How to run Tomcat without root privileges?

1. The best way is to use jsvc, available as part of the commons-daemon project.

2. One way is to put Apache httpd with mod_jk before your Tomcat servers, and use ports >=1024 in the Tomcat(s). However, if httpd is not needed for some other reason, this is the most inefficient approach.

3. Another method is to use SetUID scripts (assuming you have the capability) to do this. Here's how I do it.

Create a file called foo.c with this content (replace "/path/startupscript" with the tomcat startup script):

#include <unistd.h> #include <stdlib.h>

int main( int argc, char *argv[] ) {

  • if ( setuid( 0 ) != 0 ) perror( "setuid() error" ); printf( "Starting ${APPLICATION}\n" ); execl( "/bin/sh", "sh", "/path/startupscript", 0 ); return 1;

}

Run the following as root (replacing tmp with whatever you want the startup script to be and replacing XXXXX with whatever group you want to be able to start and stop tomcat:

gcc tmp.c -o tmp chown root:XXXXX tmp chmod ugo-rwx tmp chmod u+rwxs,g+rx tmp

Now members of the tomcat group should be able to start and stop tomcat. One caveat though, you need to ensure that that your tomcat startup script is not writable by anyone other than root, otherwise your users will be able to insert commands into the script and have them run as root (very big security hole).

4. - A another way is to use Iptables to redirect Port 80 and 443 to user ports (>1024)

* /sbin/iptables -A FORWARD -p tcp --destination-port 443 -j ACCEPT

* /sbin/iptables -t nat -A PREROUTING -j REDIRECT -p tcp --destination-port 443 --to-ports 8443

* /sbin/iptables -A FORWARD -p tcp --destination-port 80 -j ACCEPT

* /sbin/iptables -t nat -A PREROUTING -j REDIRECT -p tcp --destination-port 80 --to-ports 8080

/sbin/iptables-save or /etc/init.d/iptables save

BSD-based Unix systems such as Mac OS X use a tool similar to iptables, called ipfw (for Internet Protocol Fire Wall). This tool is similar in that it watches all network packets go by, and can apply rules to affect those packets, such as "port-forwarding" from port 80 to some other port such as Tomcat's default 8080. The syntax of the rules is different than iptables, but the same idea. For more info, google and read the man page. Here is one possible rule to do the port-forwarding:

sudo ipfw add 100 fwd 127.0.0.1,8080 tcp from any to any 80 in

5. Yet another way is to use authbind (part of Debian- and CentOS based distributions) which allows a program that would normally require superuser privileges to access privileged network services to run as a non-privileged user. The article at http://java-notes.com/index.php/installing-tomcat-with-http-port-80-on-linux discusses how to install and configure the authbind package with Tomcat 6.0 on Linux.

How to run Tomcat without root privileges? 常规用户使用tomcat的80端口的更多相关文章

  1. Jsvc安装,配置 常规用户使用tomcat的80端口

     Jsvc安装 一.下载安装包,地址如下: http://commons.apache.org/proper/commonsdaemon/download_daemon.cgi 二.安装步骤,参考链接 ...

  2. authbind start tomcat services as user with less that 1024 ports. linux常规用户使用tomcat的80端口

    Start tomcat services using authbind this will allow user to start ports less than 1024 we do not ne ...

  3. linux系统非ROOT用户80端口不能启动tomcat问题的变通办法——通过Iptables端口转发

    2010-07-17 13:21:42 org.apache.tomcat.util.digester.SetPropertiesRule begin 警告: [SetPropertiesRule]{ ...

  4. 详解nginx 配置多个tomcat共用80端口

    场景:项目1放在tomcat1中,项目2放在tomcat2中,两个tomcat放在同一台服务器上,需要共享80端口访问注意:这里和集群部署是不同的,集群部署是一个项目放在多个tomcat中.这里通过n ...

  5. 解决 Tomcat 无法绑定 80 端口的问题,以及 Tomcat 配置虚拟目录、二级域名等

    问题 今天安装完 Tomcat,安装时把 Tomcat 默认的 HTTP/1.1 Connector Port 从 8080 改为了 7080,启动 Tomcat,在浏览器中输入 Http://loc ...

  6. 如何以非 root 用户将应用绑定到 80 端口-ssh 篇

    有时想以普通用户身份让应用跑在80端口?? linux下1024以下端口只有root用户才能bind,那怎样才能以普通用户身份绑定到80端口呢? 参考: http://stackoverflow.co ...

  7. 如何自定义Tomcat Realm实现我们的用户认证需求

    导读 Tomcat对于J2EE或Java web开发者而言绝不陌生,但说到Realm,可能有些人不太清楚甚至没有听说过,那么到底什么是Realm?简单一句话就是:Realm是Tomcat中为web应用 ...

  8. Please read “Security” section of the manual to find out how to run mysqld as root!错误解决(转)

    2016-03-12T15:40:45.717762Z 0 [Warning] TIMESTAMP with implicit DEFAULT value is deprecated. Please ...

  9. 在系统下文件上传报错:The temporary upload location [/tmp/tomcat.xxx/work/Tomcat/localhost/ROOT] is not valid

    线上的系统中长时间不访问时不能上传文件了,出现如下错误: 2019-03-11 23:37:42.741 ERROR 66505 --- [nio-8081-exec-3] o.a.c.c.C.[.[ ...

随机推荐

  1. 【转】在ASP.NET MVC中,使用Bundle来打包压缩js和css

    在ASP.NET MVC4中(在WebForm中应该也有),有一个叫做Bundle的东西,它用来将js和css进行压缩(多个文件可以打包成一个文件),并且可以区分调试和非调试,在调试时不进行压缩,以原 ...

  2. 一、spark 数据类型(Data Types)

    Data Types - MLlib(数据类型)       MLlib支持存储在单机上的局部向量和局部矩阵,也可以支持通过一个或多个RDD(可伸缩数据集)表示的分布式矩阵.局部向量和局部矩阵是用作公 ...

  3. C++编程规范之12:懂得何时和如何进行并发性编程

    摘要: 如果应用程序使用了多个线程或者进程,应该知道如何尽量减少共享对象,以及如何安全地共享必须共享的对象. 在多线程和并发编程中最重要的是要避免死锁.活锁和恶性的竞争条件. 在编写多线程程序时要注意 ...

  4. 文件上传插件Uploadify在Struts2中的应用,完整详细实例

    —>最近由于项目需要使用到一个上传插件,在网上发现uploadify挺不错,所以决定使用它,但是官网文档和例子是php的,而项目是SSI框架的,所以自己对uploadify在struts2中的使 ...

  5. 使用 AtomicInteger 进行计数(java多线程优化)

    通常,在我们实现多线程使用的计数器或随机数生成器时,会使用锁来保护共享变量.这样做的弊端是如果锁竞争的太厉害,会损害吞吐量,因为竞争的同步非常昂贵. volatile 变量虽然可以使用比同步更低的成本 ...

  6. C语言--对数组地址的解析

    在C编程中,我们进程会用到数组,这看起来很简单,因为,数组就是存储相同类型元素的集合嘛,不过,当你还没考虑到数组的地址问题时,一切都是简单的,如果你接触了数组中的地址概念,也许你会改变你的想法. 下面 ...

  7. 获取当前位置信息-ios

    locationManager= [[CLLocationManager alloc] init];//位置管理器 locationManager.desiredAccuracy = kCLLocat ...

  8. 将16进制颜色转换成UIColor-ios

    -(UIColor *) hexStringToColor: (NSString *) stringToConvert { NSString *cString = [[stringToConvert ...

  9. 一个安全测试的CheckList

    转自:http://hi.baidu.com/dontcry/item/90c2bc466558c217886d1075 不登录系统,直接输入登录后的页面的URL是否可以访问: 不登录系统,直接输入下 ...

  10. Hadoop基本概念

    一个分布式系统基础架构,由Apache基金会开发.用户可以在不了解分布式底层细节的情况下,开发分布式程序.充分利用集群的威力高速运算和存储.Hadoop实现了一个分布式文件系统(Hadoop Dist ...