> I have two considerations about your Tomcat-nobody advice:
> 
> 1) There is no tomcat4.conf in conf directory.
> 
> 2) Your advice is to do 
>    - chown nobody:nobody /usr/local/tomcat1
>    - su -l -c /usr/local/tomcat1/bin/startup.sh
> 
> There is a big problem with this procedure, in my opinion: the problem 
> is a security problem. We know that Apache runs as nobody, but the 
> directories are root:root. The father process forks child processes 
> which are nobody, so if someone tries to execute a cgi, this has no 
> privilege. But if you execute "chown nobody:nobody /usr/local/tomcat1", 
> all directories are nobody, so anyone can write and do everything.
> 
> I'd like to start tomcat as apache, with the same security policy.

First of all, you need to know what you'll be protecting and from whom. I'd suggest 
user "tomcat" and group "tomcat". The vital directories should be owned by 
"root:tomcat". The files should be accessible to the tomcat user (which should be in group 
tomcat).

# root owns the tree, group tomcat may read it; the tomcat user owns nothing here
chown -R root:tomcat $CATALINA_HOME
# files: owner rw, group r, nothing for others
find $CATALINA_HOME -type f -exec chmod 640 {} \;
# directories: owner rwx, group rx, nothing for others
find $CATALINA_HOME -type d -exec chmod 750 {} \;
# the start/stop scripts must stay executable for group tomcat
chmod 750 $CATALINA_HOME/bin/*.sh

This way, only members of "tomcat" group can access those files. They should not be 
world readable, especially "./conf/", since you could be storing sensitive data there 
(database connection parameters, passwords, etc.). After this, you should be able to 
run Tomcat under user "tomcat".

One word of caution: only root can open ports below TCP:1024. So, setting up an HTTP 
connector on port 80 will fail. 8080 and WARP should be fine.

This idea can be developed further, with virtual hosts placed in separate user 
accounts, both for Apache and Tomcat. The question of access will arise, of course. 
Owners of virtual hosts shouldn't be in "tomcat" group. A directory where they would 
deploy their web applications should be accessible by Tomcat, but they should be able 
to upload content to it as well.

Nix.
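As an added example (not code from this thread), a POSIX shell script that applies the modes from the reply above and then audits the tree for the two conditions the thread is about: entries that "other" can reach, and entries owned by the service account itself (the "chown nobody:nobody" problem). The CATALINA_HOME path, the "tomcat" user name and the directory layout are assumptions; the chown -R root:tomcat step needs root and is left to the operator.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes a CATALINA_HOME-style
# tree (conf/, bin/, webapps/) and a dedicated service user such as "tomcat".

# Apply the modes from the message: files 640, dirs 750, bin/*.sh 750.
# Ownership (root:tomcat) is not changed here because that requires root.
apply_catalina_modes() {
    find "$1" -type f -exec chmod 640 {} \;
    find "$1" -type d -exec chmod 750 {} \;
    [ -d "$1/bin" ] && find "$1/bin" -type f -name '*.sh' -exec chmod 750 {} \;
    return 0
}

# Number of entries under $1 that "other" can read, write or execute.
# Octal -perm masks are used so this works with POSIX find, not only GNU find.
count_world_accessible() {
    find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) | wc -l | tr -d ' '
}

# Number of world-writable entries under $1 (the "anyone can write" case).
count_world_writable() {
    find "$1" -perm -002 | wc -l | tr -d ' '
}

# Number of entries under $1 owned by user $2. For a tree run as user
# "tomcat" this should be 0: the service account must not own its own code.
count_owned_by() {
    find "$1" -user "$2" | wc -l | tr -d ' '
}

# Print what is wrong and return 1 if any check fails; $2 may be empty to
# skip the ownership check.
audit_catalina_home() {
    dir="$1"; svc_user="$2"; rc=0
    for check in count_world_accessible count_world_writable; do
        n=$("$check" "$dir")
        [ "$n" -eq 0 ] || { echo "$check: $n entries under $dir"; rc=1; }
    done
    if [ -n "$svc_user" ]; then
        n=$(count_owned_by "$dir" "$svc_user")
        [ "$n" -eq 0 ] || { echo "$n entries owned by service user $svc_user"; rc=1; }
    fi
    return $rc
}
```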