Wednesday June 14, 2006
By default, you cannot bind to ports below 1024 if you are running Glassfish or Sun Java System Application Server (or anything else, for that matter) as a non-root Solaris user. Solaris 10 provides role-based access control (RBAC), which makes this rather trivial (although you'll still need one-time root user access to make it possible).
So, how to do it?
Step 1: Log in as the root user or run the su command
Step 2: Run the following command:
/usr/sbin/usermod -K defaultpriv=basic,net_privaddr <username>
where <username> is the username you are using to run Glassfish.
That's it :-)
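Added example, not part of the original post: a small audit script that lists which accounts hold a given privilege by default. It assumes the usermod -K setting is recorded in user_attr(4) format (user:qualifier:res1:res2:attr); the sample entries and the function names users_with_priv and has_priv are constructed for illustration.

```shell
#!/bin/sh
# Audit user_attr(4)-format data for accounts whose defaultpriv includes a
# given privilege. Assumed entry format: user:qualifier:res1:res2:attr,
# where attr is a ';'-separated list of key=value pairs.

# Constructed sample data (not taken from a real system).
SAMPLE_USER_ATTR='# constructed user_attr sample
root::::type=normal;auths=solaris.*;profiles=All
webservd::::type=normal;defaultpriv=basic,net_privaddr
appuser::::type=normal;defaultpriv=basic
batch::::defaultpriv=basic,net_privaddr,file_dac_read;type=normal'

# users_with_priv PRIV
# Reads user_attr text on stdin and prints "user<TAB>defaultpriv" for every
# account that holds PRIV in its default privilege set.
users_with_priv() {
    awk -F: -v want="$1" '
        /^#/ || NF < 5 { next }                 # skip comments and short lines
        {
            attr = $5                           # rejoin attr if it held a ":"
            for (k = 6; k <= NF; k++) attr = attr ":" $k
            n = split(attr, kv, ";")
            for (i = 1; i <= n; i++) {
                if (index(kv[i], "defaultpriv=") != 1) continue
                val = substr(kv[i], length("defaultpriv=") + 1)
                m = split(val, p, ",")
                for (j = 1; j <= m; j++)
                    if (p[j] == want) { print $1 "\t" val; break }
            }
        }'
}

# has_priv USER PRIV
# Exit status 0 if USER holds PRIV by default in the data on stdin.
has_priv() {
    users_with_priv "$2" |
        awk -F'\t' -v u="$1" '$1 == u { found = 1 } END { exit !found }'
}

# Report every account in the sample that can bind ports below 1024.
printf '%s\n' "$SAMPLE_USER_ATTR" | users_with_priv net_privaddr
```

On a Solaris 10 host, the same function can read the real file: users_with_priv net_privaddr < /etc/user_attr. Accounts listed with more than basic,net_privaddr are worth a second look.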
Thanks for the tip. I added the new privileges to the "webservd" user via usermod and found that I could not bind to port 80 via SMF. I ended up needing to specify the new privileges in my manifest. Perhaps those savvy with SMF know this already, but alas I am new to it. The good news: it didn't take me that long to figure it out. Here is my working start method for the app server.
<exec_method type='method' name='start' exec='/app/appserv/bin/asadmin start-domain domain1' timeout_seconds='60'>
  <method_context>
    <method_credential user='webservd' group='webservd' privileges='basic,net_privaddr'/>
  </method_context>
</exec_method>
Posted by Matthew Montgomery on June 26, 2006 at 02:07 PM PDT #
Posted by Snjezana on June 27, 2006 at 02:53 PM PDT #
Posted by Bob Haupt on July 08, 2006 at 12:12 PM PDT #
http://developer.apple.com/macosx/launchd.html
Quote: "Of particular interest is that launchd can run a job as a non-root user, but still bind it to a privileged port. This removes one common reason to run daemons as root."
Also:
http://forum.textdrive.com/viewtopic.php?pid=43297
You might want to check it out and see if this can fit your purpose, but as far as I can tell it is not really the equivalent of Solaris RBAC.
Posted by Snjezana on July 10, 2006 at 11:33 AM PDT #