Versions Compared

Old Version 165

changes.mady.by.user Konstantin Kolinko

Saved on

compared with

New Version 166

changes.mady.by.user Konstantin Kolinko

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Fix formatting. Remove a broken link.

...

Another method is to use SetUID scripts (assuming you have the capability) to do this. Here's how I do it.

Create a file called foo.c with this content (replace "/path/startupscript" with the tomcat startup script):

Code Block
languagecpp
titlefoo.c
#include <unistd.h>
#include <stdlib.h>

...

Wiki Markup

int main( int argc, char \*argv\[\] ) \{
  if ( setuid( 0 ) != 0 ) {
    perror( "setuid() error" );
    return 1;
  }
  printf( "Starting ${APPLICATION}\n" );
  execl( "/bin/sh", "sh", "/path/startupscript", 0 );
  return

...

 0;

...


}

Run the following as root (replacing tmp with whatever you want the startup script to be and replacing XXXXX with whatever group you want to be able to start and stop tomcat:

Code Block
gcc tmp.c -o tmp
chown root:XXXXX tmp
chmod ugo-rwx tmp
chmod u+rwxs,g+rx tmp

Now members of the tomcat group should be able to start and stop tomcat. One caveat though, you need to ensure that that your tomcat startup script is not writable by anyone other than root, otherwise your users will be able to insert commands into the script and have them run as root (very big security hole).

...

An other way is to use Iptables to redirect Port 80 and 443 to user ports (>1024)

Code Block
/sbin/iptables -A FORWARD -p tcp --destination-port 443 -j ACCEPT

...


/sbin/iptables -t nat -A PREROUTING -j REDIRECT -p tcp --destination-port 443 --to-ports 8443

...


/sbin/iptables -A FORWARD -p tcp --destination-port 80 -j ACCEPT

...


/sbin/iptables -t nat -A PREROUTING -j REDIRECT -p tcp --destination-port 80 --to-ports 8080

...


/sbin/iptables-save or /etc/init.d/iptables save

If you'd like "localhost:443" to also redirect to "localhost:8443", you'll need this command as well:

Code Block
/sbin/iptables -t nat -A OUTPUT -p tcp -o lo -destination-port 443 -j REDIRECT --to-ports 8443

Also note that if you have existing rules defined in your chains, you will need to make sure that the rules above are not ruled-out by another rule when using -A to add the above rules. For example, if you have an existing FORWARD rule that says "-j REJECT" than adding the FORWARD rule after it will have no effect.

...

BSD-based Unix systems such as Mac OS X use a tool similar to iptables, called ipfw (for Internet Protocol Fire Wall). This tool is similar in that it watches all network packets go by, and can apply rules to affect those packets, such as "port-forwarding" from port 80 to some other port such as Tomcat's default 8080. The syntax of the rules is different than iptables, but the same idea. For more info, google and read the man page. Here is one possible rule to do the port-forwarding:

No Formatcode

sudo ipfw add 100 fwd 127.0.0.1,8080 tcp from any to any 80 in


...

Yet another way is to use authbind package (part of Debian- and CentOS based distributions) which allows a program that would normally require superuser privileges to access privileged network services to run as a non-privileged user. The article at http://java-notes.com/index.php/installing-tomcat-with-http-port-80-on-linux discusses how to install and configure the authbind package with Tomcat 6.0 on Linux.

How to create native launchers for Tomcat

...