tomcat-users mailing list archives

From "See Kai Leong, Ken" <>
Subject Re: Running Tomcat 3.2 process as user:nobody
Date Mon, 25 Sep 2000 10:08:18 GMT

Thanks to all for the replies, especially Simon.

As I am thinking of using JBoss to start Tomcat, and I think most of my pages
will be JSP/servlets, this info will definitely help me to justify using
standalone Tomcat.

Simon, I am not very sure how I can set up security with a Java security
policy. Can you help me by giving me some info/examples on this, or point me
to a place that mainly talks about using the policy to secure the web

Thanks a lot.

Ken, See Kai Leong

----- Original Message -----
From: "Kitching Simon" <>
To: <>
Sent: Monday, September 25, 2000 17:38
Subject: RE: Running Tomcat 3.2 process as user:nobody


Am I right in assuming that you are trying to run
tomcat on a Unix machine on port 80?

** no application on unix can open a port < 1024
** unless running as root, so please do not suggest
** just changing the port in the server.xml file...

Apache has a feature that allows it to effectively
run on port 80, but as a user other than root.
Tomcat has no such feature, and as far as I can
see is unlikely to ever have this feature. The issue
is really a java one : the concept of "changing
effective run-as user" is a unix-specific one, with
no platform-independent equivalent, so is not
really a java-ish thing to do.

There are several workarounds:

1. You can use apache as a front-end. As
noted by yourself, Apache can change
effective user, because it is written in
c, not java, and has platform-dependent
code in it.

In effect, tomcat starts up as a normal user on a normal
unprivileged port (i.e. >1024), and apache forwards requests
from port 80 to tomcat's port.

2. You can run tomcat on port 80 as root, but use a
security policy file when starting tomcat.
Java security policy files are pretty useful, and can
be used to restrict tomcat's privileges so tightly
that it may be acceptable to run as root.

3. You can use your firewall product to do
"port redirection". For example, the
"IPFILTER" program on Sun has a mapping
file that looks roughly like: -> 111.222.333.444:8080

i.e. any external request to connect to port 80 on the
server gets redirected to a *non-privileged*
port 8080. Tomcat can then be listening on that port
while running as a non-root user.
I'm sure that there are similar products for all
platforms - perhaps IPCHAINS is the equivalent
open-source product?

I use a combination of (2) and (3) together.

The real disadvantage to using apache (or another
web server) as a front-end is that setting up the
configuration is complicated. And of course if the
site is largely servlets/jsp then there is a performance
penalty, though if the site has static content (including
images, javascript files, etc) there may be a performance

Hope this helps,


> -----Original Message-----
> From: See Kai Leong, Ken []
> Sent: Monday, September 25, 2000 11:08 AM
> To:;;
> Subject: Re: Running Tomcat 3.2 process as user:nobody
> Hi,
> I am using the in the $TOMCAT_HOME/bin directory. I tried su -c
> ./ nobody but it failed with permission access rights errors.
> Apache does not have this access rights problem. Is there another way of
> doing it, or am I supposed to change all the directory owners to nobody?
> Is tomcat going to have a "user" directive like apache for this?
> Thanks.
> Regards,
> Ken, See Kai Leong
> ----- Original Message -----
> From: "Holger Klawitter" <>
> To: <>
> Sent: Monday, September 25, 2000 15:10
> Subject: Re: Running Tomcat 3.2 process as user:nobody
> > "See Kai Leong, Ken" wrote:
> > >
> > > Hi,
> > >
> > > Anyone has any idea how can I use nobody to run the tomcat process
> instead
> > > of root?
> >
> > (Assuming you are starting tomcat with
> > /usr/local/tomcat/bin/
> > you may use
> > su -c /usr/local/tomcat/bin/ nobody
> >
> > Regards,
> > With kind regards,
> > Holger Klawitter
> > --
> > Holger Klawitter                                    +49 (0)251 484 0637
> >                  
> >
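
The policy-file approach from Simon's option (2), worked through as an added example. This is not code from the thread and not Tomcat's own code; it assumes a policy file named tomcat.policy, a demo.dir system property set to the directory the demo class is run from, and the lib/, webapps/ and work/ layout of a Tomcat 3.2 install under tomcat.home. The grant syntax and the -Djava.security.manager / -Djava.security.policy flags are the standard JDK ones. The program asks the installed Security Manager, for a handful of operations, whether the policy permits them, which makes the point that under a policy it is the grant for the code's location, not the Unix uid, that decides. One caveat for anyone reading this later: the Security Manager was deprecated for removal in JDK 17 and is permanently disabled from JDK 24, so this runs on JDK 8 to 23 only; on newer JVMs the front-end (1) and port-redirection (3) options remain and the policy option does not.

```java
// TomcatPolicyDemo.java -- added example; not from the thread or from Tomcat.
// Under a Java security policy it is the policy, not the Unix uid, that decides
// what the code may do, which is what makes option (2) tolerable as root.
//
// Assumed policy file, tomcat.policy (hypothetical; paths follow Tomcat 3.2's
// layout under ${tomcat.home}; the last grant is for this demo class only):
//
//   // Tomcat's own classes are trusted.
//   grant codeBase "file:${tomcat.home}/lib/-" {
//       permission java.security.AllPermission;
//   };
//   // Web applications: read their own tree, scratch space in work/, nothing
//   // else. Never grant RuntimePermission "setSecurityManager" here, or a
//   // webapp can simply remove the manager.
//   grant codeBase "file:${tomcat.home}/webapps/-" {
//       permission java.io.FilePermission "${tomcat.home}${/}webapps${/}-", "read";
//       permission java.io.FilePermission "${tomcat.home}${/}work${/}-", "read,write,delete";
//   };
//   // This demo class: read one directory, listen on port 80, read one property.
//   grant codeBase "file:${demo.dir}/-" {
//       permission java.io.FilePermission "${demo.dir}${/}allowed${/}-", "read";
//       permission java.net.SocketPermission "localhost:80", "listen";
//       permission java.util.PropertyPermission "demo.dir", "read";
//   };
//
// Build and run (JDK 8 to 23; the Security Manager is disabled for good in JDK 24):
//   javac TomcatPolicyDemo.java
//   java -Djava.security.manager -Djava.security.policy=tomcat.policy \
//        -Dtomcat.home=/usr/local/tomcat -Ddemo.dir="$PWD" TomcatPolicyDemo
// A single "=" adds tomcat.policy to the JDK's default policy; "==" would replace it.

import java.io.File;
import java.io.FilePermission;
import java.net.SocketPermission;
import java.security.Permission;
import java.util.LinkedHashMap;
import java.util.Map;

public class TomcatPolicyDemo {

    /** Ask the installed manager whether this code's protection domain holds p. */
    static String check(Permission p) {
        SecurityManager sm = System.getSecurityManager();
        if (sm == null) {
            // No policy in force: the process can do whatever its uid can do.
            return "NO MANAGER: whatever the uid may do is allowed";
        }
        try {
            sm.checkPermission(p);
            return "ALLOWED";
        } catch (SecurityException e) {
            return "DENIED";
        }
    }

    public static void main(String[] args) {
        // Reading demo.dir is itself a checked operation; the policy grants it.
        String dir = System.getProperty("demo.dir", ".");
        String s = File.separator;
        String hello = dir + s + "allowed" + s + "hello.txt";

        // Operations a servlet container, or a servlet running inside it, might try.
        Map<String, Permission> probes = new LinkedHashMap<>();
        probes.put("read  " + hello, new FilePermission(hello, "read"));
        probes.put("write " + hello, new FilePermission(hello, "write"));
        probes.put("read  /etc/shadow", new FilePermission("/etc/shadow", "read"));
        probes.put("listen on localhost:80", new SocketPermission("localhost:80", "listen"));
        probes.put("listen on localhost:8080", new SocketPermission("localhost:8080", "listen"));
        probes.put("remove the security manager", new RuntimePermission("setSecurityManager"));

        // Each line shows what the policy, not the uid, says about the operation.
        for (Map.Entry<String, Permission> e : probes.entrySet()) {
            System.out.printf("%-40s %s%n", e.getKey(), check(e.getValue()));
        }
    }
}
```

Run it once without the -Djava.security.manager flags and once with them to see the difference the policy makes. The probe for RuntimePermission "setSecurityManager" is the one to watch in a real policy: any codeBase that holds it (or AllPermission) can uninstall the manager, so the root-with-policy option is only as strong as the widest grant given to the web applications.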
