I am running most of my Java applications with Java Service Wrapper on Ubuntu. Most of these applications can run on unprivileged ports above 1024, e.g. Tomcats running behind an Apache httpd reverse proxy or the Openfire XMPP server, which uses ports above 1024 by default. However, there are exceptions, like the LDAP server ApacheDS or Tomcats that do not require the features of httpd in front of them.
If you want to run Java applications on privileged ports below 1024 there are several options you can choose from:
- Run the application as root (a very bad idea in terms of security)
- Use POSIX File Capabilities (doesn’t work with Sun JDK due to Bug 6919633)
- Use iptables with NAT (works but is clumsy)
- Use authbind
To use authbind follow these steps:
Step 1: Install and configure authbind
Install authbind from the Ubuntu repository:
# aptitude install authbind
For each port your application should be able to bind to, create a file in /etc/authbind/byport and make it executable by the user that runs your application. For ApacheDS I did the following:
# cd /etc/authbind/byport
# touch 389 636
# chown apacheds:apacheds 389 636
# chmod 700 389 636
This results in the following files:
# ls -l /etc/authbind/byport/
total 0
-rwx------ 1 apacheds apacheds 0 2010-05-04 21:24 389
-rwx------ 1 apacheds apacheds 0 2010-05-04 21:24 636
More information on access control is available in authbind(1).
Step 2: Update wrapper.conf
Authbind works by interposing its own bind() in front of the libc one. This is done by setting the environment variable LD_PRELOAD so that its shared library is loaded before libc. If you are using Java Service Wrapper, the easiest way to do this is to add the following line to your wrapper.conf:
set.LD_PRELOAD=/usr/lib/authbind/libauthbind.so.1
As authbind only supports IPv4, you must prevent your application from binding to the IPv6 port as well. This can be achieved by setting the system property java.net.preferIPv4Stack in wrapper.conf:
wrapper.java.additional.1=-Djava.net.preferIPv4Stack=true
That’s it!
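As an added example (not from the original post, and not part of authbind itself), here is a small POSIX sh helper that creates the byport control files from Step 1 for a service account, checks whether the current user would be granted a port, and audits the directory for control files whose execute bit is set for group or other, which would let accounts other than the intended one bind the port. It assumes the Ubuntu default directory /etc/authbind/byport (overridable via AUTHBIND_DIR) and authbind's byport rule that a port is granted when the calling user can execute the file named after it.

```shell
#!/bin/sh
# Added example (not from the original post): manage authbind byport control
# files for a service account and audit them for over-broad permissions.
# Assumption: AUTHBIND_DIR defaults to /etc/authbind/byport as on Ubuntu;
# authbind grants a port when the caller can execute the file named after it.

AUTHBIND_DIR="${AUTHBIND_DIR:-/etc/authbind/byport}"

# authbind_allow USER PORT... : create an empty control file per privileged
# port, owned by USER with mode 700, so only USER (and root) may bind it.
authbind_allow() {
    user="$1"; shift
    for port in "$@"; do
        case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 1023 ]; then
            echo "$port is not a privileged port; authbind is not needed" >&2
            return 1
        fi
        f="$AUTHBIND_DIR/$port"
        : > "$f" && chown "$user" "$f" && chmod 700 "$f" || return 1
    done
}

# authbind_check PORT : succeed if the current user may bind PORT under the
# byport rule, i.e. the control file exists and is executable by this user.
authbind_check() {
    [ -x "$AUTHBIND_DIR/$1" ]
}

# authbind_audit : print control files whose group or other execute bit is
# set; such files let accounts other than the owner bind the port.
authbind_audit() {
    find "$AUTHBIND_DIR" -type f \( -perm -g+x -o -perm -o+x \) | sed 's#.*/##'
}

# Usage as in the post (needs root):  authbind_allow apacheds 389 636
```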
This approach works with any Java application and is not limited to ApacheDS. Have a look at A Better Tomcat for Ubuntu and Debian by MuleSource to see how they are using authbind without Java Service Wrapper to make Tomcat run on standard HTTP ports.