Posted to users@tomcat.apache.org by "Cheltenham, Chris" <cc...@philasd.org> on 2018/02/23 17:36:43 UTC

Running as user tomcat


Hello All,

I am trying to run tomcat as a non-root user.

It will start as the tomcat user but it will not bind to connector 443
unless it starts as root.

Does anyone know why?

23-Feb-2018 09:14:59.140 SEVERE [main]
org.apache.catalina.core.StandardService.initInternal Failed to initialize
connector [Connector[HTTP/1.1-443]]
org.apache.catalina.LifecycleException: Failed to initialize component
[Connector[HTTP/1.1-443]]

I'm using java 9.0.4 and Tomcat 8.5.28

===========================

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571 


RE: Running as user tomcat

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Peter@Kreuser-Online [mailto:logo@kreuser.name]
> Subject: Re: Running as user tomcat

> On 23.02.2018 at 18:36, Cheltenham, Chris
> <cc...@philasd.org> wrote:

> > I am trying to run tomcat as a non root user.

> > It will start as the tomcat user but it will not bind to connector 443
> > unless it starts as root.

> Unix will not let you open ports below 1024 as non-root user!

> You may use a proxy in front of it or maybe use iptables to be able to use
> standard ports AND user tomcat.

And definitely read the wiki entry about this, before doing anything else:
https://wiki.apache.org/tomcat/HowTo#How_to_run_Tomcat_without_root_privileges.3F

  - Chuck



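As an added example, not code from the thread: a small POSIX shell script that reproduces the reasoning in Peter's and Chuck's replies above. Linux, like other Unix systems, refuses bind() on a port below 1024 to a process that is neither root nor holding CAP_NET_BIND_SERVICE, and that refusal (EACCES) is what Tomcat surfaces as the LifecycleException on Connector[HTTP/1.1-443]. The functions below read the boundary from the net.ipv4.ip_unprivileged_port_start sysctl (Linux 4.11 and later; 1024 is assumed where it is absent), pull the effective capability set from /proc/self/status, and print a verdict for a given port, EUID and capability mask. The function and variable names are mine, and the sample values (uid 997, an all-zero CapEff) are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: work out why a non-root process such as
# Tomcat's JVM is refused a bind() on port 443, from the facts Linux exposes.
# Assumptions: /proc/self/status and net.ipv4.ip_unprivileged_port_start are
# Linux-specific (the sysctl exists from kernel 4.11); elsewhere the live check
# falls back to the classic 1024 boundary and an empty capability set.

# Boundary below which bind() needs root or CAP_NET_BIND_SERVICE.
unprivileged_port_start() {
    f=/proc/sys/net/ipv4/ip_unprivileged_port_start
    if [ -r "$f" ]; then cat "$f"; else echo 1024; fi
}

# Succeeds (0) when PORT is below START (default 1024), i.e. privileged.
is_privileged_port() {
    [ "$1" -lt "${2:-1024}" ]
}

# Print the CapEff hex mask from /proc/<pid>/status text read on stdin.
cap_eff_from_status() {
    awk '$1 == "CapEff:" { print $2; exit }'
}

# Succeeds (0) when hex mask MASK has CAP_NET_BIND_SERVICE (capability 10) set.
has_cap_net_bind_service() {
    case "$1" in ''|*[!0-9a-fA-F]*) return 1 ;; esac
    [ $(( (0x$1 >> 10) & 1 )) -eq 1 ]
}

# Verdict for a process with EUID and CapEff MASK binding PORT, given START
# as the privileged boundary. Prints exactly one of:
#   allowed:unprivileged-port  allowed:root
#   allowed:cap_net_bind_service  denied:privileged-port
bind_verdict() {
    port="$1"; euid="$2"; mask="$3"; start="${4:-1024}"
    if ! is_privileged_port "$port" "$start"; then
        echo allowed:unprivileged-port
    elif [ "$euid" -eq 0 ]; then
        echo allowed:root
    elif has_cap_net_bind_service "$mask"; then
        echo allowed:cap_net_bind_service
    else
        echo denied:privileged-port
    fi
}

# Live verdict for the current shell; run it as the tomcat user with 443
# to reproduce the situation behind the LifecycleException in the thread.
check_current_process() {
    if [ -r /proc/self/status ]; then
        mask=$(cap_eff_from_status </proc/self/status)
    else
        mask=0
    fi
    bind_verdict "$1" "$(id -u)" "$mask" "$(unprivileged_port_start)"
}

# Example run with constructed values (a typical non-root JVM, no capabilities):
bind_verdict 443 997 0000000000000000    # denied:privileged-port
bind_verdict 8443 997 0000000000000000   # allowed:unprivileged-port
```

Run `check_current_process 443` as the tomcat user and it prints `denied:privileged-port`, which is the whole story behind the log entry. The fixes are the ones the thread names: keep the connector on 8443 and redirect at the firewall (`iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443`), put a reverse proxy on 443, or start Tomcat through jsvc or authbind so that the bind happens with the needed privilege while the JVM itself runs as tomcat. Granting the java binary CAP_NET_BIND_SERVICE with setcap also works, but the dynamic loader then treats java as a secure executable and ignores LD_LIBRARY_PATH, so weigh it against the options on the wiki page Chuck links.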

RE: Running as user tomcat

Posted by "Cheltenham, Chris" <cc...@philasd.org>.
YES! Thank you.

I forgot about that.



===========================

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571


-----Original Message-----
From: Peter@Kreuser-Online [mailto:logo@kreuser.name]
Sent: Friday, February 23, 2018 12:53 PM
To: Tomcat Users List <us...@tomcat.apache.org>
Subject: Re: Running as user tomcat

Hi Chris,



> On 23.02.2018 at 18:36, Cheltenham, Chris
> <cc...@philasd.org> wrote:
>
> Hello All,
>
> I am trying to run tomcat as a non root user.
>
> It will start as the tomcat user but it will not bind to connector 443 
> unless it starts as root.
>
> Does anyone know why?

Unix will not let you open ports below 1024 as non-root user!

You may use a proxy in front of it or maybe use iptables to be able to use 
standard ports AND user tomcat.

> 23-Feb-2018 09:14:59.140 SEVERE [main] 
> org.apache.catalina.core.StandardService.initInternal Failed to initialize 
> connector [Connector[HTTP/1.1-443]]
> org.apache.catalina.LifecycleException: Failed to initialize component 
> [Connector[HTTP/1.1-443]]
>
> I’m using java 9.0.4 and Tomcat 8.5.28
>
>
> ===========================
>
> Thank You;
>
> Chris Cheltenham
> Technology Services
> The School District of Philadelphia
>
> Work # 215-400-5025
> Cell # 215-301-6571

Best regards

Peter

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: [OT] Running as user tomcat [authbind]

Posted by "André Warnier (tomcat)" <aw...@ice-sa.com>.
Hi.

On 26.02.2018 15:59, Christopher Schultz wrote:
>
> Coty and André,
>
> On 2/23/18 6:58 PM, Coty Sutherland wrote:
>> Also see https://bz.apache.org/bugzilla/show_bug.cgi?id=60560 :)
>> I've been planning to push a solution for that, just haven't gotten
>> around to it yet.
>>
>> On Fri, Feb 23, 2018 at 5:34 PM, André Warnier (tomcat)
>> <aw...@ice-sa.com> wrote:
>>> On 23.02.2018 23:32, André Warnier (tomcat) wrote:
>>>>
>>>> On 23.02.2018 18:52, Peter@Kreuser-Online wrote:
>>>>>
>>>>> Hi Chris,
>>>>>
>>>>>
>>>>>
>>>>>> On 23.02.2018 at 18:36, Cheltenham, Chris
>>>>>> <cc...@philasd.org> wrote:
>>>>>>
>>>>>> Hello All,
>>>>>>
>>>>>> I am trying to run tomcat as a non root user.
>>>>>>
>>>>>> It will start as the tomcat user but it will not bind to
>>>>>> connector 443 unless it starts as root.
>>>>>>
>>>>>> Does anyone know why?
>>>>>
>>>>>
>>>>> Unix will not let you open ports below 1024 as non-root
>>>>> user!
>>>>>
>>>>> You may use a proxy in front of it or maybe use iptables to
>>>>> be able to use standard ports AND user tomcat.
>>>>
>>>>
>>>> See also :
>>>> https://commons.apache.org/proper/commons-daemon/jsvc.html
>>>
>>>
>>> Or if you are running under Linux, check :
>>> https://en.wikipedia.org/wiki/Authbind
>
> I'm curious ... can authbind be used to *restrict* processes as well
> as to grant them access? For example, let's say that I want Tomcat to
> be able to bind to port 8080, it generally will be able to do that
> unless some other process has bound already. But let's say I
> specifically DO NOT want Tomcat to be able to bind to port 8443. Can I
> use authbind to set a blacklist of ports, too? Or, can I blacklist
> everything and set up a whitelist that contains only port 8080?
>

I don't really know the specifics of authbind, just that recent Debian Linux versions seem 
to automatically use it to run their pre-packaged Tomcat (I believe that previously, they 
used jsvc).
There is information available here :
https://manpages.debian.org/testing/authbind/authbind.1.en.html
which seems to indicate that indeed it seems to allow the kind of things which you mention 
above.
Should you not have access to a Linux Debian/Ubuntu system right now, I can also send you 
a sample /etc/init.d startup script for Tomcat (using authbind) (but presumably directly, 
as the list does not really like attachments)




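As an added example, not from the thread or the authbind package: the permission entry that André's Debian start script relies on, written as two shell functions. authbind works by preloading a library that intercepts bind(); for a port below 1024 it asks a setuid helper, and the helper grants the bind if the calling user may execute /etc/authbind/byport/<port> (byuid and byaddr files exist as well). That also answers Chris Schultz's question: authbind can only grant low ports, it cannot deny high ones, because the library passes binds to ports 1024 and above straight to the kernel without consulting the helper. Keeping Tomcat off 8443 is a job for SELinux port labelling, as Coty mentions further down, not for authbind. The function names and the optional directory argument are mine; the directory defaults to the Debian location.

```shell
#!/bin/sh
# Added example, not from the thread or the authbind project: create and
# verify the per-port permission file authbind consults. authbind's helper
# grants a bind() on port N when the invoking user can execute
# /etc/authbind/byport/N; the directory is a parameter here so the same
# functions can be exercised in a scratch directory. Assumed names:
# authbind_allow_port, authbind_check_port.

# Create ROOT/byport/PORT, owned by USER, mode 500 (the Debian convention),
# and print its path. Refuses ports >= 1024: authbind's library hands those
# straight to the kernel, so an entry there would never be consulted.
authbind_allow_port() {
    port="$1"; user="$2"; root="${3:-/etc/authbind}"
    case "$port" in
        ''|*[!0-9]*) echo "authbind_allow_port: bad port '$port'" >&2; return 2 ;;
    esac
    if [ "$port" -ge 1024 ]; then
        echo "authbind_allow_port: $port is not a privileged port" >&2
        return 2
    fi
    mkdir -p "$root/byport" || return 1
    f="$root/byport/$port"
    : > "$f" || return 1
    chown "$user" "$f" || return 1
    chmod 500 "$f" || return 1
    printf '%s\n' "$f"
}

# Succeeds (0) when the current user would be granted PORT by the byport rule,
# i.e. the entry exists and is executable for this user.
authbind_check_port() {
    root="${2:-/etc/authbind}"
    [ -x "$root/byport/$1" ]
}

# Typical use on a Debian-style host (writing /etc/authbind needs root):
#   authbind_allow_port 443 tomcat
#   su -s /bin/sh tomcat -c 'authbind --deep /opt/tomcat/bin/catalina.sh run'
```

Start Tomcat as `authbind --deep $CATALINA_HOME/bin/catalina.sh run` (or the equivalent in the init script). The `--deep` flag matters: catalina.sh is a shell script that execs the JVM, and without `--deep` only the shell, not the java process doing the bind(), would carry the preloaded hook.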

Re: [OT] Running as user tomcat [authbind]

Posted by Coty Sutherland <cs...@apache.org>.
On Mon, Feb 26, 2018 at 9:59 AM, Christopher Schultz
<ch...@christopherschultz.net> wrote:
>
> Coty and André,
>
> On 2/23/18 6:58 PM, Coty Sutherland wrote:
>> Also see https://bz.apache.org/bugzilla/show_bug.cgi?id=60560 :)
>> I've been planning to push a solution for that, just haven't gotten
>> around to it yet.
>>
>> On Fri, Feb 23, 2018 at 5:34 PM, André Warnier (tomcat)
>> <aw...@ice-sa.com> wrote:
>>> On 23.02.2018 23:32, André Warnier (tomcat) wrote:
>>>>
>>>> On 23.02.2018 18:52, Peter@Kreuser-Online wrote:
>>>>>
>>>>> Hi Chris,
>>>>>
>>>>>
>>>>>
>>>>>> On 23.02.2018 at 18:36, Cheltenham, Chris
>>>>>> <cc...@philasd.org> wrote:
>>>>>>
>>>>>> Hello All,
>>>>>>
>>>>>> I am trying to run tomcat as a non root user.
>>>>>>
>>>>>> It will start as the tomcat user but it will not bind to
>>>>>> connector 443 unless it starts as root.
>>>>>>
>>>>>> Does anyone know why?
>>>>>
>>>>>
>>>>> Unix will not let you open ports below 1024 as non-root
>>>>> user!
>>>>>
>>>>> You may use a proxy in front of it or maybe use iptables to
>>>>> be able to use standard ports AND user tomcat.
>>>>
>>>>
>>>> See also :
>>>> https://commons.apache.org/proper/commons-daemon/jsvc.html
>>>
>>>
>>> Or if you are running under Linux, check :
>>> https://en.wikipedia.org/wiki/Authbind
>
> I'm curious ... can authbind be used to *restrict* processes as well
> as to grant them access? For example, let's say that I want Tomcat to
> be able to bind to port 8080, it generally will be able to do that
> unless some other process has bound already. But let's say I
> specifically DO NOT want Tomcat to be able to bind to port 8443. Can I
> use authbind to set a blacklist of ports, too? Or, can I blacklist
> everything and set up a whitelist that contains only port 8080?

I'm not sure about authbind, but selinux is effectively a whitelist
which only includes a handful of ports (in http_port_t)...assuming
that it's enabled.

>
> -chris
>



Re: [OT] Running as user tomcat [authbind]

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Coty and André,

On 2/23/18 6:58 PM, Coty Sutherland wrote:
> Also see https://bz.apache.org/bugzilla/show_bug.cgi?id=60560 :)
> I've been planning to push a solution for that, just haven't gotten
> around to it yet.
> 
> On Fri, Feb 23, 2018 at 5:34 PM, André Warnier (tomcat)
> <aw...@ice-sa.com> wrote:
>> On 23.02.2018 23:32, André Warnier (tomcat) wrote:
>>> 
>>> On 23.02.2018 18:52, Peter@Kreuser-Online wrote:
>>>> 
>>>> Hi Chris,
>>>> 
>>>> 
>>>> 
>>>>> On 23.02.2018 at 18:36, Cheltenham, Chris
>>>>> <cc...@philasd.org> wrote:
>>>>> 
>>>>> Hello All,
>>>>> 
>>>>> I am trying to run tomcat as a non root user.
>>>>> 
>>>>> It will start as the tomcat user but it will not bind to
>>>>> connector 443 unless it starts as root.
>>>>> 
>>>>> Does anyone know why?
>>>> 
>>>> 
>>>> Unix will not let you open ports below 1024 as non-root
>>>> user!
>>>> 
>>>> You may use a proxy in front of it or maybe use iptables to
>>>> be able to use standard ports AND user tomcat.
>>> 
>>> 
>>> See also :
>>> https://commons.apache.org/proper/commons-daemon/jsvc.html
>> 
>> 
>> Or if you are running under Linux, check : 
>> https://en.wikipedia.org/wiki/Authbind

I'm curious ... can authbind be used to *restrict* processes as well
as to grant them access? For example, let's say that I want Tomcat to
be able to bind to port 8080, it generally will be able to do that
unless some other process has bound already. But let's say I
specifically DO NOT want Tomcat to be able to bind to port 8443. Can I
use authbind to set a blacklist of ports, too? Or, can I blacklist
everything and set up a whitelist that contains only port 8080?

-chris



Re: Running as user tomcat

Posted by Coty Sutherland <cs...@redhat.com>.
Also see https://bz.apache.org/bugzilla/show_bug.cgi?id=60560 :) I've
been planning to push a solution for that, just haven't gotten around
to it yet.

On Fri, Feb 23, 2018 at 5:34 PM, André Warnier (tomcat) <aw...@ice-sa.com> wrote:
> On 23.02.2018 23:32, André Warnier (tomcat) wrote:
>>
>> On 23.02.2018 18:52, Peter@Kreuser-Online wrote:
>>>
>>> Hi Chris,
>>>
>>>
>>>
>>>> On 23.02.2018 at 18:36, Cheltenham, Chris
>>>> <cc...@philasd.org> wrote:
>>>>
>>>> Hello All,
>>>>
>>>> I am trying to run tomcat as a non root user.
>>>>
>>>> It will start as the tomcat user but it will not bind to connector 443
>>>> unless it starts
>>>> as root.
>>>>
>>>> Does anyone know why?
>>>
>>>
>>> Unix will not let you open ports below 1024 as non-root user!
>>>
>>> You may use a proxy in front of it or maybe use iptables to be able to
>>> use standard
>>> ports AND user tomcat.
>>
>>
>> See also : https://commons.apache.org/proper/commons-daemon/jsvc.html
>
>
> Or if you are running under Linux, check :
> https://en.wikipedia.org/wiki/Authbind
>
>
>
>>
>>>
>>>> 23-Feb-2018 09:14:59.140 SEVERE [main]
>>>> org.apache.catalina.core.StandardService.initInternal Failed to
>>>> initialize connector
>>>> [Connector[HTTP/1.1-443]]
>>>> org.apache.catalina.LifecycleException: Failed to initialize component
>>>> [Connector[HTTP/1.1-443]]
>>>>
>>>> I’m using java 9.0.4 and Tomcat 8.5.28
>>>>
>>>>
>>>> ===========================
>>>>
>>>> Thank You;
>>>>
>>>> Chris Cheltenham
>>>> Technology Services
>>>> The School District of Philadelphia
>>>>
>>>> Work # 215-400-5025
>>>> Cell # 215-301-6571
>>>
>>>
>>> Best regards
>>>
>>> Peter
>>>



Re: Running as user tomcat

Posted by "André Warnier (tomcat)" <aw...@ice-sa.com>.
On 23.02.2018 23:32, André Warnier (tomcat) wrote:
> On 23.02.2018 18:52, Peter@Kreuser-Online wrote:
>> Hi Chris,
>>
>>
>>
>>> On 23.02.2018 at 18:36, Cheltenham, Chris <cc...@philasd.org> wrote:
>>>
>>> Hello All,
>>>
>>> I am trying to run tomcat as a non root user.
>>>
>>> It will start as the tomcat user but it will not bind to connector 443 unless it starts
>>> as root.
>>>
>>> Does anyone know why?
>>
>> Unix will not let you open ports below 1024 as non-root user!
>>
>> You may use a proxy in front of it or maybe use iptables to be able to use standard
>> ports AND user tomcat.
>
> See also : https://commons.apache.org/proper/commons-daemon/jsvc.html

Or if you are running under Linux, check : https://en.wikipedia.org/wiki/Authbind


>
>>
>>> 23-Feb-2018 09:14:59.140 SEVERE [main]
>>> org.apache.catalina.core.StandardService.initInternal Failed to initialize connector
>>> [Connector[HTTP/1.1-443]]
>>> org.apache.catalina.LifecycleException: Failed to initialize component
>>> [Connector[HTTP/1.1-443]]
>>>
>>> I’m using java 9.0.4 and Tomcat 8.5.28
>>>
>>>
>>> ===========================
>>>
>>> Thank You;
>>>
>>> Chris Cheltenham
>>> Technology Services
>>> The School District of Philadelphia
>>>
>>> Work # 215-400-5025
>>> Cell # 215-301-6571
>>
>> Best regards
>>
>> Peter
>>




Re: Running as user tomcat

Posted by "André Warnier (tomcat)" <aw...@ice-sa.com>.
On 23.02.2018 18:52, Peter@Kreuser-Online wrote:
> Hi Chris,
>
>
>
>> On 23.02.2018 at 18:36, Cheltenham, Chris <cc...@philasd.org> wrote:
>>
>> Hello All,
>>
>> I am trying to run tomcat as a non root user.
>>
>> It will start as the tomcat user but it will not bind to connector 443 unless it starts as root.
>>
>> Does anyone know why?
>
> Unix will not let you open ports below 1024 as non-root user!
>
> You may use a proxy in front of it or maybe use iptables to be able to use standard ports AND user tomcat.

See also : https://commons.apache.org/proper/commons-daemon/jsvc.html

>
>> 23-Feb-2018 09:14:59.140 SEVERE [main] org.apache.catalina.core.StandardService.initInternal Failed to initialize connector [Connector[HTTP/1.1-443]]
>> org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-443]]
>>
>> I’m using java 9.0.4 and Tomcat 8.5.28
>>
>>
>> ===========================
>>
>> Thank You;
>>
>> Chris Cheltenham
>> Technology Services
>> The School District of Philadelphia
>>
>> Work # 215-400-5025
>> Cell # 215-301-6571
>
> Best regards
>
> Peter
>




Re: Running as user tomcat

Posted by "Peter@Kreuser-Online" <lo...@kreuser.name>.
Hi Chris,



> On 23.02.2018 at 18:36, Cheltenham, Chris <cc...@philasd.org> wrote:
> 
> Hello All,
>  
> I am trying to run tomcat as a non root user.
>  
> It will start as the tomcat user but it will not bind to connector 443 unless it starts as root.
>  
> Does anyone know why?

Unix will not let you open ports below 1024 as non-root user!

You may use a proxy in front of it or maybe use iptables to be able to use standard ports AND user tomcat.

> 23-Feb-2018 09:14:59.140 SEVERE [main] org.apache.catalina.core.StandardService.initInternal Failed to initialize connector [Connector[HTTP/1.1-443]]
> org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-443]]
>  
> I’m using java 9.0.4 and Tomcat 8.5.28
>  
>  
> ===========================
> 
> Thank You;
> 
> Chris Cheltenham
> Technology Services
> The School District of Philadelphia
> 
> Work # 215-400-5025
> Cell # 215-301-6571

Best regards

Peter