0

The first time I tried to run SonarQube as the root user, it failed. Searching the internet, I found that the new Sonar should be executed by a non-root user. I created the user sonar with the following command `useradd -m -s /bin/bash sonar` and I executed `chmod -R 777 sonaqube-7.0`. Then I logged in as the sonar user: `sudo su sonar`. When I execute `./sonar.sh console` all works fine. But when I change the default port 9000 to port 80, it fails. Using the command `netstat -plunt` I checked whether port 80 is in use, but the only ports that I use are 22 (sshd), 5432 (postgres) and 25 (exim4). I think that this happens because the user sonar does not have permission to use port 80. How can I use port 80 with SonarQube?

My current operating system is Debian 9.

Reinier Hernández
  • Possible duplicate of [Change port of SonarQube to 80](https://stackoverflow.com/questions/34259777/change-port-of-sonarqube-to-80) – Jamie Ridding Apr 13 '18 at 14:26
  • I already read it, but I think it is not a good idea to use nginx or apache to proxy from port 80 to 9000 if this can be done using the sonar config file – Reinier Hernández Apr 13 '18 at 14:28
  • 1
    Unfortunately, you **cannot** run programs on port =< 1024 as a non-root user; it is made deliberately impossible by the developers of most Linux distributions. More details will be in an answer below. – Jamie Ridding Apr 13 '18 at 14:29

2 Answers

2

Your current inability to use SonarQube via port 80 is actually due to a limitation provided by nearly all Linux distributions: privileged ports.

All ports below 1024 cannot be listened on by programs executed by non-root users — that is, only the user "root" may run programs that run on these ports. This is to provide assurance that when you connect to an application running on that port, the application is "the real thing" and not a fake put up by a hacker.

Because SonarQube does not allow you to execute it as root, proxying port 80 to a port that is above 1024 that SonarQube is executing on is the only way to get around this limitation.

Jamie Ridding
1

There are some ways to allow a non-root user to use ports 80 and 433: using iptables to redirect the port requests, CAP_NET_BIND_SERVICE, and authbind. The easiest way is authbind.

Use authbind to grant one-time access, with finer user/group/port control:

The authbind (man page) tool exists precisely for this.

  1. Install authbind using your favorite package manager.

  2. Configure it to grant access to the relevant ports, e.g. to allow 80 and 443 from all users and groups:

    sudo touch /etc/authbind/byport/80
    sudo touch /etc/authbind/byport/443
    sudo chmod 777 /etc/authbind/byport/80
    sudo chmod 777 /etc/authbind/byport/443
    
  3. Now execute your command via authbind (optionally specifying --deep or other arguments, see the man page):

    authbind --deep /path/to/binary command line args
    

    E.g.

    authbind --deep java -jar SomeServer.jar
    

This option grants trust to the user/group and provides control over per-port access but, AFAIK, supports only IPv4.

These are the links that I used as references:

  1. allow non-root process to bind to port 80 and 443
  2. Is there a way for non-root processes to bind to "privileged" ports on Linux?
  3. how to run a server on port 80 as a normal user on linux
Reinier Hernández
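An added example, not part of the answer above: authbind authorises a bind when the calling user has execute permission on the per-port file, so a file left at `chmod 777` lets every local account take that port. The script below audits a byport directory for such grants; the function names and the temporary sample directory are constructed for illustration, and the `sonar` account in the comment is the one created in the question.

```shell
#!/bin/sh
# Added example: audit authbind per-port grants (not code from the page).
# authbind(1) allows bind() on port N when the calling user has execute
# access to <dir>/N, so the "others" execute bit opens the port to all users.

# Print the port files under $1 that any local user may bind, sorted.
world_bindable_ports() {
    dir=${1:-/etc/authbind/byport}
    find "$dir" -type f -perm -0001 2>/dev/null |
        sed 's|.*/||' | sort -n
}

# Report every world-bindable grant; return 1 if any exist, 0 otherwise.
audit_authbind() {
    dir=${1:-/etc/authbind/byport}
    ports=$(world_bindable_ports "$dir")
    [ -z "$ports" ] && return 0
    for p in $ports; do
        echo "port $p: executable by all users; restrict to the service account"
    done
    return 1
}

# Tighter grant for a single service account (assumes the user "sonar"):
#   sudo chown sonar /etc/authbind/byport/80
#   sudo chmod 500   /etc/authbind/byport/80

# Demonstration on a constructed directory, not the real /etc/authbind.
demo=$(mktemp -d)
touch "$demo/80" "$demo/443"
chmod 777 "$demo/80"     # grant as written in the answer
chmod 500 "$demo/443"    # owner-only grant
audit_authbind "$demo" || echo "tighten the grants listed above"
rm -rf "$demo"
```

Run `audit_authbind` with no argument on the host to check the real `/etc/authbind/byport` directory.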