Hi all,

I have followed your advice and it seems OK! Tomcat is started (with Apache).
In my configuration I have Apache + two Tomcats (4.0.3) with load balancing (I 
use mod_jk).
I have seen, with the top command, all my resources taken by the two Tomcats.
Is it normal?

Must I configure something?

Thanks


Laura



At 14:17, Friday 29 March 2002, you wrote:
> > I have two considerations about your Tomcat-nobody advice:
> > 
> > 1) There is no tomcat4.conf in the conf directory.
> > 
> > 2) Your advice is to do 
> >    - chown nobody:nobody /usr/local/tomcat1
> >    - su -l -c /usr/local/tomcat1/bin/startup.sh
> > 
> > There is a big problem with this procedure, in my opinion: the problem 
> > is a security problem. We know that Apache runs as nobody, but the 
> > directories are root:root. The parent process forks child processes 
> > which run as nobody, so if someone tries to execute a CGI, it has no 
> > privilege. But if you execute "chown nobody:nobody /usr/local/tomcat1", 
> > all directories are nobody, so anyone can write and do everything.
> > 
> > I'd like to start Tomcat like Apache, with the same security policy.
>
> 
> First of all, you need to know what you'll be protecting and from whom. I'd
> suggest user "tomcat" and group "tomcat". The vital directories should be
> owned by "root:tomcat". The files should be accessible to the tomcat user
> (which should be in group tomcat). 
> chown -R root:tomcat $CATALINA_HOME
> find $CATALINA_HOME -type f -exec chmod 640 {} \;
> find $CATALINA_HOME -type d -exec chmod 750 {} \;
> chmod 750 $CATALINA_HOME/bin/*.sh
> 
> This way, only members of the "tomcat" group can access those files. They
> should not be world readable, especially "./conf/", since you could be
> storing sensitive data there (database connection parameters, passwords,
> etc.). After this, you should be able to run Tomcat under user "tomcat". 
> One word of caution: only root can open ports below TCP:1024. So, setting
> up an HTTP connector on port 80 will fail. 8080 and WARP should be fine. 
> This idea can be developed further, with virtual hosts placed in separate
> user accounts, both for Apache and Tomcat. The question of access will
> arise, of course. Owners of virtual hosts shouldn't be in the "tomcat" group. A
> directory where they would deploy their web applications should be
> accessible by Tomcat, but they should be able to upload content to it as
> well. 
> Nix.

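The permission scheme in Nix's quoted reply, carried through as an added example that is not code from either poster: it applies the root:tomcat ownership with 640/750 modes to a constructed CATALINA_HOME tree, then audits that nothing is left readable or writable by "other", that everything is owned by the intended user and group, and that no Connector in server.xml sits on a port below 1024. Beyond what the thread says, it assumes that logs/, work/ and temp/ must be writable by the tomcat group (Tomcat writes logs and compiled JSPs there), and it takes the owner and group as parameters so the demo runs without root.

```shell
#!/bin/sh
# Added example (not code from the thread): apply the root:tomcat permission
# scheme Nix describes to a CATALINA_HOME, then audit the result.
# Assumptions beyond the thread: logs/, work/ and temp/ are made writable by
# the tomcat group, and owner/group are parameters so the demo runs unprivileged.
set -eu

# harden_catalina_home DIR OWNER GROUP
# Files 640, directories 750, shell scripts 750, everything OWNER:GROUP.
harden_catalina_home() {
    dir=$1 owner=$2 group=$3
    chown -R "$owner:$group" "$dir"
    find "$dir" -type f -exec chmod 640 {} \;
    find "$dir" -type d -exec chmod 750 {} \;
    chmod 750 "$dir"/bin/*.sh
    # Runtime directories (assumption): Tomcat writes logs and compiled JSPs here.
    for d in logs work temp; do
        if [ -d "$dir/$d" ]; then chmod 770 "$dir/$d"; fi
    done
}

# audit_catalina_home DIR OWNER GROUP -> 0 when the scheme holds, 1 otherwise.
audit_catalina_home() {
    dir=$1 owner=$2 group=$3 bad=0
    # Any entry readable or writable by "other" defeats the scheme
    # (conf/ holding database passwords is the case that matters most).
    n=$(find "$dir" \( -perm -004 -o -perm -002 \) | wc -l | tr -d ' ')
    if [ "$n" -ne 0 ]; then
        echo "world-accessible entries under $dir: $n" >&2; bad=1
    fi
    # Anything owned by someone else (e.g. a webapp copied in by another user)
    # is either unreadable by Tomcat or outside root's control.
    n=$(find "$dir" \( ! -user "$owner" -o ! -group "$group" \) | wc -l | tr -d ' ')
    if [ "$n" -ne 0 ]; then
        echo "entries not owned by $owner:$group under $dir: $n" >&2; bad=1
    fi
    # startup.sh and friends must stay executable for the group or Tomcat will not start.
    for s in "$dir"/bin/*.sh; do
        if [ ! -x "$s" ]; then echo "not executable: $s" >&2; bad=1; fi
    done
    return "$bad"
}

# check_connector_ports SERVER_XML -> 1 if a Connector uses a port below 1024,
# which an unprivileged tomcat user cannot bind (Nix's caveat about port 80).
check_connector_ports() {
    low=0
    for p in $(sed -n 's/.*<Connector[^>]*port="\([0-9]*\)".*/\1/p' "$1"); do
        if [ "$p" -lt 1024 ]; then
            echo "Connector port $p needs root; use 8080 behind mod_jk instead" >&2
            low=$((low + 1))
        fi
    done
    [ "$low" -eq 0 ]
}

# make_sample_tree DIR: a constructed, minimal CATALINA_HOME in the
# world-readable state a fresh unpack leaves behind.
make_sample_tree() {
    dir=$1
    mkdir -p "$dir/bin" "$dir/conf" "$dir/logs" "$dir/work" "$dir/webapps/ROOT"
    printf '#!/bin/sh\necho starting\n' > "$dir/bin/startup.sh"
    printf '<Server port="8005">\n<Connector port="8080"/>\n<Connector port="8009" protocol="AJP/1.3"/>\n</Server>\n' > "$dir/conf/server.xml"
    printf 'jdbc.password=constructed-secret\n' > "$dir/conf/db.properties"
    printf 'hello\n' > "$dir/webapps/ROOT/index.html"
    chmod -R a+rX "$dir"
}

# demo: build the tree, show the audit failing before and passing after
# hardening. Uses the current user and group so it runs without root.
demo() {
    me=$(id -un) mygrp=$(id -gn)
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    if audit_catalina_home "$tmp" "$me" "$mygrp" 2>/dev/null; then
        echo "audit passed before hardening; something is wrong" >&2
        rm -rf "$tmp"; return 1
    fi
    harden_catalina_home "$tmp" "$me" "$mygrp"
    if audit_catalina_home "$tmp" "$me" "$mygrp" && check_connector_ports "$tmp/conf/server.xml"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"
    return "$rc"
}
```

On a real host, once the tomcat user and group exist, run `harden_catalina_home /usr/local/tomcat1 root tomcat` as root and then `audit_catalina_home /usr/local/tomcat1 root tomcat`; with two instances as in Laura's setup, apply it to each CATALINA_HOME. The `demo` function exercises the same code against a throwaway tree under the current user so the logic can be tried without privileges.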