
After so much reading of serverfault.com articles I have successfully configured my Tomcat 9 on port 443.

But the problem is that 443 is a privileged port, so I added the root user in the tomcat.service below. How can I avoid this, as I want to give the permission to the tomcat user for just this one service? I hope you understand my issue and will advise the best answer.

vim /etc/systemd/system/tomcat.service

[Unit]
Description=Tomcat 9 servlet container
After=network.target

[Service]
Type=forking

############## I added root user here ##########################
User=root
Group=root

Environment="JAVA_HOME=/usr/lib/jvm/jre"
Environment="JAVA_OPTS=-Djava.security.egd=file:///dev/urandom"

Environment="CATALINA_BASE=/opt/tomcat/latest"
Environment="CATALINA_HOME=/opt/tomcat/latest"
Environment="CATALINA_PID=/opt/tomcat/latest/temp/tomcat.pid"
Environment="CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC"

ExecStart=/opt/tomcat/latest/bin/startup.sh
ExecStop=/opt/tomcat/latest/bin/shutdown.sh

[Install]
WantedBy=multi-user.target
Romeo Ninov
Noor
  • You may want to have a look at e.g. https://unix.stackexchange.com/questions/187726/how-do-daemons-like-apache-or-bind-open-ports-below-1024 – vidarlo Aug 09 '21 at 10:20
  • 1
    Its very limited and has incomplete answer as i already read the article thats why writing another for complete guidance and solution. – Noor Aug 09 '21 at 10:42
  • anyone can reply on this waiting – Noor Aug 09 '21 at 12:54
  • Why does using root capabilities not apply to your situation? – doneal24 Aug 09 '21 at 14:34
  • There is also [tomcat 9 configuration for port 443](https://serverfault.com/questions/969191/tomcat-9-configuration-for-port-443?rq=1) – doneal24 Aug 09 '21 at 16:27
  • Not working at all. I have tried all the above methods for 5 days but no luck at all. – Noor Aug 09 '21 at 17:05
  • The Tomcat 9 service is working fine with user tomcat and group tomcat, but the problem is that with tomcat the 443 port is not opening; when I add root, the port is opening. – Noor Aug 10 '21 at 04:10
  • https://superuser.com/questions/710253/allow-non-root-process-to-bind-to-port-80-and-443 is the URL for what I need, but this is still an incomplete answer. Can someone please guide me in detail on how I can use net_cap for Tomcat on 443? – Noor Aug 10 '21 at 04:25

1 Answer

You can run Tomcat (or anything) as non-root and still bind to system ports if you have granted the CAP_NET_BIND_SERVICE capability set. You can do this in your systemd unit by adding AmbientCapabilities= in the [Service] section:

AmbientCapabilities=CAP_NET_BIND_SERVICE

Obviously you will also need to remove User= and Group=.

You should also consider using NoNewPrivileges=true to restrict the app from elevating its privileges.

Michael Hampton
  • Appreciated! Dear Michael Hampton, after following your instructions my issue has been resolved. I would like to say thanks for understanding my issue and your dedication to the said problem. Thank you very much. – Noor Aug 11 '21 at 05:49
  • @Noor Thank you! You can mark it as solved by clicking the outline of the tick mark so that it turns solid green. – Michael Hampton Aug 11 '21 at 13:07
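The unit the answer describes, written out in full as an added example (this is not the asker's final unit or anything from the Tomcat project). It keeps the asker's paths and reverts to the tomcat user and group mentioned in the comments; the added CapabilityBoundingSet= line goes one step beyond the answer by also limiting the capabilities the process could ever hold.

```ini
# /etc/systemd/system/tomcat.service (added example; paths are the asker's)
[Unit]
Description=Tomcat 9 servlet container
After=network.target

[Service]
Type=forking
# Run unprivileged: no User=root / Group=root. "tomcat" is the account the
# asker already uses for the service.
User=tomcat
Group=tomcat

# Grant exactly one capability: the right to bind ports below 1024.
# Ambient capabilities are inherited across the execs startup.sh -> catalina.sh
# -> java, so the JVM itself can bind 443 while running as "tomcat".
AmbientCapabilities=CAP_NET_BIND_SERVICE
# Cap the set the process (and any child) can ever acquire to the same one
# capability. This line is an addition beyond the answer above.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
# Refuse privilege escalation via setuid/setgid or file-capability binaries.
NoNewPrivileges=true

Environment="JAVA_HOME=/usr/lib/jvm/jre"
Environment="JAVA_OPTS=-Djava.security.egd=file:///dev/urandom"
Environment="CATALINA_BASE=/opt/tomcat/latest"
Environment="CATALINA_HOME=/opt/tomcat/latest"
Environment="CATALINA_PID=/opt/tomcat/latest/temp/tomcat.pid"
Environment="CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC"

ExecStart=/opt/tomcat/latest/bin/startup.sh
ExecStop=/opt/tomcat/latest/bin/shutdown.sh

[Install]
WantedBy=multi-user.target
```

After `systemctl daemon-reload` and `systemctl restart tomcat`, two checks confirm the intended state: `systemctl show tomcat -p AmbientCapabilities` should print `AmbientCapabilities=cap_net_bind_service`, and `grep CapAmb /proc/$(cat /opt/tomcat/latest/temp/tomcat.pid)/status` should show `0000000000000400` (bit 10, which `capsh --decode=0000000000000400` expands to `cap_net_bind_service`). If the process instead shows all-zero ambient capabilities, the unit is still being started from an older cached copy or the capability was placed in the wrong section.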