Runas different user? Only get ignition working as root

I have 7.8.2 installed on RedHat/Oracle 7.2 with Oracle java 1.8.0_73

I created a user account and group 'ignition' and set ignition.sh to "RUN_AS_USER=ignition", and everything worked fine. But we won't use the default SSL port of 8043, so I used the gwcmd command to change the SSL port (./gwcmd --sslport 443).

Now ignition will NOT run at all without changing the run-as user to "root". In the log I get

netstat -tulpn shows me that no, port 443 is not in use. I did come across this -

support.inductiveautomation.com ... 0-in-linux

Really really bad idea to be running as root, same as running anything on Windows with admin privileges. I do hope this is just a configuration error

Ports below 1024 are protected in linux and most *nix families – they can only be listened to by root. I believe the permission can be delegated, but I don’t remember which control it is. I’m sure Google can help :slight_smile:

I think what you’ll end up doing is running on 8088 and 8043 and adding an iptables rule that redirects 80 and 443.

2 Likes

Ubuntu’s privbind utility looks interesting. I’ve also run apache on :80 as a transparent proxy to :8088 to allow name-based vhosts to coexist on one machine. Never figured out what I’d need for that to work with :443 as well.

This was my solution, a simple redirect from 443 to 8043, worked like a charm. Changed Ignition to a non-root user, and everything is working fine now. Thanks for the help everyone

We normally use Linux and are supporting an Ignition system developed in Windows. The system is set up to use ports 80 and 443 but of course this gives us problems in Linux as we’d rather not run as root.

I’ve read that systemd can handle opening up privileged ports and handing them to unprivileged services. Anyone have experience of this and know how to integrate this with the ignition startup script?

On my Linux server that is running Ignition I did the following:

sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8043
# iptables-save prints the current rules to stdout; redirect its output (e.g. > /etc/sysconfig/iptables) to keep them across reboots
sudo iptables-save

The above was from https://www.cyberciti.biz/faq/linux-port-redirection-with-iptables/

2 Likes
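The redirect above only matches packets arriving on eth0, so a connection made from the server itself (for example a health check against https://localhost) still hits the raw port and never gets redirected. The script below is an added example, not code from this thread or from Inductive Automation: it emits the PREROUTING rule plus the matching OUTPUT rule for loopback traffic, covers both 80 to 8088 and 443 to 8043, refuses to redirect onto another privileged port, and only applies the rules when run as root without DRY_RUN set. The interface name, the port pairs, the DRY_RUN variable and the /etc/sysconfig/iptables persistence path (iptables-services on RHEL 7) are assumptions for the example.

```shell
#!/bin/sh
# Added example: keep Ignition listening on 8088/8043 as the unprivileged
# 'ignition' user while clients connect on 80/443 via iptables NAT.
# Assumptions: RHEL/Oracle Linux 7 using iptables (not firewalld), eth0 as
# the external interface, iptables-services for persistence.

IFACE="${IFACE:-eth0}"

# Ports below 1024 can only be bound by root (or CAP_NET_BIND_SERVICE);
# anything else the ignition user can open itself.
is_privileged_port() {
    [ "$1" -gt 0 ] && [ "$1" -lt 1024 ]
}

# Emit the two rules for one redirect, one per line.
# PREROUTING only sees packets arriving from the network; connections made
# on the server itself traverse the OUTPUT chain over lo instead, so a
# second rule is needed for those.
redirect_rules() {
    from="$1"; to="$2"
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j REDIRECT --to-port %s\n' \
        "$IFACE" "$from" "$to"
    printf 'iptables -t nat -A OUTPUT -o lo -p tcp --dport %s -j REDIRECT --to-port %s\n' \
        "$from" "$to"
}

# Apply the 80->8088 and 443->8043 redirects. Refuse a target port that is
# itself privileged, since that would only move the problem.
# Prints the rules instead of running them unless root and DRY_RUN is unset.
apply_redirects() {
    for pair in 80:8088 443:8043; do
        from="${pair%%:*}"; to="${pair##*:}"
        if is_privileged_port "$to"; then
            echo "refusing: target port $to is itself privileged" >&2
            return 1
        fi
        redirect_rules "$from" "$to" | while read -r rule; do
            if [ "$(id -u)" -eq 0 ] && [ -z "$DRY_RUN" ]; then
                $rule
            else
                echo "+ $rule"
            fi
        done
    done
}

# Persist the running rule set so the redirect survives a reboot
# (iptables-save alone only prints to stdout).
persist_rules() {
    if [ "$(id -u)" -eq 0 ] && [ -z "$DRY_RUN" ]; then
        iptables-save > /etc/sysconfig/iptables
    else
        echo "+ iptables-save > /etc/sysconfig/iptables"
    fi
}

# Usage: DRY_RUN=1 sh redirect.sh   (preview)   |   sudo sh redirect.sh (apply)
if [ "${0##*/}" = "redirect.sh" ]; then
    apply_redirects && persist_rules
fi
```

After applying, `netstat -tulpn` should still show java listening on 8088/8043 only, while `iptables -t nat -L -n` lists the REDIRECT entries; the gateway itself never needs a privileged bind, so RUN_AS_USER can stay as `ignition`.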