
I am in charge of setting up a JBoss web application that runs over SSL, thus should be accessible over port 443.

Of course, it can be started by a user with root privileges, but that is something I'd like to avoid. I'd like to run it as a non-privileged user so I can strictly control everything this application does and give it no more access than needed.

However, the problem is that non-privileged users cannot bind to ports below 1024. I am aware of the reasons why this is so by design; however, this security principle does not let me practice good security with my JBoss application.

What is the best way to solve this? I'd certainly like to avoid an ugly solution like binding to port 8443 instead.

Passiday
  • See capabilities; there is a capability for binding to low-numbered ports: http://unix.stackexchange.com/questions/101263/what-are-the-different-ways-to-set-file-permissions-etc-on-gnu-linux These work well if set on executable files (similar to suid, but just for the capability that you want). – ctrl-alt-delor Jul 25 '15 at 22:05
  • Why don't you have systemd spawn the application as the desired user (from an application.socket unit file) and pass in the listening socket (i.e., Accept=false in [Socket])? See systemd.socket(5) and sd_listen_fds(3) for how to do this. – user3188445 Jul 26 '15 at 06:55
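The socket-activation route suggested in the second comment, as an added example that is not from the question or its commenters: a small Python re-implementation of the sd_listen_fds(3) checks, plus a constructed stand-in for systemd that uses a free localhost port because a sandbox cannot bind 443. The first_fd parameter and simulate_systemd_handoff are assumptions made for the demonstration; real systemd always places the first passed socket on fd 3.

```python
# Socket activation: systemd (as root) binds the privileged port and passes the
# listening socket to the service as fd 3 (SD_LISTEN_FDS_START), announced via
# LISTEN_PID / LISTEN_FDS. The service runs unprivileged and never binds 443.
import os
import socket

SD_LISTEN_FDS_START = 3

def inherited_sockets(environ=None, first_fd=SD_LISTEN_FDS_START):
    """Adopt the sockets systemd passed, or return [] if none were passed."""
    env = os.environ if environ is None else environ
    # LISTEN_PID must name this exact process, so a child that inherits the
    # variables does not mistake its own descriptors for passed sockets.
    if env.get("LISTEN_PID") != str(os.getpid()):
        return []
    try:
        count = int(env.get("LISTEN_FDS", "0"))
    except ValueError:
        return []
    # family and type are read back from the descriptor itself
    return [socket.socket(fileno=fd) for fd in range(first_fd, first_fd + count)]

def listening_socket(port, environ=None, first_fd=SD_LISTEN_FDS_START):
    """Prefer a passed socket; otherwise bind ourselves, which for a port
    below 1024 needs root or CAP_NET_BIND_SERVICE."""
    passed = inherited_sockets(environ, first_fd)
    if passed:
        return passed[0]
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("127.0.0.1", port))
    s.listen(16)
    return s

def simulate_systemd_handoff():
    """Constructed stand-in for systemd (assumption): bind a free localhost
    port, leave the fd open for the child to adopt, return systemd's env."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(16)
    port = s.getsockname()[1]
    env = {"LISTEN_PID": str(os.getpid()), "LISTEN_FDS": "1"}
    return env, s.detach(), port

def accepts_connection(server):
    """Prove the adopted socket really serves: connect, accept, close."""
    client = socket.create_connection(server.getsockname())
    server.accept()[0].close()
    client.close()
    return True
```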

1 Answer


I've been working on a similar issue lately, trying to get some server daemons to run as their own users rather than having to do the ever-frightening sudo ./startup.sh...

If you have any free ports whatsoever, you might designate one to route traffic to where you actually want it. Without hitting the books for you here, I think you may be able to get what you want in this case by configuring iptables as root to route a non-privileged port to the one you want to use, or by using authbind if you can get it for your system, either by compiling or via yum/rpm/apt-get/whatever.

If you search around for answers on problems with using, e.g., port 80 (the default web-traffic port you probably used to load this page), you'll find a good number of solutions. For example, this one about getting Tomcat to run on port 80 instead of its default 8080.