使用非 root 用户 sudo-ing tomcat 的启动是否与以 root 用户身份运行相同? [英] Is sudo-ing tomcat's startup with a non-root user the same as running it as root?

问题描述

我了解到以 root 用户身份运行 Tomcat 是一个安全问题.我想让 Tomcat 监听 80 端口，这是 Centos 中的一个特权端口.我创建了一个用户并将他添加到轮组.该用户使用 sudo sh startup.sh 启动 tomcat.我绝不是基于 Unix 的操作系统的专家，所以我仍然感到困惑.如果我以 root 用户身份启动 tomcat，我是否已经暴露在相同的漏洞中?

I've read that it is a security issue to run Tomcat as the root user. I want Tomcat to listen on port 80, a privileged port in Centos. I've created a user and added him to the wheel group. This user starts tomcat up with sudo sh startup.sh. I'm in no way an expert in unix-based OS's so I'm still confused. Have I have exposed myself to the same vulnerabilities that exist if I were to start tomcat as root?

推荐答案

如果您使用 sudo 调用启动脚本，则您正在以 root 身份运行 tomcat.您是对的，不建议以 root 身份运行 tomcat.非 root 用户无法绑定到端口 80，有一些解决方案可以解决这个问题.一种方法是以非 root 身份运行 tomcat，并使 tomcat 侦听端口 8080.启用防火墙并将朝向端口 80 的请求转发到端口 8080.

If you're using sudo to call start up script you are running tomcat as root. You're right that it's not recommended to run tomcat as root. A non root user can't bind to port 80, and there are some solutions to get around this. One way would be run tomcat as non-root, and make tomcat listen to port 8080. Enable firewall and forward requests headed towards port 80 to port 8080.

service iptables start

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080

iptables-save
service iptables restart

这篇关于使用非 root 用户 sudo-ing tomcat 的启动是否与以 root 用户身份运行相同?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！