A Yang wrote:
> 
> > /usr/local/tomcat doesn't necessarily have to be
> > owned by root. The only thing you need to do is make
> > sure that whichever user you run tomcat as has write
> > permissions to the logs, conf and work directories
> > (those are the only ones Tomcat writes to I think).
> 
> I was a little iffy about leaving the entire conf
> directory writable by the nobody group, so I wound up
> just checking the java exceptions and permitting group
> write access to the affected files - mostly they are
> the automatically generated files like *.conf-auto.

I'm sure that will work as long as you don't miss any. :)
Generally the idea is to have a 'root jail' or sandbox. The idea is that
the server (tomcat) will be able to read and possibly write anything in
its sandbox, but not read or write (especially not write) anything
outside of that. This will minimize a security exploit to being able to
trash the sandbox in most cases and not affect the rest of the system.
To truly implement this, native code would need to be called because
these are OS level calls, but you can get a rough approximation with
privileges.
 
> On a side note, I found that I was regenerating the
> Windows registry settings for redirecting IIS every
> time I started up Tomcat.
> 
> > This doesn't have to be 'nobody' though. You could
> > create a tomcat or www user for example.
> 
> Yes, I just figured I would use the same nobody user
> that apache was using.
> 
> Would it be best practices to have apache and tomcat
> running on separate, minimal userids?

That's probably a pretty good idea. This would allow you to limit the
ability of apache to read the 'raw' files that are intended to be served
by tomcat so that people couldn't snoop at your stuff (if you care about
that).

> > And if you want it to be owned by root, that's fine,
> > just use the group permissions to set the write
> > access.
> 
> Do you mean something like:
> 
>  1 -r--rw-r--     1 root     nobody    1024  foo

That's fine, but giving root write access won't hurt anything (if
someone has root privs, they can change the write privs anyway).

-- 
-------------------------------------------
Geoff Lane              <[EMAIL PROTECTED]>
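As an added illustration of the layout discussed above (root-owned tree, write access for the service group only in logs, conf and work), here is a small shell script, not from the thread or from Tomcat itself, that applies that layout and then audits the tree for anything else the group could write. The install path, the directory list and the `--audit` flag are assumptions; chown to root and the tomcat group is left to the administrator, and apply_layout needs root on a real install.

```shell
#!/bin/sh
# Hypothetical settings; adjust to your install (assumptions, not from the thread).
TOMCAT_HOME="${TOMCAT_HOME:-/usr/local/tomcat}"
WRITABLE_DIRS="logs conf work"

# Make the whole tree read-only for group and others, then re-enable group
# write only in the directories Tomcat actually writes to. Ownership
# (chown -R root:tomcat) is assumed to have been set separately.
apply_layout() {
    home="$1"
    chmod -R g-w,o-w "$home"
    for d in $WRITABLE_DIRS; do
        [ -d "$home/$d" ] && chmod -R g+w "$home/$d"
    done
}

# Print every path under $1 that is group- or world-writable but lies outside
# the allowed directories: these are the files a compromised Tomcat could
# alter beyond its intended sandbox. Empty output means the layout holds.
# (Paths are assumed not to contain spaces; $prune is deliberately unquoted.)
audit_writable() {
    home="$1"
    prune=""
    for d in $WRITABLE_DIRS; do
        prune="$prune -path $home/$d -prune -o"
    done
    # shellcheck disable=SC2086
    find "$home" $prune \( -perm -g=w -o -perm -o=w \) -print
}

# Usage: ./tomcat-perms.sh --audit   (reports stray writable files, changes nothing)
if [ "${1-}" = "--audit" ]; then
    audit_writable "$TOMCAT_HOME"
fi
```

Run the audit again after each exception you grant (such as the *.conf-auto files mentioned above) so the list of group-writable paths stays deliberate rather than accidental.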
