Hi All,

Dan Tran wrote, concerning my security worries:

> David, I have tried this but based on my knowledge about unit file system
> security, I would suggest you to install both JRE and JRUN under a non
> root user id.

Reinstalling on my 'test' server allowed me to start jrun as the user I'd installed as. Now I didn't want to do all that on the working model, but it gave me some clues about where to look.
If I make all the files in /opt/Jrun/logs owned by apache, then I can start Jrun as that user. It appears that it was only write permission to the logs that was preventing me. There are a couple of details though. For some reason using 'su' to change users doesn't work, but 'sudo' does. Odd, but not important I think. Secondly, Jrun attempts to write to 'nohup.out' in whatever your current working directory is. So I have to cd to /opt/Jrun/logs first.
So our programmer has made the upload form reject jsps, and anything executed doesn't have sufficient privileges to trash the whole server.
Ideally, I still need to have a directory which jrun won't try to execute anything from. Is there any way to do that? As a last resort we could access the uploaded files from another virtual server, which is handled by apache alone. Doing it in a config option would minimise the reprogramming involved though.
Anyone know?
--
David Spacey
[EMAIL PROTECTED]
