Solved by following the excellent How To: Build A Read-Only Linux System.
From one of the two little scripts making the magic (uses an aufs union):
# ${rootmnt} is the root mount point handed to the script by the initramfs (initramfs-tools variable)
ro_mount_point="${rootmnt%/}.ro"
rw_mount_point="${rootmnt%/}.rw"
# Create mount points for the read-only and read/write layers:
mkdir "${ro_mount_point}" "${rw_mount_point}"
# Move the already-mounted root filesystem to the ro mount point:
mount --move "${rootmnt}" "${ro_mount_point}"
# Mount the read/write filesystem:
mount -t tmpfs root.rw "${rw_mount_point}"
# Mount the union:
mount -t aufs -o "dirs=${rw_mount_point}=rw:${ro_mount_point}=ro" root.union "${rootmnt}"
# Correct the permissions of /:
chmod 755 "${rootmnt}"
Results: system protected and apps can write their stuff (in RAM).
If I reboot without "committing" all the changes on the system will be lost, but if I need something to stay permanent, I can remount the partition read-write (this time r/w means "on disk" not "on RAM"), do the "commit" and remount the partition as read-only.
Scripts are so elegant that I can also switch between "protected" (for production) or "unprotected" (for development) modes by choosing the correctly labelled entry in GRUB.
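The "commit" step described above (remount the disk partition read-write, push the changes held in the tmpfs layer onto it, remount read-only) is left to the reader by the answer. The following added example, which is not code from the answer or from the linked how-to, shows the middle part as a shell function that applies an aufs read/write branch onto the on-disk branch. It assumes aufs's whiteout convention (a deleted file is recorded as `.wh.<name>` in the rw branch, and aufs bookkeeping entries start with `.wh..wh.`) and that the disk branch has already been remounted read-write; because it only works on two directories, it can be exercised on plain directories without root.

```shell
#!/bin/sh
# Added example: apply the changes held in an aufs rw branch onto the ro branch.
# Assumes aufs whiteout naming: ".wh.<name>" marks a deletion, ".wh..wh.*" is
# aufs-internal metadata that must not be copied to disk.

aufs_commit() {  # aufs_commit <rw branch dir> <ro (disk) branch dir>
    rw=$1 ro=$2
    [ -d "$rw" ] && [ -d "$ro" ] || return 1

    # 1. Apply whiteouts: ".wh.foo" in the rw branch means "foo" was deleted in
    #    the union, so remove it from the disk copy. Skip aufs-internal names.
    find "$rw" -name '.wh.*' ! -name '.wh..wh.*' | while IFS= read -r wh; do
        rel=${wh#"$rw"/}
        dir=$(dirname "$rel")
        name=$(basename "$rel")
        name=${name#.wh.}
        [ -n "$name" ] || continue      # never turn an empty name into "rm -rf dir/"
        rm -rf "$ro/$dir/$name"
    done

    # 2. Copy everything else (directories, symlinks, regular files) to disk,
    #    ignoring whiteouts and anything under an aufs-internal directory.
    find "$rw" -mindepth 1 ! -name '.wh.*' ! -path '*/.wh..wh.*' | while IFS= read -r src; do
        rel=${src#"$rw"/}
        dest="$ro/$rel"
        if [ -L "$src" ]; then           # check -L before -d: -d follows symlinks
            mkdir -p "$(dirname "$dest")"
            rm -f "$dest"
            ln -s "$(readlink "$src")" "$dest"
        elif [ -d "$src" ]; then
            mkdir -p "$dest"
        else
            mkdir -p "$(dirname "$dest")"
            cp -p "$src" "$dest"
        fi
    done
}
```

In the real workflow the call would be bracketed by `mount -o remount,rw` and `mount -o remount,ro` of the disk partition, and the tmpfs branch would be cleared (or the machine rebooted) afterwards so the same delta is not committed twice.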
Short answer: you can't. Ports below 1024 can be opened only by root. As per the comment: well, you can, using CAP_NET_BIND_SERVICE, but that approach, applied to the java binary, will make any Java program run with this setting, which is undesirable, if not a security risk.
The long answer: you can redirect connections on port 80 to some other port you can open as normal user.
Run as root:
# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
As loopback devices (like localhost) do not use the prerouting rules, if you need to use localhost, etc., add this rule as well (thanks @Francesco):
# iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 80 -j REDIRECT --to-ports 8080
NOTE: The above solution is not well suited for multi-user systems, as any user can open port 8080 (or any other high port you decide to use), thus intercepting the traffic. (Credits to CesarB).
EDIT: as per the comment question, to delete the above rule:
# iptables -t nat --line-numbers -n -L
This will output something like:
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 redir ports 8088
2 REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8080
The rule you are interested in is no. 2, so to delete it:
# iptables -t nat -D PREROUTING 2
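Deleting by line number, as in the EDIT above, is fragile: the numbers shift whenever another rule is inserted or removed, so a script that remembers "rule 2" can delete the wrong one. The added example below (not code from the answer) wraps the two REDIRECT rules from this answer in shell functions that spell each rule out once and reuse that specification to check (`-C`), add and delete (`-D`) it. It assumes an `iptables` build with the nat table and `-C` support; `DRY_RUN=1` prints the commands instead of running them, so the logic can be tried without root.

```shell
#!/bin/sh
# Added example: idempotent add/remove of the port-80 -> 8080 REDIRECT rules.
# Assumes iptables with -C (check) support. Run as root, or set DRY_RUN=1 to
# only print the commands that would be executed.

: "${IPTABLES:=iptables}"   # assumed name/path of the iptables binary
: "${DRY_RUN:=0}"

# Run one iptables invocation, or print it in dry-run mode.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# rule_present <chain> <rule spec...>: succeeds if the rule is already in the
# nat table. In dry-run mode nothing is queried and every rule counts as present,
# so the delete path is exercised; redirect_add checks DRY_RUN itself.
rule_present() {
    [ "$DRY_RUN" = 1 ] && return 0
    "$IPTABLES" -t nat -C "$@" >/dev/null 2>&1
}

# redirect_add <privileged port> <unprivileged port>
redirect_add() {
    low=$1 high=$2
    # Traffic arriving from the network passes through PREROUTING.
    if [ "$DRY_RUN" = 1 ] || ! rule_present PREROUTING -p tcp --dport "$low" -j REDIRECT --to-ports "$high"; then
        ipt -t nat -A PREROUTING -p tcp --dport "$low" -j REDIRECT --to-ports "$high"
    fi
    # Locally generated traffic to 127.0.0.1 never hits PREROUTING; it needs OUTPUT.
    if [ "$DRY_RUN" = 1 ] || ! rule_present OUTPUT -p tcp -d 127.0.0.1 --dport "$low" -j REDIRECT --to-ports "$high"; then
        ipt -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport "$low" -j REDIRECT --to-ports "$high"
    fi
}

# redirect_del <privileged port> <unprivileged port>: remove both rules by
# specification, so no line numbers are involved.
redirect_del() {
    low=$1 high=$2
    if rule_present PREROUTING -p tcp --dport "$low" -j REDIRECT --to-ports "$high"; then
        ipt -t nat -D PREROUTING -p tcp --dport "$low" -j REDIRECT --to-ports "$high"
    fi
    if rule_present OUTPUT -p tcp -d 127.0.0.1 --dport "$low" -j REDIRECT --to-ports "$high"; then
        ipt -t nat -D OUTPUT -p tcp -d 127.0.0.1 --dport "$low" -j REDIRECT --to-ports "$high"
    fi
}
```

The multi-user caveat in the NOTE still applies: the redirect sends port-80 traffic to whichever process bound 8080 first, so on a shared host the target port should be reserved for the intended service (for example by running it under a dedicated account and monitoring for other listeners on that port) rather than assumed free.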
Best Answer
Ended up getting into the running system command line with root access via a serial console cable. Found nowhere in the documentation, but a little Cisco, HP, etc. console cable experience, plus @Gilles pointing it out, gave me enough motivation to work on it and get it done.
EDIT: Although I don't have access to the system anymore to test, I believe the method of editing /etc/shadow would have worked out: http://geekswing.com/geek/resetting-root-password-on-a-linux-system-using-clonezilla/