Yeah... this is a good point!
chmod 640 /etc/tomcat7/tomcat-users.xml
I guess it would be better to revoke the read right on the configuration files
('/etc/tomee/*') for 'other' users.
Regarding the file owners, I will think more about that before giving more
details, but at first sight it looks unnecessary. In the other packages,
root owns the files and they have a new group (if any). IMO, it looks
better.
[]s,
Thiago.
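The permission scheme discussed in this thread (root-owned files, the apachetomee group holding write access on the runtime trees, no 'other' read on the configuration, an idempotent account setup) as an added, runnable example. This is written for this page and is not the TomEE project's postinst. Paths, the version placeholder and the account name follow the thread; the PREFIX argument (a fake root such as a temporary directory, so the mode pass can be exercised without root), the constructed sample files, the constructed version string and the exact modes chosen (750/640 for the config tree, 2770/660 for the log and lib trees) are assumptions.

```sh
#!/bin/sh
# Added example, not the TomEE package's own postinst. Every path is taken
# relative to PREFIX (assumption) so the chmod pass can run unprivileged;
# the chown/useradd steps are skipped unless the script runs as root.
set -eu

TOMEE_USER=apachetomee
TOMEE_GROUP=apachetomee

# Create the service account idempotently: a postinst is re-run on upgrade,
# and a bare 'groupadd'/'useradd' fails once the account already exists.
tomee_create_account() {
    [ "$(id -u)" -eq 0 ] || return 0
    getent group "$TOMEE_GROUP" >/dev/null || groupadd --system "$TOMEE_GROUP"
    getent passwd "$TOMEE_USER" >/dev/null || \
        useradd --system -g "$TOMEE_GROUP" -s /usr/sbin/nologin \
            -d "/var/lib/tomee" "$TOMEE_USER"
}

# Ownership: root owns everything; the service group is how the running
# server gets access (the root:apachetomee scheme from the thread).
tomee_chown_tree() {
    prefix=$1; ver=$2
    [ "$(id -u)" -eq 0 ] || return 0
    for d in "$prefix/etc/tomee" "$prefix/var/log/tomee/$ver" \
             "$prefix/var/lib/tomee/$ver"; do
        chown -R root:"$TOMEE_GROUP" "$d"
    done
}

# Modes (assumed values): config readable only by root and the service group,
# runtime trees group-writable, nothing left readable by 'other'. Explicit
# per-type modes instead of a blanket 'chmod -R g+w' so that the existing
# o+r bits left by dpkg are cleared rather than inherited.
tomee_chmod_tree() {
    prefix=$1; ver=$2
    conf="$prefix/etc/tomee"
    find "$conf" -type d -exec chmod 750 {} +
    find "$conf" -type f -exec chmod 640 {} +
    for d in "$prefix/var/log/tomee/$ver" "$prefix/var/lib/tomee/$ver"; do
        # setgid on directories keeps files the server creates in the group
        find "$d" -type d -exec chmod 2770 {} +
        find "$d" -type f -exec chmod 660 {} +
    done
}

# Check: number of entries under the config tree that 'other' can still read.
# Non-zero means a credential file such as tomcat-users.xml is exposed.
tomee_count_world_readable() {
    find "$1/etc/tomee" -perm -o=r | wc -l | tr -d ' '
}

# Constructed sample tree in the permissive state dpkg would unpack it in.
tomee_make_fake_tree() {
    prefix=$1; ver=$2
    mkdir -p "$prefix/etc/tomee" "$prefix/var/log/tomee/$ver" \
             "$prefix/var/lib/tomee/$ver/webapps"
    echo '<tomcat-users/>' > "$prefix/etc/tomee/tomcat-users.xml"
    echo 'constructed log line' > "$prefix/var/log/tomee/$ver/catalina.out"
    chmod -R a+rX "$prefix"
}

mode_of() { stat -c '%a' "$1"; }

# Usage: sh this_script.sh demo  (runs the full pass against a temp dir)
if [ "${1:-}" = demo ]; then
    root=$(mktemp -d); ver=1.6.0   # constructed version string
    tomee_make_fake_tree "$root" "$ver"
    echo "world-readable config entries before: $(tomee_count_world_readable "$root")"
    tomee_create_account
    tomee_chown_tree "$root" "$ver"
    tomee_chmod_tree "$root" "$ver"
    echo "world-readable config entries after:  $(tomee_count_world_readable "$root")"
    rm -rf "$root"
fi
```

The check function is the part worth keeping around after packaging: running it against the real root on an installed box (prefix `/`) tells you whether the package left anything under /etc/tomee readable by every local user, which is exactly the tomcat-users.xml concern raised in the thread.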
On Wed, Mar 26, 2014 at 2:20 PM, Romain Manni-Bucau
<[email protected]> wrote:
> well I get the point but isn't it better to keep apachetomee?
>
> edit:
>
> tomcat does:
>
> chown -Rh root:$TOMCAT7_GROUP /etc/tomcat7/*
> chmod 640 /etc/tomcat7/tomcat-users.xml
> chown -Rh $TOMCAT7_USER:$TOMCAT7_GROUP /var/lib/tomcat7/webapps /var/lib/tomcat7/common /var/lib/tomcat7/server /var/lib/tomcat7/shared
> chmod 775 /var/lib/tomcat7/webapps
> chmod 775 /etc/tomcat7/Catalina /etc/tomcat7/Catalina/localhost
>
> so in between ;)
>
> BTW here is tomcat7 package
> http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/trusty/tomcat7/trusty/
>
> we should just do the same I guess
> Romain Manni-Bucau
> Twitter: @rmannibucau
> Blog: http://rmannibucau.wordpress.com/
> LinkedIn: http://fr.linkedin.com/in/rmannibucau
> Github: https://github.com/rmannibucau
>
>
>
> 2014-03-26 18:55 GMT+01:00 Thiago Veronezi <[email protected]>:
> > Hi,
> >
> > root is the owner of those files; apachetomee is the group. The installer
> > creates an apachetomee user with the apachetomee group.
> > The init.d/tomee script runs tomee with the apachetomee user.
> >
> > I'm reproducing what I have in my local /var directory...
> >
> > tveronezi@botodev:/var$ ls -l
> > total 44
> > drwxr-xr-x 2 root root 4096 Mar 23 07:58 backups
> > drwxr-xr-x 18 root root 4096 Apr 3 2013 cache
> > drwxrwsrwt 2 root whoopsie 4096 Mar 23 07:35 crash
> > drwxr-xr-x 2 root root 4096 Feb 13 2013 games
> > drwxr-xr-x 61 root root 4096 Mar 26 13:20 lib
> > drwxrwsr-x 2 root staff 4096 Apr 19 2012 local
> > lrwxrwxrwx 1 root root 9 Mar 26 10:01 lock -> /run/lock
> > drwxr-xr-x 15 root root 4096 Mar 26 13:20 log
> > drwxrwsr-x 2 root mail 4096 Feb 13 2013 mail
> > drwxr-xr-x 2 root root 4096 Feb 13 2013 opt
> > lrwxrwxrwx 1 root root 4 Mar 26 10:01 run -> /run
> > drwxr-xr-x 9 root root 4096 Oct 4 07:45 spool
> > drwxrwxrwt 2 root root 4096 Mar 26 13:38 tmp
> > tveronezi@botodev:/var$
> >
> >
> > []s,
> > Thiago.
> >
> >
> >
> > On Wed, Mar 26, 2014 at 1:48 PM, Romain Manni-Bucau
> > <[email protected]> wrote:
> >
> >> Hmm root? Generally you are not root but a specific or "middle" user; how
> >> does tomcat do it?
> >> ---------- Forwarded message ----------
> >> From: <[email protected]>
> >> Date: 26 Mar 2014 18:34
> >> Subject: svn commit: r1581959 -
> >> /tomee/tomee/trunk/tomee/tomee-deb/src/main/resources/control/postinst.sh
> >> To: <[email protected]>
> >>
> >> Author: tveronezi
> >> Date: Wed Mar 26 17:33:45 2014
> >> New Revision: 1581959
> >>
> >> URL: http://svn.apache.org/r1581959
> >> Log:
> >> improving security
> >>
> >> Modified:
> >>
> >> tomee/tomee/trunk/tomee/tomee-deb/src/main/resources/control/postinst.sh
> >>
> >> Modified:
> >> tomee/tomee/trunk/tomee/tomee-deb/src/main/resources/control/postinst.sh
> >> URL:
> >> http://svn.apache.org/viewvc/tomee/tomee/trunk/tomee/tomee-deb/src/main/resources/control/postinst.sh?rev=1581959&r1=1581958&r2=1581959&view=diff
> >>
> >>
> >> ==============================================================================
> >> ---
> >> tomee/tomee/trunk/tomee/tomee-deb/src/main/resources/control/postinst.sh
> >> (original)
> >> +++
> >> tomee/tomee/trunk/tomee/tomee-deb/src/main/resources/control/postinst.sh
> >> Wed Mar 26 17:33:45 2014
> >> @@ -9,9 +9,10 @@ ln -sf /var/lib/tomee/${tomeeVersion}/we
> >> groupadd apachetomee
> >> useradd apachetomee -g apachetomee
> >>
> >> -chown -R apachetomee:apachetomee /usr/share/tomee/${tomeeVersion}
> >> -chown -R apachetomee:apachetomee /var/log/tomee/${tomeeVersion}
> >> -chown -R apachetomee:apachetomee /var/lib/tomee/${tomeeVersion}
> >> +chown -R root:apachetomee /var/log/tomee/${tomeeVersion}
> >> +chown -R root:apachetomee /var/lib/tomee/${tomeeVersion}
> >> +chmod -R g+w /var/log/tomee/${tomeeVersion}
> >> +chmod -R g+w /var/lib/tomee/${tomeeVersion}
> >>
> >> update-rc.d tomee defaults
> >> echo "Reboot your machine or run 'service tomee start' to start the
> Apache
> >> TomEE server (version: ${tomeeVersion})"
> >> \ No newline at end of file
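Review bot: the removed `chown -R apachetomee:apachetomee /usr/share/tomee/${tomeeVersion}` has no replacement in this hunk, so that tree keeps whatever ownership and modes dpkg unpacked it with; if the intent is a root-owned, read-only install tree, state it with an explicit `chown -R root:root` (or `root:apachetomee` without group write) so the next reader does not have to guess. Two smaller points on the same hunk: the unchanged context lines `groupadd apachetomee` / `useradd apachetomee -g apachetomee` fail on reinstall or upgrade once the account exists, so guard them (`getent group apachetomee >/dev/null || groupadd --system apachetomee`) and give the service account `--system -s /usr/sbin/nologin`; and `chmod -R g+w` on the log and lib trees makes every file there writable by the running server while leaving existing 'other' read bits untouched, so anything holding credentials under those paths still needs an `o-rwx` pass (or explicit 640/660 modes), the same gap this thread already notes for tomcat-users.xml.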
> >>
>