"Pier P. Fumagalli" wrote:
>
> FYI... The next one I see on any mailing list suggesting to start tomcat
> (any version) from the RC files without changing user id will understand
> what it means to be flamed... :-/
Yep, that's definitely a bad thing.
[snip]
> I'm attaching a little C script that degrades the process to a specified
> user before executing it. To compile do "gcc -O2 safexec.c -o safexec" and to
> run, (for example catalina) do:
>
> safexec username $CATALINA_HOME/bin/catalina.sh start
>
> It's written for Solaris, but it should work also on Linux (maybe some
> compilation warning of some kind)... DO NOT INSTALL IT W/ SUID PRIVILEGES,
> otherwise anyone will be able to break into your machine _easily_... 'K?

My startup script (Linux) simply does this:

    daemon --user nobody $CATALINA_HOME/bin/catalina.sh start

That's one way you can execute commands from a script with the proper
user privileges. Another way I've seen is:

    su -l nobody -c '$CATALINA_HOME/bin/catalina.sh start'

That works too, but you usually have to mess around with redirects (by
adding, say, "< /dev/null > /dev/null 2>&1" to the end of that su
command).

> Let's try to be a LITTLE BIT security conscious here...
>
> Pier (in these days turned into a security freak!)
=)
I usually prefer putting "Paranoid" in front of my "Security Freak"
title, but that works too ;-)
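
Added example, not part of the original messages and not Pier's safexec.c (which is not reproduced on this page): a wrapper of the kind the thread describes, which switches to a named user and then executes a command, and which refuses to run when installed setuid. The function name drop_privileges and its return codes are assumptions made for this example.

```c
#define _DEFAULT_SOURCE /* initgroups() on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently switch this process to `user`; 0 on success, negative on failure. */
int drop_privileges(const char *user)
{
    struct passwd *pw;
    if (user == NULL || *user == '\0')
        return -1;
    /* Installed setuid/setgid? Refuse: any local user could then pick a target. */
    if (getuid() != geteuid() || getgid() != getegid())
        return -2;
    if ((pw = getpwnam(user)) == NULL)
        return -1;                  /* unknown account */
    if (pw->pw_uid == 0)
        return -3;                  /* target is root: nothing would be dropped */
    /* Order matters: supplementary groups, then gid, then uid. Once setuid()
     * succeeds the process may no longer change its groups. */
    if (initgroups(pw->pw_name, pw->pw_gid) != 0)
        return -4;
    if (setgid(pw->pw_gid) != 0)
        return -5;
    if (setuid(pw->pw_uid) != 0)
        return -6;
    /* Verify the drop is permanent: regaining uid 0 must fail. */
    if (setuid(0) == 0 || getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
        return -7;
    return 0;
}

int main(int argc, char **argv)
{
    int rc;
    if (argc < 3) {
        fprintf(stderr, "usage: %s username command [args...]\n", argv[0]);
        return 2;
    }
    if ((rc = drop_privileges(argv[1])) != 0) {
        fprintf(stderr, "privilege drop failed (%d), not running %s\n", rc, argv[2]);
        return 1;
    }
    execvp(argv[2], &argv[2]);
    perror("execvp");               /* only reached if exec failed */
    return 127;
}
```

Every failure path returns before execvp(), so the command never starts with root's identity when the switch did not fully succeed.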