How to run Tomcat without root privileges? Using Tomcat's port 80 as a regular user
1. The best way is to use jsvc, available as part of the commons-daemon project.
2. One way is to put Apache httpd with mod_jk before your Tomcat servers, and use ports >=1024 in the Tomcat(s). However, if httpd is not needed for some other reason, this is the most inefficient approach.
3. Another method is to use SetUID scripts (assuming you have the capability) to do this. Here's how I do it.
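Create a file called tmp.c with this content (replace "/path/startupscript" with the Tomcat startup script):

    #include <stdio.h>
    #include <unistd.h>
    #include <stdlib.h>

    int main( int argc, char *argv[] ) {
        /* Set the real UID to root as well; some shells drop privileges
           when the real and effective UIDs differ. */
        if ( setuid( 0 ) != 0 ) {
            perror( "setuid() error" );
            return 1;   /* do not run the script without the expected identity */
        }
        printf( "Starting ${APPLICATION}\n" );
        /* The argument list must end with a null pointer of type char *. */
        execl( "/bin/sh", "sh", "/path/startupscript", (char *)NULL );
        perror( "execl() error" );   /* reached only if execl() failed */
        return 1;
    }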
Run the following as root (replacing tmp with whatever you want the startup wrapper to be called, and XXXXX with the group that should be able to start and stop Tomcat):

    gcc tmp.c -o tmp
    chown root:XXXXX tmp
    chmod ugo-rwx tmp
    chmod u+rwxs,g+rx tmp

Now members of the tomcat group (the group given as XXXXX above) should be able to start and stop Tomcat. One caveat, though: you need to ensure that your Tomcat startup script is not writable by anyone other than root, otherwise your users will be able to insert commands into the script and have them run as root (a very big security hole).
4. Another way is to use iptables to redirect ports 80 and 443 to user ports (>1024):

    /sbin/iptables -A FORWARD -p tcp --destination-port 443 -j ACCEPT
    /sbin/iptables -t nat -A PREROUTING -j REDIRECT -p tcp --destination-port 443 --to-ports 8443
    /sbin/iptables -A FORWARD -p tcp --destination-port 80 -j ACCEPT
    /sbin/iptables -t nat -A PREROUTING -j REDIRECT -p tcp --destination-port 80 --to-ports 8080

Save the rules: /sbin/iptables-save or /etc/init.d/iptables save
BSD-based Unix systems such as Mac OS X use a tool similar to iptables, called ipfw (for Internet Protocol Fire Wall). This tool is similar in that it watches all network packets go by, and can apply rules to affect those packets, such as "port-forwarding" from port 80 to some other port such as Tomcat's default 8080. The syntax of the rules is different than iptables, but the same idea. For more info, google and read the man page. Here is one possible rule to do the port-forwarding:
sudo ipfw add 100 fwd 127.0.0.1,8080 tcp from any to any 80 in
5. Yet another way is to use authbind (part of Debian- and CentOS-based distributions), which allows a program that would normally require superuser privileges to access privileged network services to run as a non-privileged user. The article at http://java-notes.com/index.php/installing-tomcat-with-http-port-80-on-linux discusses how to install and configure the authbind package with Tomcat 6.0 on Linux.
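The caveat in method 3 (the startup script must not be writable by anyone other than root) can be enforced by the wrapper itself before it calls execl(). The following is an added example, not code from the original page: it refuses a script unless the script and every directory above it are owned by the expected user and not writable by group or other. The function names are hypothetical, and /path/startupscript is the page's placeholder.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <limits.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if path is owned by owner and not writable by group or other.
 * lstat() judges a symlink as the link itself, and symlinks are rejected. */
int path_is_locked_down(const char *path, uid_t owner)
{
    struct stat st;

    if (lstat(path, &st) != 0)
        return 0;
    if (S_ISLNK(st.st_mode) || st.st_uid != owner)
        return 0;
    return (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Checks the script and every ancestor directory up to "/": write access to
 * any ancestor lets a user rename it and put their own script in its place.
 * If every component passes, only `owner` can change what gets executed. */
int script_chain_is_locked_down(const char *script, uid_t owner)
{
    char buf[PATH_MAX];
    char *slash;

    if (script[0] != '/' || strlen(script) >= sizeof buf)
        return 0;                        /* absolute paths only */
    strcpy(buf, script);
    for (;;) {
        if (!path_is_locked_down(buf, owner)) return 0;
        if (strcmp(buf, "/") == 0) return 1;
        slash = strrchr(buf, '/');       /* strip the last path component */
        if (slash == buf) buf[1] = '\0'; else *slash = '\0';
    }
}

int main(void)
{
    const char *script = "/path/startupscript";   /* placeholder from the page */
    int ok = script_chain_is_locked_down(script, 0);

    printf("%s: %s\n", script, ok ? "locked down" : "NOT safe to run as root");
    return ok ? 0 : 1;
}
```

Because symlinks are rejected, pass the canonical path of the script; an install that sits behind a symlink fails the check rather than being followed.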