Thanks Jason and Bob, this was very helpful.

On Thu, Jul 28, 2016 at 1:01 PM, gerald thomas <gerald17...@gmail.com> wrote:
> Noted!!!
> Collins can you correct as advised for security reasons.
>
> On Jul 28, 2016 9:57 AM, "Bob Jolliffe" <bobjolli...@gmail.com> wrote:
>
>> The reason why it is a risk is that if the web application gets
>> compromised then it is possible that an attacker gets access to the
>> machine with the privileges of the user running tomcat.
>>
>> If you scan back through the lists you will remember there was just
>> such a problem in December 2013 where a vulnerability in the Struts
>> library caused a number of servers to be hacked. The result was the
>> attacker was able to execute arbitrary code as the user running
>> tomcat. So this is not an abstract thing - it has happened and
>> (despite eternal vigilance) it can happen again.
>>
>> So it is really important that the user running the tomcat service (or
>> any other for that matter) has constrained privileges which allow it
>> to do what it needs to do and nothing else.
>>
>> Having said that, running tomcat as root is distressingly common. The
>> problem is that having done it once, the log files and any files which
>> tomcat writes are owned by root and so the only way people have to
>> restart the service is to do so as root. I can't count the number of
>> servers I have seen doing this.
>>
>> The correct solution, as Jason points out, is to stop the service and
>> then recursively change the ownership of all files and directories
>> used by the instance to the user which has been created to run the
>> service. Then startup again as that user.
>>
>> Note that (because this was such a common problem) the dhis2-startup
>> command used in dhis2-tools will refuse to run as root and ensures
>> that the instance is started under the correct user.
>>
>> On 28 July 2016 at 10:34, gerald thomas <gerald17...@gmail.com> wrote:
>> > Dear Jason,
>> > Bob always tells me it is a security risk but I was trying to figure out
>> > Collins' issue. Thanks again for the information.
>> >
>> > On Jul 28, 2016 9:13 AM, "Jason Pickering" <jason.p.picker...@gmail.com>
>> > wrote:
>> >>
>> >> Hi Collins and Gerald,
>> >>
>> >> You should not execute "sudo ./startup.sh" as this means your Tomcat will
>> >> run as the root user, which is generally a very bad idea.
>> >>
>> >> From the error, it looks like the user which owns the Tomcat directory
>> >> does not actually have access to the logs. So you should "chown" all of the
>> >> files to that user, and then start Tomcat up as a non-privileged user with
>> >> something like "sudo -u dhis ./startup.sh".
>> >>
>> >> Regards,
>> >> Jason
>> >>
>> >> On Thu, Jul 28, 2016 at 10:48 AM, gerald thomas <gerald17...@gmail.com>
>> >> wrote:
>> >>>
>> >>> Dear Collins,
>> >>> Can you please use sudo ./startup.sh
>> >>> Please share your output
>> >>>
>> >>> On Jul 28, 2016 08:36, "Knut Staring" <knu...@gmail.com> wrote:
>> >>>>
>> >>>> Hi Collins,
>> >>>>
>> >>>> Please use this mailing list: "dhis2-users@lists.launchpad.net"
>> >>>>
>> >>>> It seems as though something has happened to the user you are using to
>> >>>> run Tomcat. Make sure this Linux user has sufficient permissions.
>> >>>>
>> >>>> Knut
>> >>>>
>> >>>> ---------- Forwarded message ----------
>> >>>> From: Collins McAdoyo <collins.ad...@gmail.com>
>> >>>> Date: Thu, Jul 28, 2016 at 2:55 PM
>> >>>> Subject: Error when starting tomcat
>> >>>> To: Knut Staring <knu...@gmail.com>
>> >>>>
>> >>>> Hi Team,
>> >>>>
>> >>>> Hi Team, my dhis instance was running well but since today it has
>> >>>> started giving me errors as follows. Kindly any suggestions on how to
>> >>>> fix this?
>> >>>>
>> >>>> cxx@x:/tomcat-dhis/bin$ ./startup.sh
>> >>>> Using CATALINA_BASE: /tomcat-dhis
>> >>>> Using CATALINA_HOME: /usr/share/tomcat7
>> >>>> Using CATALINA_TMPDIR: /tomcat-dhis/temp
>> >>>> Using JRE_HOME: /usr/lib/jvm/java-8-oracle/
>> >>>> Using CLASSPATH: /usr/share/tomcat7/bin/bootstrap.jar:/usr/share/tomcat7/bin/tomcat-juli.jar
>> >>>> touch: cannot touch ‘/tomcat-dhis/logs/catalina.out’: Permission denied
>> >>>> /usr/share/tomcat7/bin/catalina.sh: 385: /usr/share/tomcat7/bin/catalina.sh: cannot create /tomcat-dhis/logs/catalina.out: Permission denied
>> >>>> --
>> >>>> This message was sent from Launchpad by
>> >>>> Collins McAdoyo (https://launchpad.net/~mcadoyo)
>> >>>> using the "Contact this team's admins" link on the DHIS 2 Users team page
>> >>>> (https://launchpad.net/~dhis2-users).
>> >>>> For more information see
>> >>>> https://help.launchpad.net/YourAccount/ContactingPeople
>> >>>>
>> >>>> --
>> >>>> Knut Staring
>> >>>> Dept. of Informatics, University of Oslo
>> >>>> Norway: +4791880522
>> >>>> Skype: knutstar
>> >>>> http://dhis2.org
>> >>>>
>> >>>> _______________________________________________
>> >>>> Mailing list: https://launchpad.net/~dhis2-users
>> >>>> Post to : dhis2-users@lists.launchpad.net
>> >>>> Unsubscribe : https://launchpad.net/~dhis2-users
>> >>>> More help : https://help.launchpad.net/ListHelp
>> >>
>> >> --
>> >> Jason P. Pickering
>> >> email: jason.p.picker...@gmail.com
>> >> tel:+46764147049
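
The fix described in the thread (never start Tomcat as root, and make sure everything under the instance directory belongs to the service user) can be written as a pre-start check. This is an added example, not code from the thread or from dhis2-tools; the function names are hypothetical, and `/tomcat-dhis` and the `dhis` user are taken from the messages above.

```shell
#!/bin/sh
# Added illustration: pre-start checks for a Tomcat instance that is run
# by a dedicated service account. All function names are hypothetical.

# Succeeds only when $1 is a numeric uid other than 0 (root).
is_unprivileged_uid() {
    case "$1" in
        ''|*[!0-9]*) return 2 ;;   # empty or not a number
    esac
    [ "$1" -ne 0 ]
}

# Prints every path under directory $1 that is NOT owned by numeric uid $2.
# These are the files a root-started Tomcat leaves behind (logs, temp, work).
foreign_owned() {
    find "$1" ! -uid "$2" -print
}

# Returns 0 when instance directory $1 is safe to start as uid $2.
preflight() {
    base=$1
    uid=$2
    is_unprivileged_uid "$uid" || {
        echo "refusing: uid '$uid' is root or not a number" >&2
        return 1
    }
    [ -d "$base" ] || {
        echo "no such instance directory: $base" >&2
        return 1
    }
    bad=$(foreign_owned "$base" "$uid")
    if [ -n "$bad" ]; then
        echo "not owned by uid $uid (stop Tomcat, then chown -R):" >&2
        echo "$bad" >&2
        return 1
    fi
    return 0
}

# Usage sketch (not executed here):
#   preflight /tomcat-dhis "$(id -u dhis)" \
#       && sudo -u dhis /tomcat-dhis/bin/startup.sh
```
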