On Linux do people chroot a Java Web Application or use IPTables and run as non-root?

Question

When you run a Java Servlet Container that you would like to serve both static and dynamic content on port 80 you have the classic question of whether to run the server as:

1. As root in hopefully a chroot jail if you can (haven't gotten this working yet)
2. As a non root user and then use IPTables to forward port 80 to some other port (>1024) that the container is running on
3. Both: As a non root user, IPTables, and chroot jail.

The problem with opt. 1 is the complexity of chrooting and still the security problems of running root.The problem with opt. 2 is that each Linux distro has a different way of persisting IPTables. Option 3 of course is probably idea but very hard to setup.

Finally every distro has the annoying differences in daemon scripts.

What do people find as the best distro agnostic solution and are there resources to show how to do this?

EDIT: I would rather not run Apache in front of the servlet container because the site is mostly dynamic and total memory footprint is important (hosting costs).

Answer 1

Run as non-root and use a standard webserver (apache) or a lightweight one (such as lighttpdor nginx) on port 80 to redirect to your instance.

This has the advantage that the standard webserver can serve static content, reducing the load on your web application. You could even have it reverse-proxy and cache the web application traffic.

Answer 2

Check out authbind, which is designed specifically to allow non-root users controlled access to privileged ports.

This way, you can effectively escalate your Tomcat user's privileges to just the root powers you want (open privileged ports) without giving your webapp process unnecessary powers to wreak havoc.