CopyDisable

Friday 7 June 2013

Running tomcat as a normal user on port 80

I had to run Tomcat on port 80 as a non-root user, but non-root users cannot bind to port numbers lower than 1024 on Linux, so I was not able to start Tomcat as a normal user after changing the HTTP connector port to 80. Web servers like Apache normally run one process as root, which binds port 80, while the other Apache processes run as the normal www-data user. The way around this was to use the authbind Linux utility (bind sockets to privileged ports without root).

For this example I am using Ubuntu 12.04, Tomcat 7 and Oracle jdk1.6.0_45.

I will create a user called tomcat and run the Tomcat server as that user.

Creating the user tomcat:

useradd -d /app/tomcat tomcat

I have deployed Tomcat in the /app/tomcat directory and created the user with /app/tomcat as its home directory (the home directory does not have to be the Tomcat directory, but make sure the user has read/write access to the Tomcat directory).

Change ownership of the /app/tomcat folder:

chown -R tomcat:tomcat /app/tomcat

Now install authbind:

apt-get install authbind

Access to low-numbered ports is controlled by the permissions and contents of files in a configuration area, /etc/authbind.

I will create an empty file named 80 inside the byport folder of the authbind config directory /etc/authbind. The permissions on this 80 file decide who is allowed to bind port 80:

touch /etc/authbind/byport/80
chmod 500 /etc/authbind/byport/80
chown tomcat /etc/authbind/byport/80

Since I want to run the Tomcat server as the tomcat user on port 80, I gave the tomcat user access to this 80 file.
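As an added example (not part of the original post), here is a small POSIX sh check that verifies a byport grant set up the way this post does it, before the init script relies on it. It assumes the /etc/authbind/byport/<port> layout and GNU stat (coreutils, as on Ubuntu); against a real system run it as root with the tomcat user's numeric uid, e.g. authbind_grant_ok /etc/authbind 80 "$(id -u tomcat)".

```shell
#!/bin/sh
# Added example (not from the original post): check an authbind port grant
# before relying on it. Assumes the layout authbind consults, CONFDIR/byport/PORT,
# and GNU stat (coreutils, as on Ubuntu). UID is numeric, e.g. "$(id -u tomcat)".

# authbind_grant_ok CONFDIR PORT UID
# Returns 0 when CONFDIR/byport/PORT exists, is owned by UID, is executable
# by its owner (the bit authbind tests) and is writable by nobody else
# (a group- or world-writable grant could be widened by any local user).
authbind_grant_ok() {
    f="$1/byport/$2"; uid=$3
    [ -f "$f" ] || { echo "no grant: $f does not exist"; return 1; }
    owner=$(stat -c %u "$f")
    mode=$(stat -c %a "$f")             # octal, e.g. 500
    [ "$owner" = "$uid" ] || { echo "$f is owned by uid $owner, not $uid"; return 1; }
    [ $(( 0$mode & 0100 )) -ne 0 ] || { echo "$f is not executable by its owner"; return 1; }
    [ $(( 0$mode & 0022 )) -eq 0 ] || { echo "$f is group/world writable"; return 1; }
    return 0
}

# Constructed sandbox standing in for /etc/authbind, so the check can run
# without root: a correct grant for 80 (touch + chmod 500, as in the post)
# next to two misconfigured ones. Prints the sandbox path.
demo_sandbox() {
    d=$(mktemp -d)
    mkdir -p "$d/byport"
    touch "$d/byport/80";   chmod 500 "$d/byport/80"    # usable grant
    touch "$d/byport/443";  chmod 400 "$d/byport/443"   # readable, not executable
    touch "$d/byport/8080"; chmod 777 "$d/byport/8080"  # world writable
    echo "$d"
}

# Stand-alone run: report each port of the sandbox for the current user.
sandbox=$(demo_sandbox)
for p in 80 443 8080 22; do
    if authbind_grant_ok "$sandbox" "$p" "$(id -u)"; then
        echo "port $p: grant OK"
    fi
done
```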

Now I am going to add the following JVM option to the catalina.sh file via JAVA_OPTS:

-Djava.net.preferIPv4Stack=true


On a dual-stack machine the JVM prefers the IPv6 stack by default. Our preference is IPv4, since authbind 1.2 (the version shipped in Ubuntu 12.04) only intercepts IPv4 binds, so this is set through the option -Djava.net.preferIPv4Stack=true.

Now I will write the init.d script for Tomcat, which uses authbind to run the Tomcat server as the non-root tomcat user.

/etc/init.d/tomcat file:

#!/bin/sh
# /etc/init.d/tomcat: start, stop and query Tomcat as the unprivileged
# tomcat user, wrapped in authbind so that it can bind port 80.
CATALINA_HOME="/app/tomcat"

# PID of the first process whose command line mentions CATALINA_HOME
# (the Tomcat JVM); prints nothing when Tomcat is not running.
tomcat_pid() {
    ps -ef | grep "$CATALINA_HOME" | grep -v grep | awk '{print $2}' | head -n 1
}

case "$1" in
start)
    tomcat_id=$(tomcat_pid)
    if [ -n "$tomcat_id" ]
    then
        echo "Tomcat is already running with PID: $tomcat_id"
    else
        echo "Starting tomcat from $CATALINA_HOME"
        # --deep keeps authbind active in the JVM that startup.sh spawns
        sudo -u tomcat authbind --deep "$CATALINA_HOME/bin/startup.sh"
    fi
    ;;
stop)
    tomcat_id=$(tomcat_pid)
    if [ -n "$tomcat_id" ]
    then
        echo "Stopping tomcat from $CATALINA_HOME"
        sudo -u tomcat authbind --deep "$CATALINA_HOME/bin/shutdown.sh"
    else
        echo "Tomcat is not running"
    fi
    ;;
status)
    tomcat_id=$(tomcat_pid)
    if [ -n "$tomcat_id" ]
    then
        echo "Tomcat is running with PID: $tomcat_id"
    else
        echo "Tomcat is not running"
    fi
    ;;
*)
    echo "usage: $0 {start|stop|status}"
    exit 3
    ;;
esac


We can start and stop tomcat using:

service tomcat start

service tomcat stop

To start Tomcat automatically at system reboot, run as root:

update-rc.d tomcat defaults

That's it. The same process can be used to run the GlassFish server as a non-root user on port 80.