Score:1

Tomcat 9 on port 443 working with only root which can be harmful

bw flag

After reading many serverfault.com articles I have successfully configured my Tomcat 9 on port 443.

But the problem is that 443 is a privileged port, so I added the root user in the tomcat.service below. How can I avoid this, as I want to give permission to the tomcat user for just this one service? I hope you understand my issue and will advise the best answer.

vim /etc/systemd/system/tomcat.service

```ini
[Unit]
Description=Tomcat 9 servlet container
After=network.target

[Service]
Type=forking

############## I added root user here ##########################
User=root
Group=root

Environment="JAVA_HOME=/usr/lib/jvm/jre"
Environment="JAVA_OPTS=-Djava.security.egd=file:///dev/urandom"

Environment="CATALINA_BASE=/opt/tomcat/latest"
Environment="CATALINA_HOME=/opt/tomcat/latest"
Environment="CATALINA_PID=/opt/tomcat/latest/temp/tomcat.pid"
Environment="CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC"

ExecStart=/opt/tomcat/latest/bin/startup.sh
ExecStop=/opt/tomcat/latest/bin/shutdown.sh

[Install]
WantedBy=multi-user.target
```
vidarlo avatar
ar flag
You may want to have a look at e.g. https://unix.stackexchange.com/questions/187726/how-do-daemons-like-apache-or-bind-open-ports-below-1024
bw flag
It's very limited and has an incomplete answer. I already read that article; that's why I'm writing another one for complete guidance and a solution.
bw flag
Can anyone reply on this? Waiting.
jm flag
Why does using root capabilities not apply to your situation?
jm flag
There is also [tomcat 9 configuration for port 443](https://serverfault.com/questions/969191/tomcat-9-configuration-for-port-443?rq=1)
bw flag
Not working at all. I have tried all the above methods for 5 days but no luck at all.
bw flag
The Tomcat 9 service is working fine with user tomcat and group tomcat, but the problem is that with the tomcat user port 443 is not opening, whereas when I added root the port opens.
bw flag
https://superuser.com/questions/710253/allow-non-root-process-to-bind-to-port-80-and-443 is the URL I need, but it is still an incomplete answer. Can someone please guide me in detail on how I can use net_cap for Tomcat on 443?
Score:1
cz flag

You can run Tomcat (or anything) as non-root and still bind to system ports if you have granted the CAP_NET_BIND_SERVICE capability set. You can do this in your systemd unit by adding AmbientCapabilities= in the [Service] section:

AmbientCapabilities=CAP_NET_BIND_SERVICE

Obviously you will also need to remove User= and Group=.

You should also consider using NoNewPrivileges=true to restrict the app from elevating its privileges.

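As an added example (not code from the question or the answer), a small POSIX shell audit that classifies a unit file the way the answer describes: root, non-root without the bind capability, or non-root with CAP_NET_BIND_SERVICE and NoNewPrivileges. It runs against two constructed units written to a scratch directory, a "before" matching the question and an "after" with the fix applied; the `audit_unit` function, the scratch directory and the sample units are all constructed here and need no systemd to run.

```shell
#!/bin/sh
# audit_unit FILE: reads a systemd unit's [Service] keys and classifies how it would
# bind a privileged port such as 443. Prints exactly one word:
#   root  - runs as root (User= absent or User=root): the situation in the question
#   nocap - non-root user without CAP_NET_BIND_SERVICE, so bind(443) fails with EACCES
#   nonnp - capability granted but NoNewPrivileges not enabled
#   ok    - non-root, bind capability granted, NoNewPrivileges enabled
audit_unit() {
  user=$(sed -n 's/^User=//p' "$1" | tail -n 1)
  caps=$(sed -n 's/^AmbientCapabilities=//p' "$1" | tail -n 1)
  nnp=$(sed -n 's/^NoNewPrivileges=//p' "$1" | tail -n 1)
  if [ -z "$user" ] || [ "$user" = "root" ]; then
    echo root
  elif ! printf '%s\n' "$caps" | grep -qw CAP_NET_BIND_SERVICE; then
    echo nocap
  elif [ "$nnp" != "true" ] && [ "$nnp" != "yes" ] && [ "$nnp" != "1" ]; then
    echo nonnp
  else
    echo ok
  fi
}

# Constructed sample units written to a scratch directory so the script runs offline.
DEMO="${TMPDIR:-/tmp}/tomcat-unit-audit.$$"
mkdir -p "$DEMO"

# Before: the [Service] section as posted in the question (root added to open 443).
cat > "$DEMO/before.service" <<'EOF'
[Service]
Type=forking
User=root
Group=root
ExecStart=/opt/tomcat/latest/bin/startup.sh
EOF

# After: the fix from the answer. The service drops to the tomcat user and keeps only
# the one capability needed to bind a port below 1024; NoNewPrivileges stops any
# setuid/setcap binary it execs from regaining privilege.
cat > "$DEMO/after.service" <<'EOF'
[Service]
Type=forking
User=tomcat
Group=tomcat
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
ExecStart=/opt/tomcat/latest/bin/startup.sh
EOF

audit_unit "$DEMO/before.service"   # root
audit_unit "$DEMO/after.service"    # ok
```

On the real host, after `systemctl daemon-reload` and a restart, confirm the Java process holds only the bind capability with `grep CapAmb /proc/$(cat /opt/tomcat/latest/temp/tomcat.pid)/status` (CAP_NET_BIND_SERVICE alone shows as 0000000000000400) and that 443 is listening with `ss -ltnp`.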
bw flag
Appreciated! Dear Michael Hampton, after following your instructions my issue has been resolved. I would like to say thanks for understanding my issue and for your dedication to said problem. Thank you very much.
Michael Hampton avatar
cz flag
@Noor Thank you! You can mark it as solved by clicking the outline of the tick mark so that it turns solid green.