authbind: start Tomcat services as an unprivileged user on ports below 1024. Using port 80 for Tomcat as a regular Linux user
Starting Tomcat through authbind lets an unprivileged user bind ports below 1024, so no port redirection or iptables rule is needed. First install the authbind package:
apt-get install authbind -y
Set the permissions on the authbind configuration directory; here group is the group of the user that will run Tomcat:
chmod -R 755 /etc/authbind
chown -Rh root:group /etc/authbind
Then create the per-user authorisation file in the byuid directory. The file is named after the numeric user id and lists the address range and port range that user may bind. As an example, assume the user id is 2000 (substitute your own uid):
cd /etc/authbind/byuid
echo '0.0.0.0/0:1,1023' > 2000
That file should be owned by the user and their group (user and group below stand for the Tomcat account and its group):
chown user:group 2000
chmod 700 2000
Add the following line to the Tomcat startup file $CATALINA_BASE/startup.sh:
export JAVA_OPTS="$JAVA_OPTS -Djava.net.preferIPv4Stack=true"
To start Tomcat through authbind from the service startup.sh, comment out the direct call:
#$CATALINA_HOME/bin/startup.sh
and add these two lines at the end of the file:
AUTHBIND_COMMAND="/usr/bin/authbind --deep /bin/bash -c "
$AUTHBIND_COMMAND $CATALINA_HOME/bin/startup.sh
Now you should be able to start the Tomcat service as an unprivileged user on ports below 1024.
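Two helpers for the byuid files used above, added here as an example (they are not part of the original post). The first prints a byuid line of the form addr/len:min,max and refuses ranges outside 1..1023, which is the only range authbind has to grant; the second parses an existing file and reports whether a given port is covered, which is a useful pre-flight check before starting Tomcat. It also shows the narrower alternative to the post's 1,1023 grant: one line per port actually needed. The temp directory and file names are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the original post): helpers for authbind byuid
# files.  Each line has the form addr/len:min,max (the post writes
# 0.0.0.0/0:1,1023 into the file named after uid 2000).

# authbind_byuid_entry CIDR MIN MAX
#   Print a byuid line granting ports MIN..MAX on CIDR.  Only 1..1023 is
#   accepted: ports above 1023 can be bound without authbind anyway, and a
#   narrow range (e.g. 80,80) is the least-privilege choice.
authbind_byuid_entry() {
    cidr=$1; min=$2; max=$3
    for n in "$min" "$max"; do
        case "$n" in
            ''|*[!0-9]*) echo "port '$n' is not numeric" >&2; return 2 ;;
        esac
    done
    if [ "$min" -lt 1 ] || [ "$max" -gt 1023 ] || [ "$min" -gt "$max" ]; then
        echo "range must satisfy 1 <= min <= max <= 1023" >&2
        return 2
    fi
    printf '%s:%s,%s\n' "$cidr" "$min" "$max"
}

# authbind_port_allowed FILE PORT
#   Exit 0 if some addr/len:min,max line in FILE covers PORT, 1 if none
#   does, 2 on unusable input.  Blank lines, '#' comments and lines that are
#   not in min,max form are skipped.
authbind_port_allowed() {
    file=$1; port=$2
    case "$port" in
        ''|*[!0-9]*) echo "port '$port' is not numeric" >&2; return 2 ;;
    esac
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        range=${line##*:}                  # text after the last ':' -> min,max
        [ "$range" != "$line" ] || continue
        min=${range%%,*}
        max=${range#*,}
        [ "$max" != "$range" ] || continue    # no comma: not min,max form
        case "$min" in ''|*[!0-9]*) continue ;; esac
        case "$max" in ''|*[!0-9]*) continue ;; esac
        if [ "$port" -ge "$min" ] && [ "$port" -le "$max" ]; then
            return 0
        fi
    done < "$file"
    return 1
}

# Stand-alone demonstration on a constructed file in a temp directory:
# grant only 80 and 443 instead of the whole 1..1023 range.
demo_dir=$(mktemp -d)
authbind_byuid_entry 0.0.0.0/0 80 80   >  "$demo_dir/2000"
authbind_byuid_entry 0.0.0.0/0 443 443 >> "$demo_dir/2000"
for p in 80 443 8080; do
    if authbind_port_allowed "$demo_dir/2000" "$p"; then
        echo "port $p: allowed"
    else
        echo "port $p: not covered by $demo_dir/2000"
    fi
done
rm -rf "$demo_dir"
```

Run it against the real file with authbind_port_allowed /etc/authbind/byuid/2000 80 before restarting Tomcat; a non-zero exit means the bind will be refused regardless of how startup.sh is wrapped.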
Method 2:
http://serverfault.com/questions/615422/tomcat-cannot-change-port-8080-to-80
Method 3:
Running Tomcat on port 80 on Linux
By default Tomcat's HTTP connector listens on port 8080. Changing it to port 80 on Linux can be tricky: by default, listening on any port below 1024 requires a privileged user, and for security reasons it is not recommended to run Tomcat with elevated permissions. This article discusses how to use authbind to achieve this; it also describes how the whole configuration can be automated as a script that initializes a freshly installed Linux instance. This is especially useful on Amazon EC2, where such an init-script can initialize a fresh instance just launched from an AMI; indeed, Amazon's "Amazon Linux Image 1.0" was used for testing this article. Please note that this is a CentOS 5-based Linux distribution; other distributions need slight changes, such as replacing "sudo yum install tomcat6" with "sudo apt-get install tomcat6" on Debian-based systems like Ubuntu.
At the end of the article, all the commands are summarized to allow one-step configuration.
Installing Tomcat
We'll need the tomcat6 package to run Tomcat's core components, as well as the tomcat6-admin-webapps package, since we'll use Tomcat's Manager Application for application deployments, either through Maven's Cargo component or through the web browser. Since we'll compile authbind from source, we'll also need gcc, the GNU C Compiler package, which contains all the components needed to build an application on Linux. To install all this, open a terminal and execute:
sudo yum -y install tomcat6 tomcat6-admin-webapps gcc
Usually a web server is started automatically at system boot. This can be achieved with:
sudo /sbin/chkconfig --levels 235 tomcat6 on
Listening on ports < 1024 in Linux with an unprivileged user
There are several ways to achieve this:
- By using authbind, which authorizes specific users to bind specific ports below 1024
- By using Jsvc, a set of libraries and applications for making Java applications run more easily on UNIX (Jsvc lets the Tomcat application perform some privileged operations as root, e.g. bind to a port < 1024, and then switch identity to a non-privileged user)
- By configuring iptables to redirect packets from port 80 to 8080
This article describes the authbind approach. But first, let's tell Tomcat to listen on port 80 instead of 8080.
Changing Tomcat's default HTTP port
The default HTTP port is defined in /etc/tomcat6/server.xml:
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
We need to change this default port to 80 in server.xml. Either edit it by hand or automatically: to replace the occurrences of port="8080" with port="80", execute:
sudo sed -i 's/port="8080"/port="80"/' /etc/tomcat6/server.xml
The same for port 8443, which is replaced with port 443:
sudo sed -i 's/port="8443"/port="443"/' /etc/tomcat6/server.xml
We'll start Tomcat with authbind. This can be achieved by changing Tomcat's init-script in /etc/init.d, replacing the line
TOMCAT_SCRIPT="/usr/sbin/tomcat6"
with
TOMCAT_SCRIPT="exec authbind --deep /usr/sbin/tomcat6"
Again, it can be automated like this:
sudo sed -i 's|TOMCAT_SCRIPT="/usr/sbin/tomcat6"|TOMCAT_SCRIPT="exec authbind --deep /usr/sbin/tomcat6"|' /etc/init.d/tomcat6
We have to tell Tomcat to use the IPv4 stack by default (Java otherwise prefers IPv6 sockets where that stack is available). This is done by appending the line CATALINA_OPTS="-Djava.net.preferIPv4Stack=true" to /etc/tomcat6/tomcat6.conf:
sudo sed -i '$ a\CATALINA_OPTS="-Djava.net.preferIPv4Stack=true"' /etc/tomcat6/tomcat6.conf
Installing and configuring authbind
Authbind is built and installed the usual way, with gcc and make. Please note: for this step to succeed, the gcc package is needed; it was already installed earlier, together with Tomcat, by sudo yum -y install tomcat6 tomcat6-admin-webapps gcc.
cd ~
curl -O http://ftp.debian.org/debian/pool/main/a/authbind/authbind_2.1.1.tar.gz
tar xvzf authbind_2.1.1.tar.gz
cd authbind-2.1.1
make
sudo make install
Authbind is configured through special files whose ownership and permissions determine which users are granted access. Since Tomcat runs as the tomcat user, we'll tell authbind to allow that account to bind HTTP port 80 and HTTPS port 443:
sudo touch /etc/authbind/byport/80
sudo chmod 500 /etc/authbind/byport/80
sudo chown tomcat /etc/authbind/byport/80
sudo touch /etc/authbind/byport/443
sudo chmod 500 /etc/authbind/byport/443
sudo chown tomcat /etc/authbind/byport/443
For the changes to take effect, Tomcat has to be restarted:
sudo /etc/init.d/tomcat6 restart
To check for errors, consult the Tomcat log:
less -S /var/log/tomcat6/catalina.out
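Post-install checks for the steps above, added here as an example (not part of the original article). The first function verifies that a byport file is in the state the touch/chmod/chown commands produce (present, mode 500, owned by the Tomcat account); the second classifies the bind outcome recorded in catalina.out, distinguishing a refused bind (authbind not in effect for that user and port, or the init script not going through it) from a port already held by another process. Directory, log path and owner are parameters so the checks can be rehearsed on constructed files; in production the calls are authbind_byport_check /etc/authbind/byport 80 tomcat and tomcat_bind_diagnosis /var/log/tomcat6/catalina.out. The log excerpt is constructed.

```sh
#!/bin/sh
# Added example, not part of the original article: post-install checks for
# the authbind byport files and the Tomcat log.  Uses GNU stat (Linux).

# authbind_byport_check DIR PORT OWNER
#   Exit 0 if DIR/PORT exists, is owned by OWNER and has mode 500, i.e. the
#   state produced by the touch/chmod/chown commands above; otherwise print
#   the discrepancy to stderr and exit 1.
authbind_byport_check() {
    f="$1/$2"
    [ -e "$f" ] || { echo "$f: missing" >&2; return 1; }
    mode=$(stat -c '%a' "$f") || return 1
    owner=$(stat -c '%U' "$f") || return 1
    [ "$mode" = "500" ] || { echo "$f: mode $mode, expected 500" >&2; return 1; }
    [ "$owner" = "$3" ] || { echo "$f: owner $owner, expected $3" >&2; return 1; }
    return 0
}

# tomcat_bind_diagnosis LOG
#   Print "permission" if the connector was refused its port, "in-use" if
#   another process already holds it, "ok" if neither message is present.
tomcat_bind_diagnosis() {
    if grep -q 'java.net.BindException: Permission denied' "$1"; then
        echo permission
    elif grep -q 'java.net.BindException: Address already in use' "$1"; then
        echo in-use
    else
        echo ok
    fi
}

# make_sample_catalina_out PATH
#   Constructed excerpt modelled on what Tomcat 6 logs when bind(80) is
#   refused; the timestamp is made up for the demonstration.
make_sample_catalina_out() {
    cat > "$1" <<'EOF'
Jan 1, 2014 12:00:00 AM org.apache.coyote.http11.Http11Protocol init
SEVERE: Error initializing endpoint
java.net.BindException: Permission denied <null>:80
EOF
}

# Stand-alone run on constructed files in a temp directory.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/byport"
touch "$demo_dir/byport/80" && chmod 500 "$demo_dir/byport/80"
me=$(id -un)
authbind_byport_check "$demo_dir/byport" 80  "$me" && echo "byport/80: ok"
authbind_byport_check "$demo_dir/byport" 443 "$me" || echo "byport/443: needs fixing"
make_sample_catalina_out "$demo_dir/catalina.out"
echo "diagnosis: $(tomcat_bind_diagnosis "$demo_dir/catalina.out")"
rm -rf "$demo_dir"
```

A "permission" result after the restart means the bind never reached authbind's helper: re-check the byport file owner against the account Tomcat actually runs as and confirm TOMCAT_SCRIPT in /etc/init.d/tomcat6 now starts with exec authbind --deep.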
The whole script
Here is the whole script that automates all of the above:
sudo yum -y install tomcat6 tomcat6-admin-webapps gcc
sudo sed -i 's/port="8080"/port="80"/' /etc/tomcat6/server.xml
sudo sed -i 's/port="8443"/port="443"/' /etc/tomcat6/server.xml
sudo sed -i 's|TOMCAT_SCRIPT="/usr/sbin/tomcat6"|TOMCAT_SCRIPT="exec authbind --deep /usr/sbin/tomcat6"|' /etc/init.d/tomcat6
sudo sed -i '$ a\CATALINA_OPTS="-Djava.net.preferIPv4Stack=true"' /etc/tomcat6/tomcat6.conf
cd ~
curl -O http://ftp.debian.org/debian/pool/main/a/authbind/authbind_2.1.1.tar.gz
tar xvzf authbind_2.1.1.tar.gz
cd authbind-2.1.1
make
sudo make install
sudo touch /etc/authbind/byport/80
sudo chmod 500 /etc/authbind/byport/80
sudo chown tomcat /etc/authbind/byport/80
sudo touch /etc/authbind/byport/443
sudo chmod 500 /etc/authbind/byport/443
sudo chown tomcat /etc/authbind/byport/443
sudo /sbin/chkconfig --levels 235 tomcat6 on
sudo /etc/init.d/tomcat6 restart
cd ~
Source: http://netthink.com/?p=362