Thread: Bind to port 80 without root

  1. #1

    Bind to port 80 without root

    I am trying to set up a tomcat server that binds to port 80 without having to run as root. It is currently set up, and starts automatically on boot.

    The issue is that the app running on Tomcat produces a lot of files that people download via FTP. These people need root to be able to download them, and that is a bad idea since they do not otherwise need root.

    Is there a way to run on port 80 as a normal user (why is it required to run as root for well known ports?) or force tomcat to save those files as something other than root?

  2. #2

    Re: Bind to port 80 without root

    It's part of the Unix networking API. Only superuser processes can bind to ports under 1024. This is so that other machines have a little assurance that a privileged account is offering a service on a port below 1024, though that is less important now.

    Normally to run as a normal user and yet use a low port, the process starts off as root but drops privilege after opening the listening socket. This is what apache does, it runs as a non-root after starting. I don't know if tomcat can do this.

    Another way is to run tomcat on a high port and use apache to forward port 80 to it. It can also be done using an iptables forwarding rule.

  3. #3

    Re: Bind to port 80 without root

    On Thu, 2009-09-17 at 17:56 +0000, vilanye wrote:
    > I am trying to set up a tomcat server that binds to port 80 without
    > having to run as root. It is currently set up, and starts automatically
    > on boot.
    >
    > The issue is that the app running on Tomcat produces a lot of files
    > that people download via FTP. These people need root to be able to
    > download them, and that is a bad idea since they do not otherwise need
    > root.
    >
    > Is there a way to run on port 80 as a normal user (why is it required to
    > run as root for well known ports?) or force tomcat to save those files
    > as something other than root?


    Smart apps establish what they need as root and then drop privs to a
    normal user account.

    Also, role based mechanisms like selinux might allow you to do something
    like this.



  4. #4

    Re: Bind to port 80 without root

    Quote Originally Posted by ken_yap
    > It's part of the Unix networking API. Only superuser processes can bind to ports under 1024. This is so that other machines have a little assurance that a privileged account is offering a service on a port below 1024, though that is less important now.
    >
    > Normally to run as a normal user and yet use a low port, the process starts off as root but drops privilege after opening the listening socket. This is what apache does, it runs as a non-root after starting. I don't know if tomcat can do this.
    >
    > Another way is to run tomcat on a high port and use apache to forward port 80 to it. It can also be done using an iptables forwarding rule.

    Personally I would favour the iptables route. Have used this method many times with success.

    Also maybe worth considering that Apache can act as a proxy to tomcat via port 8009 and the mod_ajp and mod_proxy modules. This means that tomcat only needs to be listening on port 8009 and forces end users to go via Apache on port 80/443 to access your tomcat app.

    hth
    J
    Linux# makes_a_network_feel_good.sh

    Linux and BSD solutions
