tomcat-users mailing list archives

From "Shapira, Yoav" <>
Subject RE: Separate List (FKA: Re: Running Tomcat3 on port 80)
Date Mon, 16 Jun 2003 14:46:42 GMT


>So it's possible?  I'd love to be part of the effort if it is....for
>reason, I didn't think it was.

Nothing is impossible technically ;)  It's just varying degrees of
cleanliness.  Tomcat just runs inside a JVM, not much to do there in so
far as root privileges.

But there are many other options in the unix world.  

For example, on my dev machine (Solaris 8), I don't know the root
password, so I can't log in as root.  But I have sudo permission to
everything.  So I do 

And voila, I'm running Tomcat 4.1.24 standalone on port 80.  No special
configuration (just changed server.xml from 8080 to 80), no java
permissions/policies to worry about or modify, etc.

So sudo on Solaris works for me.  I'm not as familiar with Linux as I
should be, but I know sudo is available for it.  An article with sudo
rationale, examples, and download links for Linux can be found here:,2000048640,20263478,
(among many other places).

This would require the consent of your system administrator, of course,
who would have to give you sudo $CATALINA_HOME/bin/  But I
see this is a valid safety requirement, not a hindrance.

When I do this, my server on Solaris runs as the root user, which is not
good from a security perspective.  Oddly enough, the logs are written as
the nobody user which is much better.  

So maybe we could have another startup script, call it, which starts the server as root, to let the port
binding succeed, and then changes its own uid to something less than
root, e.g. the nobody user.

All of this comes with the caveat that, IMHO, the <1023 port restriction
for normal users is a good thing.  If you're going around it, you will
lose some security and it's your own problem to worry about.

Yoav Shapira
