Jetty Logo
Contact the core Jetty developers at

private support for your internal/customer projects ... custom extensions and distributions ... versioned snapshots for indefinite support ... scalability guidance for your apps and Ajax/Comet projects ... development services from 1 day to full product delivery

Chapter 22. Setuid

Table of Contents

Configuring Setuid

Configuring Setuid

On Unix based systems, port 80 is protected and can usually only be opened by the superuser root. As it is not desirable to run the server as root (for security reasons), the solution options are as follows:

  • Start Jetty as the root user, and use Jetty's setuid mechanism to switch to a non-root user after startup.

  • Configure the server to run as a normal user on port 8080 (or some other non protected port). Then, configure the operating system to redirect port 80 to 8080 using ipchains, iptables, ipfw or a similar mechanism.

The latter has traditionally been the solution, however Jetty 9 has Setuid feature.

If you are using Solaris 10, you may not need to use this feature, as Solaris provides a User Rights Management framework that can permit users and processes superuser-like abilities. Please refer to the Solaris documentation for more information.

Configuring the Setuid feature

In the Jetty etc directory you will find the following jetty-setuid.xml file which can be modified to suit your needs.

<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "">

<!-- ================================================================ -->
<!-- Configure the Jetty SetUIDServer                                 -->
<!-- This configuration file *must* be specified first in the list of -->
<!-- configuration files and should be used in combination with other -->
<!-- configuration files eg jetty.xml                                 -->
<!-- ================================================================ -->
<Configure id="Server" class="org.eclipse.jetty.setuid.SetUIDServer">
  <Set name="startServerAsPrivileged">false</Set>
  <Set name="umask">2</Set>
  <Set name="username">jetty</Set>
  <Set name="groupname">jetty</Set>
<!-- uncomment to change the limits on number of open file descriptors for root -->
    <Call name="setRLimitNoFiles">
        <New class="org.eclipse.jetty.setuid.RLimit">
          <Set name="soft">20000</Set>
          <Set name="hard">40000</Set>




set this to true if you will start the server up as the root user


the umask setting you would like the process to have, optionally you may remove this line to leave it unchanged.


the name of the user you would like tthe process to run under after starting, set to jetty by default


the name of the group you would like the process to run under after starting, set to jetty by default

Additionally if you would like to set the file descriptor limits in the process you can uncomment the appropriate section above and set the soft and hard values accordingly.

Enabling SetUID on startup

The jetty-setuid.xml file runs as a wrapper around the typical Jetty server configuration so you must set this xml file to be processed before any others. This is already configured yet commented out in the normal start.ini file in the root of the jetty-distribution.

Open the start.ini file and look for the following section:

# Enable SetUID
# To enable setuid you must have the jetty-setuid.xml as the
# first xml file to be processed.
# The default user and group is 'jetty' and if you are
# starting as root you must change the run privledged to true
# OPTIONS=setuid
# etc/jetty-setuid.xml


Uncomment the OPTIONS line which will set the setuid libraries to be loaded when Jetty starts along with the line following which will process the jetty-setuid.xml file when jetty starts up. Take care when modifying this file when the SetUID feature is in play as it MUST be the first xml file to be processed.

Supported Operating Systems

The Setuid feature leverages the the JNI setup with the jvm so part of the feature is C code compiled for the appropriate operating environment. By default we ship with .so files for both Linux and Mac OS X. The code for the entire SetUID feature is located in the Jetty toolchain. The Linux file is built on a release machine, most typically an Ubunutu machine with a fairly standard setup. If the existing distributed binaries do not work you can look to this project and fiddle with the appropriate linker and compiler options until it works.

See an error or something missing? Contribute to this documentation at Github!