Version: 9.1.3-SNAPSHOT

Chapter 19. Setuid

Configuring Setuid

On Unix-based systems, port 80 is protected and can usually only be opened by the superuser root. Because running the server as root is undesirable for security reasons, there are two options:

  • Start Jetty as the root user, and use Jetty's setuid mechanism to switch to a non-root user after startup.

  • Configure the server to run as a normal user on port 8080 (or some other non-protected port). Then configure the operating system to redirect port 80 to 8080 using ipchains, iptables, ipfw or a similar mechanism.

The latter has traditionally been the solution; however, Jetty 9 provides a Setuid feature.

If you are using Solaris 10, you may not need to use this feature, as Solaris provides a User Rights Management framework that can permit users and processes superuser-like abilities. Please refer to the Solaris documentation for more information.

Note

If the environment variable JETTY_USER is set for the startup process and jetty.sh is used, jetty-setuid will not work! So if you want to use jetty-setuid, make sure JETTY_USER is not set!

Configuring the Setuid feature

In the Jetty etc directory you will find the following jetty-setuid.xml file which can be modified to suit your needs.

Options:

startServerAsPrivileged

set this to true if you will start the server up as the root user

umask

the umask setting you would like the process to have; optionally, you may remove this line to leave it unchanged.

username

the name of the user you would like the process to run under after starting, set to jetty by default

groupname

the name of the group you would like the process to run under after starting, set to jetty by default

Additionally, if you would like to set the file descriptor limits in the process, you can uncomment the appropriate section above and set the soft and hard values accordingly.

Enabling SetUID on startup

The jetty-setuid.xml file runs as a wrapper around the typical Jetty server configuration, so you must set this XML file to be processed before any others. This is already configured, but commented out, in the normal start.ini file in the root of the jetty-distribution.

Open the start.ini file and look for the following section:

Uncomment the OPTIONS line, which causes the setuid libraries to be loaded when Jetty starts, along with the line following it, which processes the jetty-setuid.xml file when Jetty starts up. Take care when modifying this file while the SetUID feature is in play, as jetty-setuid.xml MUST be the first XML file to be processed.
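A pre-flight check for the two caveats above (JETTY_USER must not be set, and jetty-setuid.xml must be the first XML file processed), as an added example that is not part of the Jetty distribution. The function names, the sample files and the assumed `OPTIONS=...setuid` line shape are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check for the two caveats on this page.
# Returns 0 when no problem is found, 1 otherwise (problems go to stderr).
check_setuid_preflight() {
    ini=$1
    rc=0
    # Caveat 1: with jetty.sh, a set JETTY_USER stops jetty-setuid from working.
    if [ -n "${JETTY_USER:-}" ]; then
        echo "JETTY_USER is set; unset it before using jetty-setuid" >&2
        rc=1
    fi
    if [ ! -r "$ini" ]; then
        echo "cannot read $ini" >&2
        return 1
    fi
    # Active lines: trimmed, neither blank nor '#' comments.
    active=$(sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$ini" |
        grep -v -e '^#' -e '^$' || true)
    # Assumption: the setuid libraries are enabled by an active OPTIONS line naming setuid.
    if ! printf '%s\n' "$active" | grep -q '^OPTIONS=.*setuid'; then
        echo "no active OPTIONS line naming setuid" >&2
        rc=1
    fi
    # Caveat 2: jetty-setuid.xml MUST be the first XML file processed.
    first_xml=$(printf '%s\n' "$active" | grep '\.xml$' | head -n 1 || true)
    case $first_xml in
        jetty-setuid.xml | */jetty-setuid.xml) ;;
        '') echo "no XML configuration listed" >&2; rc=1 ;;
        *) echo "first XML is $first_xml, not jetty-setuid.xml" >&2; rc=1 ;;
    esac
    return "$rc"
}

# Constructed samples (not the shipped start.ini).
sample_good_ini() {
    printf '%s\n' '# constructed' 'OPTIONS=setuid' 'etc/jetty-setuid.xml' 'etc/jetty.xml'
}
sample_wrong_order_ini() {
    printf '%s\n' '# constructed' 'OPTIONS=setuid' 'etc/jetty.xml' 'etc/jetty-setuid.xml'
}
sample_commented_ini() {
    printf '%s\n' '# OPTIONS=setuid' '# etc/jetty-setuid.xml' 'etc/jetty.xml'
}
```

Run it as the same user and environment that will invoke jetty.sh, since JETTY_USER is read from that environment.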

Supported Operating Systems

The Setuid feature leverages the JNI setup with the JVM, so part of the feature is C code compiled for the appropriate operating environment. By default we ship with .so files for both Linux and Mac OS X. The code for the entire SetUID feature is located in the Jetty toolchain. The Linux file is built on a release machine, most typically an Ubuntu machine with a fairly standard setup. If the existing distributed binaries do not work, you can look to this project and fiddle with the appropriate linker and compiler options until it works.

(Generated: 2014-04-15T11:43:42-05:00)