I have regularly been using Tomcat for years, but some of the security tips found in this book are valuable gems indeed. One such is installing Tomcat as a low- or non-privileged user like nobody. I know about the nobody user; starting Apache in this fashion, however, is handled by the binary, first as root to bind to port 80, then as nobody for requests.
(I'm aware of the work going on with commons-daemon, it is covered in TC:TDG. However, I'm more focused on getting a binary install of Tomcat running as nobody.)
Specifically I'll quote the book here...
"First, switch to the user that you'd like to run Tomcat as. This will ensure that all of Tomcat's files will start out with the correct Unix file permissions. For security reasons, you should probably run Tomcat as the nobody user or create a new tomcat user with similarly low privileges. We suggest setting that user's login shell to /bin/false and locking the user's password so that it can't be guessed."
Later, under notes on installing on Mac OS X, the authors offer a directory listing showing a Tomcat install under the nobody user.
Okay, so I know the su - [username] -s [shell] command. But how do I log in as a user without knowing, or the user having, a password? My best first guess is, su as root then:
    % su
    Password:
    # su -m nobody -s /bin/bash
Thoughts? Okay, say the above is legit and Tomcat installed (tar -zvfx ...) as said user.
Now, how do I start Tomcat as said user? It seems defeatist, at best, to have to log in as root to start Tomcat. If I set permissions say 750 (rwxr-x---, this permission is shown in the aforementioned Mac OS X directory listing) when I log in as an administrative user...
I'm doing development here, so maybe this is overkill, but developing closer to the production environment could be argued as a good thing.
Much thanks in advance for answers and thoughts, Tim
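
The account settings in the quoted book passage (login shell /bin/false, locked password) and the 750 permissions mentioned above can be checked with a short script. This is an added example, not part of the original message or the book; it assumes Linux-style passwd and shadow entries, and the function names and tomcat sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a low-privilege Tomcat account and install tree.
# All names and sample lines are constructed for illustration.

# account_shell_ok PASSWD_LINE: succeed if field 7 is a non-login shell.
account_shell_ok() {
    field=$(printf '%s\n' "$1" | cut -d: -f7)
    case "$field" in
        /bin/false|/usr/bin/false|/sbin/nologin|/usr/sbin/nologin) return 0 ;;
        *) return 1 ;;
    esac
}

# password_locked SHADOW_LINE: succeed if field 2 starts with '!' or '*',
# so no typed password can match. An empty field (no password) fails.
password_locked() {
    field=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$field" in
        '!'*|'*'*) return 0 ;;
        *) return 1 ;;
    esac
}

# world_accessible DIR: print every path under DIR that grants any
# permission bit to "other", which mode 750 (rwxr-x---) never does.
world_accessible() {
    find "$1" ! -type l \( -perm -001 -o -perm -002 -o -perm -004 \) -print
}

# Demo on constructed passwd/shadow entries (not from a real host).
PASSWD_LINE='tomcat:x:991:991:Tomcat:/opt/tomcat:/bin/false'
SHADOW_LINE='tomcat:!:19000:0:99999:7:::'
if account_shell_ok "$PASSWD_LINE"; then echo "shell: non-interactive"; fi
if password_locked "$SHADOW_LINE"; then echo "password: locked"; fi
```

On a real host the two lines would come from getent passwd and, as root, getent shadow, and world_accessible would be pointed at the Tomcat install directory.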
