Re: tomcat - nobody

2002-03-29 Thread Carsten Burstedde

How can I start tomcat as nobody/nobody?
Does a script exist?
What must I modify?

I assume you are talking linux?

For my setup, I created an extra tomcat user (account /home/tomcat) and installed
tomcat there. In the bootup script /etc/init.d/boot.local you can put a line like
- su -l -c where/is/tomcat start tomcat - or similar, and analogous things in the
halt script. You must make sure that all logging directories etc. are writable by
this user. So it would be best to put them somewhere under /home/tomcat too. You
can alternatively make the directory /var/log/tomcat and then a
- chown -R tomcat: /var/log/tomcat -.

Greetings,

Carsten



--
To unsubscribe:   mailto:[EMAIL PROTECTED]
For additional commands: mailto:[EMAIL PROTECTED]
Troubles with the list: mailto:[EMAIL PROTECTED]




Re: tomcat - nobody

2002-03-29 Thread Julien OIX

[EMAIL PROTECTED] wrote:
 
 Hi all,
 
 I have tomcat 4.0.3 installed with apache 1.3.23. All is ok but I have
 a question.
 I start apache as nobody/nobody and I'd like starting tomcat as
 nobody/nobody while now I'm starting tomcat as root/root.
 
 How can I start tomcat as nobody/nobody?
 Does a script exist?
 What must I modify?
 Please help me
 
 Thanks for your advice
 
 Laura
 
 

if U're on a linux machine, search for a file named tomcat4.conf (on
redhat, located in /etc/tomcat4/conf)
U'll find a line for definition of TOMCAT_USER.

I don't know if U can define the group elsewhere ...

hope this helps.

-- 
Julien OIX
Service Informatique de Gestion
Tél: 02 40 99 83 65
mail: [EMAIL PROTECTED]





Re: tomcat - nobody

2002-03-29 Thread [EMAIL PROTECTED]

Hi all,

let's see if I have understood.

If I use linux I must do:

1) chown nobody:nobody /usr/local/tomcat

2) Under conf dir I find tomcat4.conf and I have to modify this.

3) Restart tomcat - apache

Nothing else?

Am I right?

I have another question: I use linux on stage but in a production
environment I use solaris.
What can I do under solaris (8)?

Thanks for your help

Laura






Re: Tomcat Nobody

2002-03-29 Thread Nikola Milutinovic

 I have two considerations about your Tomcat-nobody advice:
 
 1) There is no tomcat4.conf in conf directory.
 
 2) Your advice is to do 
 - chown nobody:nobody /usr/local/tomcat1
 - su -l -c /usr/local/tomcat1/bin/startup.sh
 
 There is a big problem with this procedure, in my opinion: the problem 
 is a security problem. We know that Apache runs as nobody, but the 
 directories are root:root. The father process forks child processes 
 which are nobody, so if someone tries to execute a cgi, this has no 
 privilege. But if you execute chown nobody:nobody /usr/local/tomcat1, 
 all directories are nobody, so anyone can write and do everything.
 
 I'd like starting tomcat as apache, with the same security policy.

First of all, you need to know what you'll be protecting and from whom. I'd suggest 
user tomcat and group tomcat. The vital directories should be owned by 
root:tomcat. The files should be accessible to the tomcat user (which should be in 
group tomcat).

chown -R root:tomcat $CATALINA_HOME
find $CATALINA_HOME -type f -exec chmod 640 {} \;
find $CATALINA_HOME -type d -exec chmod 750 {} \;
chmod 750 $CATALINA_HOME/bin/*.sh

This way, only members of tomcat group can access those files. They should not be 
world readable, especially ./conf/, since you could be storing sensitive data there 
(database connection parameters, passwords, etc.). After this, you should be able to 
run Tomcat under user tomcat.

One word of caution: only root can open ports below TCP:1024. So, setting up an HTTP 
connector on port 80 will fail. 8080 and WARP should be fine.

This idea can be developed further, with virtual hosts placed in separate user 
accounts, both for Apache and Tomcat. The question of access will arise, of course. 
Owners of virtual hosts shouldn't be in the tomcat group. A directory where they would 
deploy their web applications should be accessible by Tomcat, but they should be able 
to upload content to it as well.

Nix.
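As an added example (not code from the thread or from Tomcat), the root:tomcat layout Nix describes above is written as a shell function and paired with an audit function that counts anything in the tree that is world-accessible, group-writable, or not owned by the expected owner and group, so the result can be checked rather than assumed. Owner and group are parameters because chown to root:tomcat needs root and an existing tomcat group; the names harden_tree and audit_tree are mine.

```shell
#!/bin/sh
# Added example, not from the thread. harden_tree applies the layout from the
# post above (root:tomcat, files 640, dirs 750, bin/*.sh 750); audit_tree
# counts what still violates that policy, so the change can be verified.

# harden_tree DIR OWNER GROUP   e.g. harden_tree "$CATALINA_HOME" root tomcat
harden_tree() {
    dir=$1 owner=$2 group=$3
    chown -R "$owner:$group" "$dir"
    find "$dir" -type f -exec chmod 640 {} \;
    find "$dir" -type d -exec chmod 750 {} \;
    # the tomcat user (a group member) still needs to execute the start scripts
    for f in "$dir"/bin/*.sh; do
        if [ -f "$f" ]; then chmod 750 "$f"; fi
    done
}

# audit_tree DIR OWNER GROUP: count every path that is readable, writable or
# executable by "other", writable by group, or not owned by OWNER:GROUP.
# Prints 0 when the tree matches the policy (e.g. nothing in conf/ is
# world-readable), a positive number otherwise.
audit_tree() {
    find "$1" \( ! -user "$2" -o ! -group "$3" \
        -o -perm -004 -o -perm -002 -o -perm -001 -o -perm -020 \) -print \
        | wc -l | tr -d ' '
}
```

Run audit_tree after every deployment or upgrade, since unpacking a new distribution or a WAR with a permissive umask silently reintroduces world-readable files.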



Re: Tomcat Nobody

2002-03-29 Thread Laura

Hi all,

I have followed your advice and it seems ok! Tomcat is started (with apache).
In my configuration I have apache + two tomcat (4.0.3) with load balancing (I 
use mod_jk).
I have seen, with top command, all my resources taken by the two tomcat.
Is it normal?

Must I configure something?

Thanks


Laura



At 14:17 on Friday, 29 March 2002, you wrote: