documentation/9.3.0.v20150612/setting-port80-access.html - gerrit/www.eclipse.org/jetty - Git at Google

 <html><head>
       <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
    <title>Setting Port 80 Access for a Non-Root User</title><link rel="stylesheet" type="text/css" href="css/docbook.css"><meta name="generator" content="DocBook XSL-NS Stylesheets V1.76.1"><meta name="keywords" content="jetty, servlet, servlet-api, cometd, http, websocket, eclipse, maven, java, server, software"><link rel="home" href="index.html" title="Jetty : The Definitive Reference"><link rel="up" href="configuring-connectors.html" title="Chapter&nbsp;6.&nbsp;Configuring Jetty Connectors"><link rel="prev" href="configuring-ssl.html" title="Configuring SSL/TLS"><link rel="next" href="configuring-security.html" title="Chapter&nbsp;7.&nbsp;Configuring Security"><link xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" rel="shortcut icon" href="images/favicon.ico"><script type="text/javascript" src="js/shCore.js"></script><script type="text/javascript" src="js/shBrushJava.js"></script><script type="text/javascript" src="js/shBrushXml.js"></script><script type="text/javascript" src="js/shBrushBash.js"></script><script type="text/javascript" src="js/shBrushJScript.js"></script><script type="text/javascript" src="js/shBrushSql.js"></script><script type="text/javascript" src="js/shBrushProperties.js"></script><script type="text/javascript" src="js/shBrushPlain.js"></script><link type="text/css" rel="stylesheet" href="css/shCore.css"><link type="text/css" rel="stylesheet" href="css/shThemeEclipse.css"><link type="text/css" rel="stylesheet" href="css/font-awesome.min.css"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><table xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times"><tr><td style="width: 25%"><a href="http://www.eclipse.org/jetty"><img src="images/jetty-header-logo.png" alt="Jetty Logo"></a><br><span style="font-size: small">
             Version: 9.3.0.v20150612</span></td><td style="width: 50%"><script type="text/javascript">  (function() {
             var cx = '016459005284625897022:obd4lsai2ds';
             var gcse = document.createElement('script');
             gcse.type = 'text/javascript';
             gcse.async = true;
             gcse.src = (document.location.protocol == 'https:' ? 'https:' : 'http:') +
             '//www.google.com/cse/cse.js?cx=' + cx;
             var s = document.getElementsByTagName('script')[0];
             s.parentNode.insertBefore(gcse, s);
             })();
           </script><gcse:search></gcse:search></td></tr></table><div xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Setting Port 80 Access for a Non-Root User</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="configuring-ssl.html"><i class="icon-chevron-left"></i> Previous</a>&nbsp;</td><th width="60%" align="center">Chapter&nbsp;6.&nbsp;Configuring Jetty Connectors<br><a accesskey="p" href="index.html"><i class="icon-home"></i> Home</a></th><td width="20%" align="right">&nbsp;<a accesskey="n" href="configuring-security.html">Next <i class="icon-chevron-right"></i></a></td></tr></table><hr></div><div xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" class="jetty-callout"><h5 class="callout"><a href="http://www.webtide.com/">Contact the core Jetty developers at
           <span class="website">www.webtide.com</span></a></h5><p>
  private support for your internal/customer projects ... custom extensions and distributions ... versioned snapshots for indefinite support ...
  scalability guidance for your apps and Ajax/Comet projects ... development services from 1 day to full product delivery
       </p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="setting-port80-access"></a>Setting Port 80 Access for a Non-Root User</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="setting-port80-access.html#using-ipchains">Using ipchains</a></span></dt><dt><span class="section"><a href="setting-port80-access.html#using-iptables">Using iptables</a></span></dt><dt><span class="section"><a href="setting-port80-access.html#configuring-jetty-setuid-feature">Configuring Jetty's SetUID Feature</a></span></dt><dt><span class="section"><a href="setting-port80-access.html#using-solaris10-user-rights-management-framework">Using the Solaris 10 User Rights Management Framework</a></span></dt></dl></div><p>On Unix-based systems, port 80 is protected; typically only the
   superuser root can open it. For security reasons, it is not desirable to run
   the server as root. This page presents several options to access port 80 as
   a non-root user, including using ipchains, iptables, Jetty's SetUID feature,
   xinetd, and the Solaris 10 User Rights Management Framework.</p><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="using-ipchains"></a>Using ipchains</h3></div></div></div><p>On some Linux systems you can use the <span class="emphasis"><em>ipchains
     REDIRECT</em></span> mechanism to redirect from one port to another inside
     the kernel (if ipchains is not available, then usually iptables
     is):</p><div class="screenexample"><pre class="screen"># /sbin/ipchains -I input --proto TCP --dport 80 -j REDIRECT 8080</pre></div><p>This command instructs the system as follows: "Insert into the
     kernel's packet filtering the following as the first rule to check on
     incoming packets: if the protocol is TCP and the destination port is 80,
     redirect the packet to port 8080". Be aware that your kernel must be
     compiled with support for ipchains (virtually all stock kernels are). You
     must also have the ipchains command-line utility installed. You can run
     this command at any time, preferably just once, since it inserts another
     copy of the rule every time you run it.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="using-iptables"></a>Using iptables</h3></div></div></div><p>On many Linux systems you can use the iptables REDIRECT mechanism to
     redirect from one port to another inside the kernel (if iptables is not
     available, then usually ipchains is).</p><p>You need to add something like the following to the startup scripts
     or your firewall rules:</p><div class="screenexample"><pre class="screen"># /sbin/iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080</pre></div><p>The underlying model of iptables is different from ipchains, so the
     forwarding normally happens only to packets originating off-box. You also
     need to allow incoming packets to port 8080 if you use iptables as a local
     firewall.</p><p>Be careful to place rules like this one early in your
     <span class="emphasis"><em>input</em></span> chain. Such rules must precede any rule that
     accepts the packet, otherwise the redirection won't occur. You can insert
     as many rules as required if your server needs to listen on multiple
     ports, as for HTTPS.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="configuring-jetty-setuid-feature"></a>Configuring Jetty's SetUID Feature</h3></div></div></div><p><a class="link" href="http://en.wikipedia.org/wiki/Setuid" target="_top">SetUID</a> is
     a technique that uses Unix-like file system access right to allow users to
     run an executable that would otherwise require higher privileges.</p><p>Jetty's SetUID module allows you to run Jetty as a normal user even
     when you need to run Jetty on port 80 or 443.</p><p>To use it with the jetty distribution:</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>Ensure that you have the http.mod (and <a class="link" href="quickstart-running-jetty.html#quickstart-starting-https" title="Adding SSL for HTTPS &amp; HTTP2">https.mod</a> if you are using
         SSL) <a class="link" href="startup-modules.html" title="Managing Startup Modules">modules enabled</a> for the
         <a class="link" href="quickstart-running-jetty.html#creating-jetty-base" title="Creating a new Jetty Base">base</a> you are using. The
         http.mod is enabled by default in the distribution, while the <a class="link" href="quickstart-running-jetty.html#quickstart-starting-https" title="Adding SSL for HTTPS &amp; HTTP2">https.mod</a> is only enabled
         in the <a class="link" href="quickstart-running-jetty.html#demo-webapps-base" title="Demo Base">demo-base</a>
         directory.</p></li><li class="listitem"><p>Ensure that you have <a class="link" href="quickstart-running-jetty.html#quickstart-changing-jetty-port" title="Changing the Jetty Port">changed the http port</a>
         to 80 (and <a class="link" href="quickstart-running-jetty.html#quickstart-changing-https-port" title="Changing the Jetty HTTPS Port">changed the
         https port</a> to 443 if you are using SSL).</p></li><li class="listitem"><p>Enable the setuid.mod module:</p><div class="screenexample"><pre class="screen"># java -jar start.jar --add-to-start=setuid</pre></div><div xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title"><i class="icon-asterisk"></i> Note</h3><p>The --add-to-start command will enable the setuid module for
             this and all subsequent executions of jetty. There are other ways
             to enable the module, such as just for this execution. For more
             information on the alternatives see the section on <a class="link" href="startup-modules.html" title="Managing Startup Modules">Managing Startup Modules</a>.</p></div></li><li class="listitem"><p>Edit the configuration for the setuid module to substitute the
         userid and groupid of the user to switch to after starting. If you
         used the <code class="code">--add-to-start</code> command, this configuration is in
         the <code class="code">start.ini</code> file. If you used the
         <code class="code">--add-to-startd</code> command instead, this configuration is in
         the <code class="code">start.d/setuid.ini </code>file instead. Here are the lines
         to configure:</p><div class="informalexample"><script type="syntaxhighlighter" class="brush: plain;toolbar: false">
           <![CDATA[jetty.startServerAsPrivileged=false
 jetty.username=foo
 jetty.groupname=bar
 jetty.umask=002
 ]]>
         </script></div><div xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title"><i class="icon-asterisk"></i> Note</h3><p>As well as opening the connectors as root, you can also have
             jetty start the Server as root before changing to the non-root
             user.</p></div></li><li class="listitem"><p>You now need a native code library to do the user switching.
         This code is hosted as part of the Jetty ToolChain project and it is
         released independently from Jetty itself. You can find the source code
         <a class="link" href="https://git.eclipse.org/c/jetty/org.eclipse.jetty.toolchain.git" target="_top">here</a>
         in the <a class="link" href="https://git.eclipse.org/c/jetty/org.eclipse.jetty.toolchain.git/tree/jetty-setuid" target="_top">jetty-setuid</a>
         project. Build it locally, which will produce a native library
         appropriate for the operating system:</p><div class="screenexample"><pre class="screen"># mvn clean install</pre></div><p>If you built on a linux
         machine you will find the native library in
         <code class="code">jetty-setuid/libsetuid-linux/target/libsetuid-linux.so</code>.
         If you built on a different operating system you will find the library
         in a different subdirectory, with the name containing the name of the
         operating system. You might like to copy this file into your jetty
         distribution's lib directory.</p></li><li class="listitem"><p>Start jetty as the root user in your base directory, providing
         the location of the native library to java. Here's an example of how
         to do it on the command line, assuming were are in the <a class="link" href="quickstart-running-jetty.html#demo-webapps-base" title="Demo Base">demo-base</a> directory:</p><div class="screenexample"><pre class="screen"># sudo java -Djava.library.path=libsetuid-linux -jar $JETTY_HOME/start.jar</pre></div></li></ol></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="using-solaris10-user-rights-management-framework"></a>Using the Solaris 10 User Rights Management Framework</h3></div></div></div><p>Solaris 10 provides a User Rights Management framework that can
     permit users and processes superuser-like abilities:</p><div class="screenexample"><pre class="screen">usermod -K defaultpriv=basic,net_privaddr myself</pre></div><p>Now the <code class="code">myself</code> user can bind to port 80.</p><p>Refer to the <a class="link" href="http://docs.oracle.com/cd/E23823_01/html/816-4557/prbactm-1.html#scrolltoc" target="_top">
     Solaris 10</a> and <a class="link" href="http://docs.oracle.com/cd/E23824_01/html/821-1456/prbactm-1.html#scrolltoc" target="_top">
     Solaris 11 Security Services documentation</a> for more
     information.</p></div></div><script type="text/javascript">
       SyntaxHighlighter.all()
     </script><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="configuring-ssl.html"><i class="icon-chevron-left"></i> Previous</a>&nbsp;</td><td width="20%" align="center"><a accesskey="u" href="configuring-connectors.html"><i class="icon-chevron-up"></i> Top</a></td><td width="40%" align="right">&nbsp;<a accesskey="n" href="configuring-security.html">Next <i class="icon-chevron-right"></i></a></td></tr><tr><td width="40%" align="left" valign="top">Configuring SSL/TLS&nbsp;</td><td width="20%" align="center"><a accesskey="h" href="index.html"><i class="icon-home"></i> Home</a></td><td width="40%" align="right" valign="top">&nbsp;Chapter&nbsp;7.&nbsp;Configuring Security</td></tr></table></div><p xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times"><div class="jetty-callout">
             See an error or something missing?
             <span class="callout"><a href="http://github.com/jetty-project/jetty-documentation">Contribute to this documentation at
                 <span class="website"><i class="icon-github"></i> Github!</span></a></span><span style="float: right"><i>(Generated: 2015-06-15T13:18:16-05:00)</i></span></div></p><script xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" type="text/javascript">
   var _gaq = _gaq || [];
   _gaq.push(['_setAccount', 'UA-1149868-7']);
   _gaq.push(['_trackPageview']);

   (function() {
     var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
     ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
     var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
   })();
     </script></body></html>
	<html><head>
	<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
	<title>Setting Port 80 Access for a Non-Root User</title><link rel="stylesheet" type="text/css" href="css/docbook.css"><meta name="generator" content="DocBook XSL-NS Stylesheets V1.76.1"><meta name="keywords" content="jetty, servlet, servlet-api, cometd, http, websocket, eclipse, maven, java, server, software"><link rel="home" href="index.html" title="Jetty : The Definitive Reference"><link rel="up" href="configuring-connectors.html" title="Chapter 6. Configuring Jetty Connectors"><link rel="prev" href="configuring-ssl.html" title="Configuring SSL/TLS"><link rel="next" href="configuring-security.html" title="Chapter 7. Configuring Security"><link xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" rel="shortcut icon" href="images/favicon.ico"><script type="text/javascript" src="js/shCore.js"></script><script type="text/javascript" src="js/shBrushJava.js"></script><script type="text/javascript" src="js/shBrushXml.js"></script><script type="text/javascript" src="js/shBrushBash.js"></script><script type="text/javascript" src="js/shBrushJScript.js"></script><script type="text/javascript" src="js/shBrushSql.js"></script><script type="text/javascript" src="js/shBrushProperties.js"></script><script type="text/javascript" src="js/shBrushPlain.js"></script><link type="text/css" rel="stylesheet" href="css/shCore.css"><link type="text/css" rel="stylesheet" href="css/shThemeEclipse.css"><link type="text/css" rel="stylesheet" href="css/font-awesome.min.css"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><table xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times"><tr><td style="width: 25%"><a href="http://www.eclipse.org/jetty"><img src="images/jetty-header-logo.png" alt="Jetty Logo"></a><br><span style="font-size: small">
	Version: 9.3.0.v20150612</span></td><td style="width: 50%"><script type="text/javascript"> (function() {
	var cx = '016459005284625897022:obd4lsai2ds';
	var gcse = document.createElement('script');
	gcse.type = 'text/javascript';
	gcse.async = true;
	gcse.src = (document.location.protocol == 'https:' ? 'https:' : 'http:') +
	'//www.google.com/cse/cse.js?cx=' + cx;
	var s = document.getElementsByTagName('script')[0];
	s.parentNode.insertBefore(gcse, s);
	})();
	</script><gcse:search></gcse:search></td></tr></table><div xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Setting Port 80 Access for a Non-Root User</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="configuring-ssl.html"><i class="icon-chevron-left"></i> Previous</a> </td><th width="60%" align="center">Chapter 6. Configuring Jetty Connectors<br><a accesskey="p" href="index.html"><i class="icon-home"></i> Home</a></th><td width="20%" align="right"> <a accesskey="n" href="configuring-security.html">Next <i class="icon-chevron-right"></i></a></td></tr></table><hr></div><div xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" class="jetty-callout"><h5 class="callout"><a href="http://www.webtide.com/">Contact the core Jetty developers at
	<span class="website">www.webtide.com</span></a></h5><p>
	private support for your internal/customer projects ... custom extensions and distributions ... versioned snapshots for indefinite support ...
	scalability guidance for your apps and Ajax/Comet projects ... development services from 1 day to full product delivery
	</p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="setting-port80-access"></a>Setting Port 80 Access for a Non-Root User</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="setting-port80-access.html#using-ipchains">Using ipchains</a></span></dt><dt><span class="section"><a href="setting-port80-access.html#using-iptables">Using iptables</a></span></dt><dt><span class="section"><a href="setting-port80-access.html#configuring-jetty-setuid-feature">Configuring Jetty's SetUID Feature</a></span></dt><dt><span class="section"><a href="setting-port80-access.html#using-solaris10-user-rights-management-framework">Using the Solaris 10 User Rights Management Framework</a></span></dt></dl></div><p>On Unix-based systems, port 80 is protected; typically only the
	superuser root can open it. For security reasons, it is not desirable to run
	the server as root. This page presents several options to access port 80 as
	a non-root user, including using ipchains, iptables, Jetty's SetUID feature,
	xinetd, and the Solaris 10 User Rights Management Framework.</p><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="using-ipchains"></a>Using ipchains</h3></div></div></div><p>On some Linux systems you can use the <span class="emphasis"><em>ipchains
	REDIRECT</em></span> mechanism to redirect from one port to another inside
	the kernel (if ipchains is not available, then usually iptables
	is):</p><div class="screenexample"><pre class="screen"># /sbin/ipchains -I input --proto TCP --dport 80 -j REDIRECT 8080</pre></div><p>This command instructs the system as follows: "Insert into the
	kernel's packet filtering the following as the first rule to check on
	incoming packets: if the protocol is TCP and the destination port is 80,
	redirect the packet to port 8080". Be aware that your kernel must be
	compiled with support for ipchains (virtually all stock kernels are). You
	must also have the ipchains command-line utility installed. You can run
	this command at any time, preferably just once, since it inserts another
	copy of the rule every time you run it.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="using-iptables"></a>Using iptables</h3></div></div></div><p>On many Linux systems you can use the iptables REDIRECT mechanism to
	redirect from one port to another inside the kernel (if iptables is not
	available, then usually ipchains is).</p><p>You need to add something like the following to the startup scripts
	or your firewall rules:</p><div class="screenexample"><pre class="screen"># /sbin/iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080</pre></div><p>The underlying model of iptables is different from ipchains, so the
	forwarding normally happens only to packets originating off-box. You also
	need to allow incoming packets to port 8080 if you use iptables as a local
	firewall.</p><p>Be careful to place rules like this one early in your
	<span class="emphasis"><em>input</em></span> chain. Such rules must precede any rule that
	accepts the packet, otherwise the redirection won't occur. You can insert
	as many rules as required if your server needs to listen on multiple
	ports, as for HTTPS.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="configuring-jetty-setuid-feature"></a>Configuring Jetty's SetUID Feature</h3></div></div></div><p><a class="link" href="http://en.wikipedia.org/wiki/Setuid" target="_top">SetUID</a> is
	a technique that uses Unix-like file system access right to allow users to
	run an executable that would otherwise require higher privileges.</p><p>Jetty's SetUID module allows you to run Jetty as a normal user even
	when you need to run Jetty on port 80 or 443.</p><p>To use it with the jetty distribution:</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>Ensure that you have the http.mod (and <a class="link" href="quickstart-running-jetty.html#quickstart-starting-https" title="Adding SSL for HTTPS & HTTP2">https.mod</a> if you are using
	SSL) <a class="link" href="startup-modules.html" title="Managing Startup Modules">modules enabled</a> for the
	<a class="link" href="quickstart-running-jetty.html#creating-jetty-base" title="Creating a new Jetty Base">base</a> you are using. The
	http.mod is enabled by default in the distribution, while the <a class="link" href="quickstart-running-jetty.html#quickstart-starting-https" title="Adding SSL for HTTPS & HTTP2">https.mod</a> is only enabled
	in the <a class="link" href="quickstart-running-jetty.html#demo-webapps-base" title="Demo Base">demo-base</a>
	directory.</p></li><li class="listitem"><p>Ensure that you have <a class="link" href="quickstart-running-jetty.html#quickstart-changing-jetty-port" title="Changing the Jetty Port">changed the http port</a>
	to 80 (and <a class="link" href="quickstart-running-jetty.html#quickstart-changing-https-port" title="Changing the Jetty HTTPS Port">changed the
	https port</a> to 443 if you are using SSL).</p></li><li class="listitem"><p>Enable the setuid.mod module:</p><div class="screenexample"><pre class="screen"># java -jar start.jar --add-to-start=setuid</pre></div><div xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title"><i class="icon-asterisk"></i> Note</h3><p>The --add-to-start command will enable the setuid module for
	this and all subsequent executions of jetty. There are other ways
	to enable the module, such as just for this execution. For more
	information on the alternatives see the section on <a class="link" href="startup-modules.html" title="Managing Startup Modules">Managing Startup Modules</a>.</p></div></li><li class="listitem"><p>Edit the configuration for the setuid module to substitute the
	userid and groupid of the user to switch to after starting. If you
	used the <code class="code">--add-to-start</code> command, this configuration is in
	the <code class="code">start.ini</code> file. If you used the
	<code class="code">--add-to-startd</code> command instead, this configuration is in
	the <code class="code">start.d/setuid.ini </code>file instead. Here are the lines
	to configure:</p><div class="informalexample"><script type="syntaxhighlighter" class="brush: plain;toolbar: false">
	<![CDATA[jetty.startServerAsPrivileged=false
	jetty.username=foo
	jetty.groupname=bar
	jetty.umask=002
	]]>
	</script></div><div xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title"><i class="icon-asterisk"></i> Note</h3><p>As well as opening the connectors as root, you can also have
	jetty start the Server as root before changing to the non-root
	user.</p></div></li><li class="listitem"><p>You now need a native code library to do the user switching.
	This code is hosted as part of the Jetty ToolChain project and it is
	released independently from Jetty itself. You can find the source code
	<a class="link" href="https://git.eclipse.org/c/jetty/org.eclipse.jetty.toolchain.git" target="_top">here</a>
	in the <a class="link" href="https://git.eclipse.org/c/jetty/org.eclipse.jetty.toolchain.git/tree/jetty-setuid" target="_top">jetty-setuid</a>
	project. Build it locally, which will produce a native library
	appropriate for the operating system:</p><div class="screenexample"><pre class="screen"># mvn clean install</pre></div><p>If you built on a linux
	machine you will find the native library in
	<code class="code">jetty-setuid/libsetuid-linux/target/libsetuid-linux.so</code>.
	If you built on a different operating system you will find the library
	in a different subdirectory, with the name containing the name of the
	operating system. You might like to copy this file into your jetty
	distribution's lib directory.</p></li><li class="listitem"><p>Start jetty as the root user in your base directory, providing
	the location of the native library to java. Here's an example of how
	to do it on the command line, assuming were are in the <a class="link" href="quickstart-running-jetty.html#demo-webapps-base" title="Demo Base">demo-base</a> directory:</p><div class="screenexample"><pre class="screen"># sudo java -Djava.library.path=libsetuid-linux -jar $JETTY_HOME/start.jar</pre></div></li></ol></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="using-solaris10-user-rights-management-framework"></a>Using the Solaris 10 User Rights Management Framework</h3></div></div></div><p>Solaris 10 provides a User Rights Management framework that can
	permit users and processes superuser-like abilities:</p><div class="screenexample"><pre class="screen">usermod -K defaultpriv=basic,net_privaddr myself</pre></div><p>Now the <code class="code">myself</code> user can bind to port 80.</p><p>Refer to the <a class="link" href="http://docs.oracle.com/cd/E23823_01/html/816-4557/prbactm-1.html#scrolltoc" target="_top">
	Solaris 10</a> and <a class="link" href="http://docs.oracle.com/cd/E23824_01/html/821-1456/prbactm-1.html#scrolltoc" target="_top">
	Solaris 11 Security Services documentation</a> for more
	information.</p></div></div><script type="text/javascript">
	SyntaxHighlighter.all()
	</script><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="configuring-ssl.html"><i class="icon-chevron-left"></i> Previous</a> </td><td width="20%" align="center"><a accesskey="u" href="configuring-connectors.html"><i class="icon-chevron-up"></i> Top</a></td><td width="40%" align="right"> <a accesskey="n" href="configuring-security.html">Next <i class="icon-chevron-right"></i></a></td></tr><tr><td width="40%" align="left" valign="top">Configuring SSL/TLS </td><td width="20%" align="center"><a accesskey="h" href="index.html"><i class="icon-home"></i> Home</a></td><td width="40%" align="right" valign="top"> Chapter 7. Configuring Security</td></tr></table></div><p xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times"><div class="jetty-callout">
	See an error or something missing?
	<span class="callout"><a href="http://github.com/jetty-project/jetty-documentation">Contribute to this documentation at
	<span class="website"><i class="icon-github"></i> Github!</span></a></span><span style="float: right"><i>(Generated: 2015-06-15T13:18:16-05:00)</i></span></div></p><script xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" type="text/javascript">
	var _gaq = _gaq \|\| [];
	_gaq.push(['_setAccount', 'UA-1149868-7']);
	_gaq.push(['_trackPageview']);

	(function() {
	var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
	ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
	var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
	})();
	</script></body></html>