Running any user program on low port numbers on *nix systems is generally tricky, as low port numbers are protected and only accessible as the root user.

In the past, Jetty’s suggested solution has been to use iptables or ipchains to configure the operating system to forward traffic for port 80 (for example) to port 8080 (for example). Here’s the FAQ entry on how to do that:
http://docs.codehaus.org/display/JETTY/port80

Recently, we decided to make this easier by adding a new feature that lets you invoke Jetty as the superuser; once the ports have been opened, the userid changes to a non-privileged user, preserving the runtime safety of your system.
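The bind-then-drop sequence described above, sketched in C as an added example (this is not Jetty's setuid code). The function names, the uid/gid 65534 (assumed to be an unprivileged "nobody" account) and the umask 027 are assumptions for illustration.

```c
/* Added example: bind a low port as root, then drop privileges for good. */
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open the listener while still privileged; returns the fd or -1. */
int bind_listener(unsigned short port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in a;
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_ANY);
    a.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&a, sizeof a) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Set the umask, then drop to uid/gid. Returns 0 on success, -1 on failure;
 * on -1 the caller should exit rather than keep serving with privileges. */
int drop_privileges(uid_t uid, gid_t gid, mode_t mask) {
    if (uid == 0 || gid == 0) { errno = EINVAL; return -1; } /* not a drop */
    umask(mask);
    /* root's supplementary groups survive setuid() unless cleared first */
    if (geteuid() == 0 && setgroups(0, NULL) < 0) return -1;
    /* gid before uid: after setuid() we may no longer change the gid */
    if (setgid(gid) < 0 || setuid(uid) < 0) return -1;
    /* verify the drop took effect and root cannot be regained */
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid || getgid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void) {
    int fd = bind_listener(80);          /* needs root */
    if (fd < 0 || drop_privileges(65534, 65534, 027) < 0) return 1;
    /* ... accept() loop would run here as the unprivileged user ... */
    close(fd);
    return 0;
}
```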

This little gem is currently in svn trunk and is slated for release in 6.1.0. Look in $jetty.home/extras/setuid for the code and the README on how to build it. As the build requires native libs, there are some system-dependent configurations you have to provide, so there are a couple of steps you have to do manually for the build.
The README.txt file has full instructions, but I’ll reproduce it here to give you the general idea to start you off:

Build


5 Comments

Bob McWhirter · 02/10/2006 at 13:16

Any chance you’ll backport this to Jetty-5?

Jan Bartel · 02/10/2006 at 14:49

Bob,
No immediate plans to do that. Sure you don’t want to upgrade to jetty 6? 🙂

Jan Bartel · 13/10/2006 at 16:29

We’ve now added another new feature, which is to also be able to set the umask of the executing process. The instructions are the same as before, except with the ability to call org.mortbay.setuid.SetUIDServer.setUmask(int i);

Building extras/setuid will give you an example jetty-setuid.xml file that you can use to change to whichever umask (and user id) setting you want.

Matt Sheppard · 03/09/2007 at 04:35

I’ve got this building fine on linux, but not on solaris with or without -shared…

$ gcc -I/big/build_home/jdk1.6.0_02/include/
-I/big/build_home/jdk1.66.0_02/include/solaris/
src/main/native/org_mortbay_setuid_SetUID.c
-o libsetuid.so
Undefined                       first referenced
symbol                             in file
main                                /usr/local/lib/gcc-lib/sparc-sun-solaris2.9/3.3.2/crt1.o
ld: fatal: Symbol referencing errors. No output written to libsetuid.so
collect2: ld returned 1 exit status
$ gcc -I/big/build_home/jdk1.6.0_02/include/
-I/big/build_home/jdk1.66.0_02/include/solaris/
-shared src/main/native/org_mortbay_setuid_SetUID.c
-o libsetuid.so
Text relocation remains                         referenced
against symbol                  offset      in file
umask                               0x40        /var/tmp//cc5pafej.o
setuid                              0x14        /var/tmp//cc5pafej.o
ld: fatal: relocations remain against allocatable but non-writable sections
collect2: ld returned 1 exit status
Any hints?

George Bills · 09/07/2008 at 00:19

Just in case anyone else is having this same problem, the fix is to add "-c" to the compilation command, to tell GCC not to try linking.

See:
http://docs.codehaus.org/display/JETTY/port80
