Posted to users@tomcat.apache.org by Rob Tanner <rt...@linfield.edu> on 2007/10/10 17:19:46 UTC
How do I run Tomcat as a non-root user?
Hi,
How do I run Tomcat as a non-root user? I need to be able to bind to
ports 80 & 443 which are privileged ports. I know that with straight
Apache the user that it runs as is configured in httpd.conf. It starts
up as root, binds to the ports and then drops its privileges. However,
I'm running Tomcat as stand-alone. So, is there some mechanism in
Tomcat to accomplish the same thing?
Thanks,
Rob
--
Rob Tanner
UNIX Services Manager
Linfield College, McMinnville OR
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: How do I run Tomcat as a non-root user?
Posted by Rob Tanner <rt...@linfield.edu>.
Markus,
I was able to resolve the make by doing the last compile step manually.
As far as why a 32 bit JVM on a 64 bit machine, that only applies to my
development system (which is my desktop). Our production servers are 32
bit systems. The problem with a 64 bit JVM on my development box is
that MyEclipse (unless it's changed and I'm unaware) does not behave
dependably in 64 bit. Using 32 bit, my Java development is rock-solid,
so why change?
-- Rob
Markus Schönhaber said the following on 10/10/2007 02:01 PM:
> Rob Tanner wrote:
>
>
>> I downloaded it and also applied the patch to eliminate the "Cannot
>> execute JSVC executor process" error.
>>
>
> Why didn't you use the sources you already had?
>
>
>> But here's the catch, and maybe
>> you know the answer. The machine and the OS (Fedora) are 64bit but the
>> Java runtime is 32bit. In order for jsvc to make use of the shared
>> libs, it has to be 32 bit as well. So, I build it like this:
>>
> [...]
>
>> And I end up with an ELF 64-bit LSB executable that gets an immediate
>> segmentation fault.
>>
>> Any ideas how to build it right?
>>
>
> You could set up a cross-compiler/cross-toolchain that is able to create
> 32-bit binaries or compile it on a 32-bit machine. Either way, you'll
> have to install the 32-bit versions of the dependent libraries as well
> (or create a static binary).
>
> But first and foremost: what's the point in running Tomcat in a 32-bit
> JVM on 64-bit machine?
> Use a 64-bit JVM and save yourself a lot of trouble.
>
> Regards
> mks
>
Re: How do I run Tomcat as a non-root user?
Posted by Markus Schönhaber <ma...@schoenhaber.de>.
Rob Tanner wrote:
> I downloaded it and also applied the patch to eliminate the "Cannot
> execute JSVC executor process" error.
Why didn't you use the sources you already had?
> But here's the catch, and maybe
> you know the answer. The machine and the OS (Fedora) are 64bit but the
> Java runtime is 32bit. In order for jsvc to make use of the shared
> libs, it has to be 32 bit as well. So, I build it like this:
[...]
> And I end up with an ELF 64-bit LSB executable that gets an immediate
> segmentation fault.
>
> Any ideas how to build it right?
You could set up a cross-compiler/cross-toolchain that is able to create
32-bit binaries or compile it on a 32-bit machine. Either way, you'll
have to install the 32-bit versions of the dependent libraries as well
(or create a static binary).
But first and foremost: what's the point in running Tomcat in a 32-bit
JVM on 64-bit machine?
Use a 64-bit JVM and save yourself a lot of trouble.
Regards
mks
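A pre-deployment check for the mismatch discussed in this exchange, as an added example (not code from jsvc or from either poster): it reads the ELF class and machine fields of a launcher and of a JVM library and reports whether they agree. The function names and the two sample headers are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fields of the ELF header that decide whether a process can load a library. */
struct elf_id { int bits; unsigned machine; };

enum { EM_386_ID = 3, EM_X86_64_ID = 62 };  /* e_machine values from the ELF spec */

/* Parse the first 20 bytes of an ELF file. Returns 0 on success, -1 if the
 * buffer is not a recognisable ELF header. */
int elf_identify(const unsigned char *h, size_t len, struct elf_id *out) {
    if (len < 20 || memcmp(h, "\x7f" "ELF", 4) != 0) return -1;
    if (h[4] != 1 && h[4] != 2) return -1;   /* EI_CLASS: 1 = 32-bit, 2 = 64-bit */
    if (h[5] != 1 && h[5] != 2) return -1;   /* EI_DATA: 1 = little, 2 = big endian */
    out->bits = h[4] == 1 ? 32 : 64;
    /* e_machine is a 16-bit field at offset 18, in the file's own byte order */
    out->machine = h[5] == 1 ? (unsigned)(h[18] | (h[19] << 8)) : (unsigned)((h[18] << 8) | h[19]);
    return 0;
}

/* 1 if both files agree on word size and CPU, 0 if they differ, -1 on parse error. */
int elf_compatible(const unsigned char *a, size_t alen, const unsigned char *b, size_t blen) {
    struct elf_id x, y;
    if (elf_identify(a, alen, &x) != 0 || elf_identify(b, blen, &y) != 0) return -1;
    return x.bits == y.bits && x.machine == y.machine;
}

/* Constructed sample headers: a 64-bit x86-64 launcher and a 32-bit i386 libjvm.so. */
static const unsigned char JSVC64[20] = {0x7f,'E','L','F',2,1,1,0, 0,0,0,0,0,0,0,0, 2,0, EM_X86_64_ID,0};
static const unsigned char LIBJVM32[20] = {0x7f,'E','L','F',1,1,1,0, 0,0,0,0,0,0,0,0, 3,0, EM_386_ID,0};

int main(int argc, char **argv) {
    unsigned char a[20], b[20];
    if (argc == 3) {  /* usage: check <launcher> <libjvm.so> */
        FILE *fa = fopen(argv[1], "rb"), *fb = fopen(argv[2], "rb");
        if (!fa || !fb || fread(a, 1, 20, fa) != 20 || fread(b, 1, 20, fb) != 20) return 2;
        fclose(fa); fclose(fb);
    } else {          /* no files given: fall back to the constructed headers */
        memcpy(a, JSVC64, 20); memcpy(b, LIBJVM32, 20);
    }
    int ok = elf_compatible(a, 20, b, 20);
    printf("%s\n", ok == 1 ? "match" : ok == 0 ? "MISMATCH: launcher and JVM differ" : "not ELF");
    return ok == 1 ? 0 : 1;
}
```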
Re: How do I run Tomcat as a non-root user?
Posted by Rob Tanner <rt...@linfield.edu>.
Markus,
I downloaded it and also applied the patch to eliminate the "Cannot
execute JSVC executor process" error. But here's the catch, and maybe
you know the answer. The machine and the OS (Fedora) are 64bit but the
Java runtime is 32bit. In order for jsvc to make use of the shared
libs, it has to be 32 bit as well. So, I build it like this:
CFLAGS=-m32 CPPFLAGS=-m32 CCASFLAGS=-m32 LDFLAGS="-L/usr/lib -L/lib" \
./configure --build=i686-pc-linux-gnu \
But at the end of the make, I get
gcc -L/usr/lib -L/lib -ldl -lpthread jsvc-unix.o libservice.a -o ../jsvc
/usr/bin/ld: skipping incompatible /usr/lib/libdl.so when searching for -ldl
/usr/bin/ld: skipping incompatible /usr/lib/libdl.a when searching for -ldl
/usr/bin/ld: skipping incompatible /usr/lib/libpthread.so when searching for -lpthread
/usr/bin/ld: skipping incompatible /usr/lib/libpthread.a when searching for -lpthread
/usr/bin/ld: skipping incompatible /usr/lib/libc.so when searching for -lc
/usr/bin/ld: skipping incompatible /usr/lib/libc.a when searching for -lc
/usr/bin/ld: warning: i386 architecture of input file `jsvc-unix.o' is incompatible with i386:x86-64 output
/usr/bin/ld: warning: i386 architecture of input file `libservice.a(arguments.o)' is incompatible with i386:x86-64 output
/usr/bin/ld: warning: i386 architecture of input file `libservice.a(debug.o)' is incompatible with i386:x86-64 output
/usr/bin/ld: warning: i386 architecture of input file `libservice.a(help.o)' is incompatible with i386:x86-64 output
/usr/bin/ld: warning: i386 architecture of input file `libservice.a(home.o)' is incompatible with i386:x86-64 output
/usr/bin/ld: warning: i386 architecture of input file `libservice.a(java.o)' is incompatible with i386:x86-64 output
/usr/bin/ld: warning: i386 architecture of input file `libservice.a(location.o)' is incompatible with i386:x86-64 output
/usr/bin/ld: warning: i386 architecture of input file `libservice.a(replace.o)' is incompatible with i386:x86-64 output
/usr/bin/ld: warning: i386 architecture of input file `libservice.a(dso-dlfcn.o)' is incompatible with i386:x86-64 output
And I end up with an ELF 64-bit LSB executable that gets an immediate
segmentation fault.
Any ideas how to build it right?
Thanks,
Rob
Markus Schönhaber said the following on 10/10/2007 09:11 AM:
> Rob Tanner wrote:
>
>
>> How do I run Tomcat as a non-root user? I need to be able to bind to
>> ports 80 & 443 which are privileged ports. I know that with straight
>> Apache the user that it runs as is configured in httpd.conf. It starts
>> up as root, binds to the ports and then drops its privileges. However,
>> I'm running Tomcat as stand-alone. So, is there some mechanism in
>> Tomcat to accomplish the same thing?
>>
>
> Yes, jsvc[1]. The sources should be in the bin/ directory of your Tomcat
> installation.
>
> Regards
> mks
>
> [1] http://commons.apache.org/daemon/jsvc.html
>
Re: How do I run Tomcat as a non-root user?
Posted by Markus Schönhaber <ma...@schoenhaber.de>.
Rob Tanner wrote:
> How do I run Tomcat as a non-root user? I need to be able to bind to
> ports 80 & 443 which are privileged ports. I know that with straight
> Apache the user that it runs as is configured in httpd.conf. It starts
> up as root, binds to the ports and then drops its privileges. However,
> I'm running Tomcat as stand-alone. So, is there some mechanism in
> Tomcat to accomplish the same thing?
Yes, jsvc[1]. The sources should be in the bin/ directory of your Tomcat
installation.
Regards
mks
[1] http://commons.apache.org/daemon/jsvc.html
Re: How do I run Tomcat as a non-root user?
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Rob,
Rob Tanner wrote:
> How do I run Tomcat as a non-root user? I need to be able to bind to
> ports 80 & 443 which are privileged ports. I know that with straight
> Apache the user that it runs as is configured in httpd.conf. It starts
> up as root, binds to the ports and then drops its privileges. However,
> I'm running Tomcat as stand-alone. So, is there some mechanism in
> Tomcat to accomplish the same thing?
RTFM / GIYF / whatever:
http://www.owasp.org/index.php/Securing_tomcat#Using_Port_80
http://tomcat.apache.org/faq/security.html#root
http://tomcat.apache.org/faq/security.html#jsvcExample
-chris
Re: How do I run Tomcat as a non-root user?
Posted by Alexey Solofnenko <A....@mdl.com>.
Look there:
http://wiki.apache.org/tomcat/HowTo#head-18d1c3f3fa702a1be769340784515eecce6e0ac9
- Alexey.
Rob Tanner wrote:
> Hi,
>
> How do I run Tomcat as a non-root user? I need to be able to bind to
> ports 80 & 443 which are privileged ports. I know that with straight
> Apache the user that it runs as is configured in httpd.conf. It
> starts up as root, binds to the ports and then drops its privileges.
> However, I'm running Tomcat as stand-alone. So, is there some
> mechanism in Tomcat to accomplish the same thing?
>
> Thanks,
> Rob
>
>
>
--
------------------------------------------------------------------------
Alexey N. Solofnenko <http://trelony.cjb.net/>
Pleasant Hill, CA (GMT-8 usually)