Notice: This Wiki is now read only and edits are no longer possible. Please see: https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/wikis/Wiki-shutdown-plan for the plan.
Difference between revisions of "Jetty/Howto/Port80"
m |
m |
||
Line 1: | Line 1: | ||
{{Jetty Howto | {{Jetty Howto | ||
| introduction = | | introduction = | ||
− | On Unix-based systems, port 80 is protected; typically only the superuser root can open it. For security reasons, it is not desirable to run the server as root. This page presents several options to access port 80 as a non root user. These include; | + | On Unix-based systems, port 80 is protected; typically only the superuser root can open it. For security reasons, it is not desirable to run the server as root. This page presents several options to access port 80 as a non-root user. These include; |
[[#Using ipchains|Using ipchains]] | [[#Using ipchains|Using ipchains]] |
Revision as of 16:08, 18 May 2011
Contents
Introduction
On Unix-based systems, port 80 is protected; typically only the superuser root can open it. For security reasons, it is not desirable to run the server as root. This page presents several options to access port 80 as a non-root user. These include;
Configuring Jetty's SetUID Feature
Using the Solaris 10 User Rights Management Framework
Using ipchains
On some Linux systems you can use the ipchains REDIRECT mechanism to redirect from one port to another inside the kernel (if ipchains is not available, then usually iptables is (see below)):
/sbin/ipchains -I input --proto TCP --dport 80 -j REDIRECT 8080
This command instructs the system as follows: "Insert into the kernel's packet filtering the following as the first rule to check on incoming packets: If the protocol is TCP and the destination port is 80, redirect the packet to port 8080." Be aware that your kernel must be compiled with support for ipchains (virtually all stock kernels are). You must have the "ipchains" command-line utility installed (on RedHat the package is aptly named "ipchains"). You can run this command at any time, preferably just once since it inserts another copy of the rule every time you run it.
Once you set up this rule , a Linux 2.2 kernel redirects all data addressed to port 80 to a server such as Jetty running on port 8080.This includes all RedHat 6.x distros. Linux 2.4 kernels, for example, RedHat 7.1+, have a similar "iptables" facility.
Using iptables
On many Linux systems you can use the iptables REDIRECT mechanism to redirect from one port to another inside the kernel (if iptables is not available, then usually ipchains is (see above).
You need to add something like the following to the startup scripts or your firewall rules:
/sbin/iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
The underlying model of iptables is different from ipchains, so the forwarding normally happens only to packets originating off-box. You also need to allow incoming packets to port 8080 if you use iptables as a local firewall.
Be careful to place rules like this one early in your input chain. Such rules must precede any rule that accepts the packet, otherwise the redirection won't occur. You can insert as many rules as required if your server needs to listen on multiple ports, as for HTTPS.
Configuring Jetty's SetUID feature
Using the SetUID feature requires that you create a Jetty config file, and that you build the feature for your operating system.
Creating a Jetty Config File
Create a Jetty config file as follows:
<?xml version="1.0"?> <!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://jetty.mortbay.org/jetty/configure.dtd"> <Configure id="Server" class="org.mortbay.setuid.SetUIDServer"> <Set name="umask">UMASK</Set> <Set name="uid">USERID</Set> </Configure>
Where you replace:
- *UMASK* with the umask setting you want the process to have.
- You must enter it in decimal. That is, if you want the effect of umask 022, you must use <Set name="umask">18</Set>.
- If you prefer hexidecimal, enter <Set name="umaskOctal">022</Set>.
- You can remove this line if you don't want to change this at runtime.
- Set it to 002 if you get an error to the effect that root does not have permission to write to the log file.
- *USERID* with the ID of the user you want the process to execute as once the ports have been opened.
Building the SetUID Feature for Your Operating System
Next you need to build the SetUID feature for your operating system, as it requires native libraries. Go to the $jetty.home/extras/setuid directory and follow the instructions in the README.txt file, summarized here as:
> mvn install > gcc -I$JDK_HOME/include/ -I$JDK_HOME/include/linux/ \ -shared src/main/native/org_eclipse_jetty_setuid_SetUID.c \ --pre=etc/jetty-setuid.xml -o ../../lib/ext/libsetuid.so > cp target/jetty-setuid-6.1-SNAPSHOT.jar ../../lib/ext/ > cp etc/jetty-setuid.xml ../../etc
Where:
- *$JDK_HOME* is same as $JAVA_HOME.
- Replace *linux* with the name of your operating system.
Considering Alternatives
Alternatives to adding --pre=etc/jetty-setuid.xml to start.ini include:
- Add --pre=etc/jetty-setuid.xml to $JETTY_ARGS in /etc/default/jetty.
- Add --pre=etc/jetty-setuid.xml to etc/jetty.conf before --pre=etc/jetty-logging.xml.
Running Jetty as Root User
Then to run jetty as the root user:
- Switch to the userid of your choice.
- Optionally set the umask of your choice.
- Enter the following command:
sudo java -Djava.library.path=lib/ext -jar start.jar etc/jetty-setuid.xml etc/jetty.xml
Using xinetd
With modern Linux flavours, inetd has a newer, better big brother xinetd, that you can use to redirect network traffic. Since xinetd is driven by text files, all you need is a text editor. For detailed information, see xinetd.
There are two ways to give xinetd instructions:
- Add a new service to etc/xinetd.conf
- Add a new file to the directory etc/xinetd.d
The format is the same; if you have a look at the file/directory, you will get the picture.
The following entry redirects all inward TCP traffic on port 80 to port 8888 on the local machine. You can also redirect to other machines for gimp proxying:
service my_redirector { type = UNLISTED disable = no socket_type = stream protocol = tcp user = root wait = no port = 80 redirect = 127.0.0.1 8888 log_type = FILE /tmp/somefile.log }
Caveats
- Space on either side of the '=' or it is ignored.
- type = UNLISTED means that the name of the service does not have to be in /etc/services, but you have to specify port and protocol. If you want to do use an existing service name, for example, http:
service http { disable = no socket_type = stream user = root wait = no redirect = 127.0.0.1 8888 log_type = FILE /tmp/somefile.log }
Have a browse in /etc/services and it will all become clear.
- Logging might present certain security problems, so you might want to leave that out.
- RHEL5 doesn't contain xinetd by default for reasons best known to themselves. yum install xinetd fixes that.
Xinetd is a hugely powerful and configurable system so expect to do some reading.
Using the Solaris 10 User Rights Management Framework
Solaris 10 provides a User Rights Management framework that can permit users and processes superuser-like abilities:
usermod -K defaultpriv=basic,net_privaddr myself
Now the myself user can bind to port 80.
Refer to the Solaris documentation for more information.