RE: Need help for a problem on migrating from Tomcat-8 to Tomcat-9
Hi Chris, I got your point. Actually, this service for us is a core service of our product, which control several core servers on it. But, we will Definity see the options to unblock the dependency as you said. Regards Rajib -Original Message- From: Christopher Schultz Sent: 27 February 2024 19:51 To: users@tomcat.apache.org Subject: Re: Need help for a problem on migrating from Tomcat-8 to Tomcat-9 [You don't often get email from ch...@christopherschultz.net. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ] Rajib, On 2/26/24 23:43, Saha, Rajib wrote: > Hi Mark, > > Thanks for your explanation and suggestion. > For my use case, I have used the below option and its working fine. > = > --ServiceUser="LocalSystem" > = > > Thank you very much for showing the way. I'm glad you got your service working. But. Your next task should be to determine why you need to run your service as (essentially) local-Administrator and fix it so you don't have to. Anyone who is able to take control of your application will have complete control of the local machine. This is a huge red-flag from a security standpoint. -chris > -Original Message- > From: Mark Thomas > Sent: 26 February 2024 14:23 > To: users@tomcat.apache.org > Subject: Re: Need help for a problem on migrating from Tomcat-8 to Tomcat-9 > > [You don't often get email from ma...@apache.org. Learn why this is important > at https://aka.ms/LearnAboutSenderIdentification ] > > On 26/02/2024 06:11, Saha, Rajib wrote: >> Hi Experts, >> >> In our product, we are using Tomcat [OriginalFileName: prunsrv.exe] for >> creating a service[Say, Service-A]. It's a huge product running in market >> for last 20 years. >> We are in progress of moving from Tomcat-8 to tomcat-9. >> >> When we are creating the Service-A with Tomcat-8 [tomcat8.exe]. In >> "Services" desktop app, we can see the service is created with "Local >> System" in "Log On as". >> When we are creating the Service-A with Tomcat-9 [tomcat9.exe]. in >> "Services" desktop app, we can see the service is created with "Local >> service" in "Log On as". >> >> Looks like "Local service" has less power than "Local System". >> Due to it, Service-A created with Tomcat-9 failing for several operation >> inside product. > > That should be a security concern. Local System is broadly equivalent to > local administrator. You generally don't want to be running Tomcat under > Local System. > >> Can somebody suggest, how we can create a service with tomcat-9, with the >> privilege of "Local System"? > > Have you looked at the documentation? > > https://tomcat.apache.org/tomcat-9.0-doc/windows-service-howto.html > > Look for "--ServiceUser" > > Mark > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Need help for a problem on migrating from Tomcat-8 to Tomcat-9
Rajib, On 2/26/24 23:43, Saha, Rajib wrote: Hi Mark, Thanks for your explanation and suggestion. For my use case, I have used the below option and its working fine. = --ServiceUser="LocalSystem" = Thank you very much for showing the way. I'm glad you got your service working. But. Your next task should be to determine why you need to run your service as (essentially) local-Administrator and fix it so you don't have to. Anyone who is able to take control of your application will have complete control of the local machine. This is a huge red-flag from a security standpoint. -chris -Original Message- From: Mark Thomas Sent: 26 February 2024 14:23 To: users@tomcat.apache.org Subject: Re: Need help for a problem on migrating from Tomcat-8 to Tomcat-9 [You don't often get email from ma...@apache.org. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ] On 26/02/2024 06:11, Saha, Rajib wrote: Hi Experts, In our product, we are using Tomcat [OriginalFileName: prunsrv.exe] for creating a service[Say, Service-A]. It's a huge product running in market for last 20 years. We are in progress of moving from Tomcat-8 to tomcat-9. When we are creating the Service-A with Tomcat-8 [tomcat8.exe]. In "Services" desktop app, we can see the service is created with "Local System" in "Log On as". When we are creating the Service-A with Tomcat-9 [tomcat9.exe]. in "Services" desktop app, we can see the service is created with "Local service" in "Log On as". Looks like "Local service" has less power than "Local System". Due to it, Service-A created with Tomcat-9 failing for several operation inside product. That should be a security concern. Local System is broadly equivalent to local administrator. You generally don't want to be running Tomcat under Local System. Can somebody suggest, how we can create a service with tomcat-9, with the privilege of "Local System"? Have you looked at the documentation? https://tomcat.apache.org/tomcat-9.0-doc/windows-service-howto.html Look for "--ServiceUser" Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Need help for a problem on migrating from Tomcat-8 to Tomcat-9
Hi Mark, Thanks for your explanation and suggestion. For my use case, I have used the below option and its working fine. = --ServiceUser="LocalSystem" = Thank you very much for showing the way. Regards Rajib -Original Message- From: Mark Thomas Sent: 26 February 2024 14:23 To: users@tomcat.apache.org Subject: Re: Need help for a problem on migrating from Tomcat-8 to Tomcat-9 [You don't often get email from ma...@apache.org. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ] On 26/02/2024 06:11, Saha, Rajib wrote: > Hi Experts, > > In our product, we are using Tomcat [OriginalFileName: prunsrv.exe] for > creating a service[Say, Service-A]. It's a huge product running in market for > last 20 years. > We are in progress of moving from Tomcat-8 to tomcat-9. > > When we are creating the Service-A with Tomcat-8 [tomcat8.exe]. In "Services" > desktop app, we can see the service is created with "Local System" in "Log On > as". > When we are creating the Service-A with Tomcat-9 [tomcat9.exe]. in "Services" > desktop app, we can see the service is created with "Local service" in "Log > On as". > > Looks like "Local service" has less power than "Local System". > Due to it, Service-A created with Tomcat-9 failing for several operation > inside product. That should be a security concern. Local System is broadly equivalent to local administrator. You generally don't want to be running Tomcat under Local System. > Can somebody suggest, how we can create a service with tomcat-9, with the > privilege of "Local System"? Have you looked at the documentation? https://tomcat.apache.org/tomcat-9.0-doc/windows-service-howto.html Look for "--ServiceUser" Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Need help for a problem on migrating from Tomcat-8 to Tomcat-9
On 26/02/2024 06:11, Saha, Rajib wrote: Hi Experts, In our product, we are using Tomcat [OriginalFileName: prunsrv.exe] for creating a service[Say, Service-A]. It's a huge product running in market for last 20 years. We are in progress of moving from Tomcat-8 to tomcat-9. When we are creating the Service-A with Tomcat-8 [tomcat8.exe]. In "Services" desktop app, we can see the service is created with "Local System" in "Log On as". When we are creating the Service-A with Tomcat-9 [tomcat9.exe]. in "Services" desktop app, we can see the service is created with "Local service" in "Log On as". Looks like "Local service" has less power than "Local System". Due to it, Service-A created with Tomcat-9 failing for several operation inside product. That should be a security concern. Local System is broadly equivalent to local administrator. You generally don't want to be running Tomcat under Local System. Can somebody suggest, how we can create a service with tomcat-9, with the privilege of "Local System"? Have you looked at the documentation? https://tomcat.apache.org/tomcat-9.0-doc/windows-service-howto.html Look for "--ServiceUser" Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org