
Apologies for perhaps a silly question, but I have only a little experience with Tomcat (and Linux in general). I have launched a fresh AWS Ubuntu 16.04 instance, installed Java 8 (for our app compatibility requirements) and Tomcat 9 (in the /opt/tomcat9 folder). I have created a tomcat9 user under which I intend to run Tomcat. I have copied the SSL certificate to /etc/ssl-keystore and set up the SSL connector in server.xml:

<Connector SSLEnabled="true" keystoreFile="/etc/ssl-keystore/mycert.pfx"
keystorePass="mypassword" port="443" scheme="https" secure="true"
sslProtocol="TLS" maxPostSize="104857600" maxHttpHeaderSize="204800" />

I have changed ownership of the /opt/tomcat9 folder to tomcat9 user:

chown -hR tomcat9: /opt/tomcat9

If I start tomcat using

sudo -u tomcat9 /opt/tomcat9/bin/startup.sh

I am getting this error in catalina.out:

05-Jun-2018 12:42:39.112 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-443]]
 org.apache.catalina.LifecycleException: Protocol handler initialization failed
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:935)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:530)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:852)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:622)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:645)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
Caused by: java.net.SocketException: Permission denied
        at sun.nio.ch.Net.bind0(Native Method)
        at sun.nio.ch.Net.bind(Net.java:433)
        at sun.nio.ch.Net.bind(Net.java:425)
        at sun.nio.ch.ServerSocketChannelImpl.bind(ServerSocketChannelImpl.java:223)
        at sun.nio.ch.ServerSocketAdaptor.bind(ServerSocketAdaptor.java:74)
        at org.apache.tomcat.util.net.NioEndpoint.initServerSocket(NioEndpoint.java:227)
        at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:202)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:939)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:575)
        at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:70)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:932)
        ... 13 more

Can you please advise what I am missing or what permission should be added? I have spent a lot of time researching this already (including the Stack Overflow site) and read multiple tutorials, but I am unable to find a relevant/useful answer. Thank you very much.

lesky
  • probably [duplicate](https://stackoverflow.com/q/46491732/7748072). BTW _sudo -u tomcat9_ won't work, you want **-u root** to try permissions. – Eugène Adell Jun 05 '18 at 14:32
  • Since you are on AWS, I would recommend letting ELB handle SSL termination. Then you can run multiple Tomcat instances behind ELB on a normal port like 8080 with a normal user. Even without ELB, there should be something fronting Tomcat like nginx or apache2. – gagan singh Jun 05 '18 at 14:58

1 Answer


By default, non-root users can't bind to privileged low ports. The first 1024 ports are restricted, and you are trying to bind to 443.

If you insist on doing it instead of running on port 8080 with a TLS termination proxy, try the following answers. They suggest setcap to resolve it:

Karol Dowbecki
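As an added example (not code from the question or the answer above), the script below diagnoses the "Permission denied" bind failure from catalina.out and shows the setcap remediation the answer refers to, scoped to the JVM binary so Tomcat keeps running as the unprivileged tomcat9 user. The JVM path in JAVA_BIN is a placeholder assumption, and port 443 is taken from the server.xml in the question.

```shell
#!/bin/sh
# Added example, not code from the question or the answer. Assumes the Tomcat JVM lives at the
# placeholder path JAVA_BIN and the connector port is 443 as in the server.xml above.
JAVA_BIN="${JAVA_BIN:-/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java}"   # placeholder path

# Ports below 1024 need root or CAP_NET_BIND_SERVICE; everything else is unprivileged.
is_privileged_port() {
  [ "$1" -ge 0 ] 2>/dev/null && [ "$1" -lt 1024 ]
}

# Returns 0 when a catalina.out line is the bind-permission failure from the question,
# as opposed to e.g. "Address already in use", which has a different cause.
is_bind_permission_error() {
  case "$1" in
    *"java.net.SocketException: Permission denied"*) return 0 ;;
  esac
  return 1
}

# Returns 0 when getcap output for the JVM shows the capability is already present.
has_net_bind_cap() {
  case "$1" in
    *cap_net_bind_service*) return 0 ;;
  esac
  return 1
}

# Remediation, needs root. Grants only CAP_NET_BIND_SERVICE to the JVM binary so Tomcat
# can bind 443 while still running as tomcat9; the process never becomes root. Every Java
# program started from this binary gets the capability too, so use a JRE dedicated to Tomcat.
grant_bind_cap() {
  bin=$(readlink -f "$1") || return 1          # setcap needs the real file, not a symlink
  setcap 'cap_net_bind_service=+ep' "$bin" || return 1
  # Caveat: a capability-bearing binary is loaded in secure mode, so ld.so ignores the
  # launcher's $ORIGIN-relative RPATH for libjli.so and java fails to start. Register that
  # directory system-wide instead (Java 8 layout shown; Java 11+ uses lib/jli).
  jli=$(readlink -f "$(dirname "$bin")/../lib/amd64/jli") || return 1
  echo "$jli" > /etc/ld.so.conf.d/tomcat-java-jli.conf
  ldconfig
}

# Demo on a constructed log line; no root needed.
LINE='Caused by: java.net.SocketException: Permission denied'
if is_bind_permission_error "$LINE" && is_privileged_port 443; then
  if has_net_bind_cap "$(getcap "$JAVA_BIN" 2>/dev/null)"; then
    echo "JVM already has CAP_NET_BIND_SERVICE; the cause is elsewhere"
  else
    echo "443 is privileged: run grant_bind_cap $JAVA_BIN as root, or serve 8080 behind a TLS proxy"
  fi
fi
```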