Jetty/Howto/Port80

From Eclipsepedia

< Jetty‎ | Howto
Revision as of 09:47, 9 August 2012 by Bleleve.gmail.com (Talk | contribs)

Jump to: navigation, search



Contents

Introduction

On Unix-based systems, port 80 is protected; typically only the superuser root can open it. For security reasons, it is not desirable to run the server as root. This page presents several options to access port 80 as a non-root user. These include;

Using ipchains

Using iptables

Configuring Jetty's SetUID Feature

Using xinetd

Using the Solaris 10 User Rights Management Framework


Using ipchains

On some Linux systems you can use the ipchains REDIRECT mechanism to redirect from one port to another inside the kernel (if ipchains is not available, then usually iptables is (see below)):

/sbin/ipchains -I input --proto TCP --dport 80 -j REDIRECT 8080

This command instructs the system as follows: "Insert into the kernel's packet filtering the following as the first rule to check on incoming packets: If the protocol is TCP and the destination port is 80, redirect the packet to port 8080." Be aware that your kernel must be compiled with support for ipchains (virtually all stock kernels are). You must have the "ipchains" command-line utility installed (on RedHat the package is aptly named "ipchains"). You can run this command at any time, preferably just once since it inserts another copy of the rule every time you run it.

Once you set up this rule , a Linux 2.2 kernel redirects all data addressed to port 80 to a server such as Jetty running on port 8080.This includes all RedHat 6.x distros. Linux 2.4 kernels, for example, RedHat 7.1+, have a similar "iptables" facility.

Using iptables

On many Linux systems you can use the iptables REDIRECT mechanism to redirect from one port to another inside the kernel (if iptables is not available, then usually ipchains is (see above).

You need to add something like the following to the startup scripts or your firewall rules:

/sbin/iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

The underlying model of iptables is different from ipchains, so the forwarding normally happens only to packets originating off-box. You also need to allow incoming packets to port 8080 if you use iptables as a local firewall.

Be careful to place rules like this one early in your input chain. Such rules must precede any rule that accepts the packet, otherwise the redirection won't occur. You can insert as many rules as required if your server needs to listen on multiple ports, as for HTTPS.

Configuring Jetty's SetUID feature

This extension of org.eclipse.jetty.server.Server will make a JNI call to set the unix UID. This can be used to start the server as root so that privileged ports may be accessed and then switch to a non-root user for security.

Obtaining the code

The SetUID feature is among the Jetty 7 modules that remain at Codehaus, and it retains the mortbay.org package naming. It uses the Jetty 7 package modules at Eclipse. Jetty-hightide at Codehaus comes with jetty-setuid compiled and configured.

Alternatively, you can download the necessary files from the maven central repository:

Copy the jetty-setuid.jar, and the jna jar to $jetty.home/lib/setuid. Also copy the .so file to $jetty.home/lib/setui, but make sure you rename it "libsetuid.so". Unjar the config jar into $jetty.home.

Creating a Jetty Config File

Create a Jetty config file as follows:

<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://jetty.mortbay.org/jetty/configure.dtd">
<Configure id="Server" class="org.mortbay.setuid.SetUIDServer">
  <Set name="umask">UMASK</Set>
  <Set name="uid">USERID</Set>
</Configure>

Where you replace:

  • UMASK with the umask setting you want the process to have. The umask will be set before the server is started.
    • You must enter it in decimal. That is, if you want the effect of umask 022, you must use <Set name="umask">18</Set>.
    • If you prefer hexadecimal, enter <Set name="umaskOctal">022</Set>.
    • You can remove this line if you don't want to change this at runtime.
    • Set it to 002 if you get an error to the effect that root does not have permission to write to the log file.
  • USERID with the ID of the user you want the process to execute as once the ports have been opened.
Idea.png
TIP
For your convenience, if you downloaded jetty-hightide, you'll find one of these ready made in the $jetty.home/etc/jetty-setuid.xml.


The default behaviour of the SetUIDServer is to only open the Connectors as the privileged user, and then switch down to the non privileged user to do the rest of the startup sequence, including starting up the webapps. If your webapp needs to open privileged ports itself, you can configure the SetUIDServer to do the entire startup sequence as the privileged user. Use the "startServerAsPrivileged" option to accomplish this (of course, this will mean that any files created will be owned by the root user, so be sure this is what you want), eg:

<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://jetty.mortbay.org/jetty/configure.dtd">
<Configure id="Server" class="org.mortbay.setuid.SetUIDServer">
  <Set name="umask">UMASK</Set>
  <Set name="uid">USERID</Set>
  <Set name="startServerAsPrivileged">true</Set>
</Configure>

Configuring jetty for setuid

The easiest way to do this is to edit the $jetty.home/start.ini file:

  • uncomment --exec
  • add -Djava.library.path=lib/setuid
  • add an option for setuid: OPTIONS=Server,jsp,jmx,resources,websocket,ext,jta,plus,jdbc,annotations,setuid
  • add etc/jetty-setuid.xml (or --pre=etc/jetty-setuid.xml for Jetty Hightide 7.6.5/8.1.5) as the first file in the configuration file section
Warning2.png
NOTE
You *must* ensure that the etc/jetty-setuid.xml (or --pre=etc/jetty-setuid.xml for Jetty Hightide 7.6.5/8.1.5) file is first in the list of config files.


Running Jetty as Root User

Having edited start.ini as advised above, to run jetty as the root user:

  1. Switch to the userid of your choice.
  2. Optionally set the umask of your choice.
  3. Enter the following command:
sudo java -jar start.jar
Note.png
NOTE
As the setuid feature relies on a native library, if the .so file available on the maven central repo at jetty-setuid-lib does not work in your environment, you may need to build it from source. Checkout the git://git.codehaus.org/jetty-project.git repository and modify the jetty-setuid/modules/native/pom.xml as necessary.


Using xinetd

With modern Linux flavours, inetd has a newer, better big brother xinetd, that you can use to redirect network traffic. Since xinetd is driven by text files, all you need is a text editor. For detailed information, see xinetd.

There are two ways to give xinetd instructions:

  1. Add a new service to etc/xinetd.conf
  2. Add a new file to the directory etc/xinetd.d

The format is the same; if you have a look at the file/directory, you will get the picture.

The following entry redirects all inward TCP traffic on port 80 to port 8888 on the local machine. You can also redirect to other machines for gimp proxying:

service my_redirector
{
 type = UNLISTED
 disable = no
 socket_type = stream
 protocol = tcp
 user = root
 wait = no
 port = 80
 redirect = 127.0.0.1 8888
 log_type = FILE /tmp/somefile.log
}

Caveats

  • Space on either side of the '=' or it is ignored.
  • type = UNLISTED means that the name of the service does not have to be in /etc/services, but you have to specify port and protocol. If you want to do use an existing service name, for example, http:
service http
{
 disable = no
 socket_type = stream
 user = root
 wait = no
 redirect = 127.0.0.1 8888
 log_type = FILE /tmp/somefile.log
}

Have a browse in /etc/services and it will all become clear.

  • Logging might present certain security problems, so you might want to leave that out.
  • RHEL5 doesn't contain xinetd by default for reasons best known to themselves. yum install xinetd fixes that.

Xinetd is a hugely powerful and configurable system so expect to do some reading.

Using the Solaris 10 User Rights Management Framework

Solaris 10 provides a User Rights Management framework that can permit users and processes superuser-like abilities:

usermod -K defaultpriv=basic,net_privaddr myself

Now the myself user can bind to port 80.

Refer to the Solaris documentation for more information.