...
Another method is to use SetUID scripts (assuming you have the capability) to do this. Here's how I do it.
Create a file called foo.c
with this content (replace "/path/startupscript" with the tomcat startup script):
Code Block | ||||
---|---|---|---|---|
| ||||
#include <unistd.h> #include <stdlib.h> |
...
Wiki Markup |
---|
int main( int argc, char \*argv\[\] ) \{ if ( setuid( 0 ) != 0 ) { perror( "setuid() error" ); return 1; } printf( "Starting ${APPLICATION}\n" ); execl( "/bin/sh", "sh", "/path/startupscript", 0 ); return |
...
0; |
...
} |
Run the following as root (replacing tmp with whatever you want the startup script to be and replacing XXXXX with whatever group you want to be able to start and stop tomcat:
Code Block |
---|
gcc tmp.c -o tmp chown root:XXXXX tmp chmod ugo-rwx tmp chmod u+rwxs,g+rx tmp |
Now members of the tomcat group should be able to start and stop tomcat. One caveat though, you need to ensure that that your tomcat startup script is not writable by anyone other than root, otherwise your users will be able to insert commands into the script and have them run as root (very big security hole).
...
An other way is to use Iptables to redirect Port 80 and 443 to user ports (>1024)
Code Block |
---|
/sbin/iptables -A FORWARD -p tcp --destination-port 443 -j ACCEPT |
...
/sbin/iptables -t nat -A PREROUTING -j REDIRECT -p tcp --destination-port 443 --to-ports 8443 |
...
/sbin/iptables -A FORWARD -p tcp --destination-port 80 -j ACCEPT |
...
/sbin/iptables -t nat -A PREROUTING -j REDIRECT -p tcp --destination-port 80 --to-ports 8080 |
...
/sbin/iptables-save or /etc/init.d/iptables save |
If you'd like "localhost:443" to also redirect to "localhost:8443", you'll need this command as well:
Code Block |
---|
/sbin/iptables -t nat -A OUTPUT -p tcp -o lo -destination-port 443 -j REDIRECT --to-ports 8443 |
Also note that if you have existing rules defined in your chains, you will need to make sure that the rules above are not ruled-out by another rule when using -A to add the above rules. For example, if you have an existing FORWARD rule that says "-j REJECT" than adding the FORWARD rule after it will have no effect.
...
BSD-based Unix systems such as Mac OS X use a tool similar to iptables, called ipfw (for Internet Protocol Fire Wall). This tool is similar in that it watches all network packets go by, and can apply rules to affect those packets, such as "port-forwarding" from port 80 to some other port such as Tomcat's default 8080. The syntax of the rules is different than iptables, but the same idea. For more info, google and read the man page. Here is one possible rule to do the port-forwarding:
No Formatcode |
---|
sudo ipfw add 100 fwd 127.0.0.1,8080 tcp from any to any 80 in |
...
Yet another way is to use authbind package (part of Debian- and CentOS based distributions) which allows a program that would normally require superuser privileges to access privileged network services to run as a non-privileged user. The article at http://java-notes.com/index.php/installing-tomcat-with-http-port-80-on-linux discusses how to install and configure the authbind package with Tomcat 6.0 on Linux.
How to create native launchers for Tomcat
...