  • How to run Tomcat without root privileges? Using Tomcat's port 80 as a regular user

    How to run Tomcat without root privileges?

    1. The best way is to use jsvc, available as part of the commons-daemon project.


    2. One way is to put Apache httpd with mod_jk before your Tomcat servers, and use ports >=1024 in the Tomcat(s). However, if httpd is not needed for some other reason, this is the most inefficient approach.


    3. Another method is to use SetUID scripts (assuming you have the capability) to do this. Here's how I do it.

    Create a file called foo.c with this content (replace "/path/startupscript" with the tomcat startup script):

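    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>

    int main( int argc, char *argv[] ) {
        /* Become root; this only works once the binary is installed setuid root. */
        if ( setuid( 0 ) != 0 ) perror( "setuid() error" );
        printf( "Starting ${APPLICATION}\n" );
        fflush( stdout );  /* execl() replaces the process image, so flush first */
        /* Run the startup script; the argument list must end with a null pointer. */
        execl( "/bin/sh", "sh", "/path/startupscript", (char *)NULL );
        return 1;  /* only reached if execl() failed */
    }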

    Run the following as root (replacing tmp with whatever you want the startup script to be and replacing XXXXX with whatever group you want to be able to start and stop Tomcat):

    gcc tmp.c -o tmp
    chown root:XXXXX tmp
    chmod ugo-rwx tmp
    chmod u+rwxs,g+rx tmp

    Now members of the tomcat group should be able to start and stop Tomcat. One caveat, though: you need to ensure that your Tomcat startup script is not writable by anyone other than root, otherwise your users will be able to insert commands into the script and have them run as root (a very big security hole).


    4. Another way is to use iptables to redirect ports 80 and 443 to user ports (>1024):

    * /sbin/iptables -A FORWARD -p tcp --destination-port 443 -j ACCEPT

    * /sbin/iptables -t nat -A PREROUTING -j REDIRECT -p tcp --destination-port 443 --to-ports 8443

    * /sbin/iptables -A FORWARD -p tcp --destination-port 80 -j ACCEPT

    * /sbin/iptables -t nat -A PREROUTING -j REDIRECT -p tcp --destination-port 80 --to-ports 8080

    /sbin/iptables-save or /etc/init.d/iptables save


    BSD-based Unix systems such as Mac OS X use a tool similar to iptables, called ipfw (for Internet Protocol Fire Wall). This tool is similar in that it watches all network packets go by, and can apply rules to affect those packets, such as "port-forwarding" from port 80 to some other port such as Tomcat's default 8080. The syntax of the rules is different than iptables, but the same idea. For more info, google and read the man page. Here is one possible rule to do the port-forwarding:

    sudo ipfw add 100 fwd 127.0.0.1,8080 tcp from any to any 80 in

    5. Yet another way is to use authbind (part of Debian- and CentOS-based distributions), which allows a program that would normally require superuser privileges to access privileged network services to run as a non-privileged user. The article at http://java-notes.com/index.php/installing-tomcat-with-http-port-80-on-linux discusses how to install and configure the authbind package with Tomcat 6.0 on Linux.

     

  • Original article: https://www.cnblogs.com/timssd/p/5628175.html