Bind to port 80 without root

I am trying to set up a tomcat server that binds to port 80 without having to run as root. It is currently set up, and starts automatically on boot.

The issue is that the app running on Tomcat produces a lot of files that people download via FTP. These people need root to be able to download them, and that is a bad idea since they do not otherwise need root.

Is there a way to run on port 80 as a normal user (why is it required to run as root for well known ports?) or force tomcat to save those files as something other than root?

It’s part of the Unix networking API. Only superuser processes can bind to ports under 1024. This is so that other machines have a little assurance that a privileged account is offering a service on a port below 1024, though that is less important now.

Normally to run as a normal user and yet use a low port, the process starts off as root but drops privilege after opening the listening socket. This is what Apache does; it runs as a non-root user after starting. I don’t know if tomcat can do this.

Another way is to run tomcat on a high port and use apache to forward port 80 to it. It can also be done using an iptables forwarding rule.

On Thu, 2009-09-17 at 17:56 +0000, vilanye wrote:
> I am trying to set up a tomcat server that binds to port 80 without
> having to run as root. It is currently set up, and starts automatically
> on boot.
>
> The issue is that the app running on Tomcat produces a lot of files
> that people download via FTP. These people need root to be able to
> download them, and that is a bad idea since they do not otherwise
> need root.
>
> Is there a way to run on port 80 as a normal user(why is it required to
> run as root for well known ports?) or force tomcat to save those files
> as something other than root?

Smart apps establish what they need as root and then drop privs to a
normal user account.

Also, role based mechanisms like selinux might allow you to do something
like this.

Personally I would favour the iptables route. Have used this method many times with success.

Also maybe worth considering that Apache can act as a proxy to tomcat via port 8009 and the mod_ajp and mod_proxy modules. This means that tomcat only needs to be listening on port 8009 and forces end users to go via Apache on port 80/443 to access your tomcat app.

hth
J
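The privilege-drop pattern that the first two replies describe (open the low port while still root, then switch to an unprivileged account so that everything the process writes afterwards is owned by that account), shown as an added C example that is not code from this thread or from Tomcat. The account name "tomcat" and port 80 in main() are assumptions for illustration.

```c
#define _GNU_SOURCE
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>

/* Open a listening TCP socket on `port`. Binding below 1024 must happen
 * while the process is still root. Returns the fd, or -1 on error. */
int open_listener(unsigned short port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Permanently drop root to the named account. Order matters: supplementary
 * groups and the gid first (they still need root), then the uid. Returns 0
 * on success, -1 on error. A process that is not root has nothing to drop. */
int drop_privileges(const char *user) {
    if (getuid() != 0 && geteuid() != 0) return 0;
    struct passwd *pw = getpwnam(user);
    if (!pw || pw->pw_uid == 0) return -1;     /* never "drop" to root itself */
    if (setgroups(0, NULL) < 0) return -1;    /* clear inherited group list */
    if (setgid(pw->pw_gid) < 0) return -1;
    if (setuid(pw->pw_uid) < 0) return -1;
    if (setuid(0) == 0) return -1;            /* drop must be irreversible */
    return 0;
}

int main(void) {
    int fd = open_listener(80);   /* assumption: started as root */
    if (fd < 0) { perror("open_listener"); return 1; }
    if (drop_privileges("tomcat") < 0) { perror("drop_privileges"); return 1; }
    /* Files created from here on belong to the "tomcat" user, not root. */
    printf("listening on port 80 as uid %u\n", (unsigned)getuid());
    close(fd);
    return 0;
}
```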