with its -user option (typically tomcat) before Catalina runs, so no root process stays around after startup. Tomcat ships bin/daemon.sh and the commons-daemon-native.tar.gz sources in its bin directory for exactly this purpose.



2. One way is to put Apache httpd with mod_jk (or mod_proxy_ajp / mod_proxy_http) in front of your Tomcat servers, and use ports >= 1024 in the Tomcat(s). httpd binds port 80/443 and forwards requests to Tomcat's unprivileged port. However, if httpd is not needed for some other reason, this is the most inefficient approach.



3. Another method is to use a SetUID wrapper (assuming you have the capability to install one) to do this. Here's how I do it.

Create a file called tmp.c with this content (replace "/path/startupscript" with the Tomcat startup script):

    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>

    int main( int argc, char *argv[] ) {
        /* Become root for real; without this the shell below runs as the caller. */
        if ( setuid( 0 ) != 0 ) {
            perror( "setuid() error" );
            return 1;
        }
        printf( "Starting Tomcat\n" );
        /* The argument list must be terminated by a NULL pointer, not a bare 0. */
        execl( "/bin/sh", "sh", "/path/startupscript", (char *)NULL );
        /* Only reached if execl() failed. */
        perror( "execl() error" );
        return 1;
    }

Run the following as root (replacing tmp with whatever you want the wrapper binary to be called and replacing XXXXX with whatever group you want to be able to start and stop Tomcat):

    gcc tmp.c -o tmp
    chown root:XXXXX tmp
    chmod ugo-rwx tmp
    chmod u+rwxs,g+rx tmp

Now members of the XXXXX group should be able to start and stop Tomcat. One caveat though: you need to ensure that your Tomcat startup script, the directory it lives in and every file it sources (for example setenv.sh) are not writable by anyone other than root, otherwise your users will be able to insert commands into the script and have them run as root (a very big security hole). A second caveat: the wrapper above passes the caller's environment straight to a root shell, and scripts such as catalina.sh honour variables like CATALINA_HOME, CATALINA_BASE, JAVA_HOME and PATH, so a caller who can set those can point the root shell at files they control. A hardened wrapper should exec the script with a fixed environment and check the script's ownership and permissions before running it.



4. Another way is to use iptables to redirect ports 80 and 443 to user ports (>1024):

* /sbin/iptables -A FORWARD -p tcp --destination-port 443 -j ACCEPT

* /sbin/iptables -t nat -A PREROUTING -j REDIRECT -p tcp --destination-port 443 --to-ports 8443

* /sbin/iptables -A FORWARD -p tcp --destination-port 80 -j ACCEPT

* /sbin/iptables -t nat -A PREROUTING -j REDIRECT -p tcp --destination-port 80 --to-ports 8080

Two things to check. First, the REDIRECT happens in PREROUTING, before the INPUT chain filters the packet, so any INPUT rules must accept the redirected ports (8080 and 8443), not just 80 and 443; the FORWARD rules above only matter if the host also forwards traffic for other machines. Second, PREROUTING never sees packets generated on the host itself, so a test such as curl http://localhost/ from the same box will not be redirected; add the same REDIRECT to the nat OUTPUT chain for the loopback interface (iptables -t nat -A OUTPUT -o lo -p tcp --dport 80 -j REDIRECT --to-ports 8080) if you need that.

Then persist the rules so they survive a reboot: /sbin/iptables-save (redirecting its output to your distribution's rules file) or, on older Red Hat style systems, /etc/init.d/iptables save.



BSD-based Unix systems such as Mac OS X use a tool similar to iptables, called ipfw (for Internet Protocol Fire Wall). This tool is similar in that it watches all network packets go by and can apply rules to affect those packets, such as port-forwarding from port 80 to some other port such as Tomcat's default 8080. The syntax of the rules is different from iptables, but the idea is the same. For more info, search the web and read the man page. Note that ipfw was deprecated in OS X 10.7 and removed in 10.10, where pf (with an rdr rule) does the same job. Here is one possible ipfw rule to do the port-forwarding:

sudo ipfw add 100 fwd 127.0.0.1,8080 tcp from any to any 80 in


5. Yet another way is to use authbind (packaged by Debian-based distributions and buildable on others), which allows a program that would normally require superuser privileges to bind privileged ports to run as a non-privileged user. It works by preloading a shared library into the Java process that intercepts bind() and hands the privileged bind to a small setuid helper, which only allows it if a permission file for that port exists under /etc/authbind (for example /etc/authbind/byport/80, owned by and executable for the Tomcat user). Older authbind releases (before 2.0) handle only IPv4, so Tomcat may need -Djava.net.preferIPv4Stack=true with them. The article at http://java-notes.com/index.php/installing-tomcat-with-http-port-80-on-linux discusses how to install and configure the authbind package with Tomcat 6.0 on Linux.

Time: 2024-10-05 20:24:19
