Hi all,

I have followed your advice and it seems OK! Tomcat is started (with Apache). In my configuration I have Apache + two Tomcat (4.0.3) with load balancing (I use mod_jk). I have seen, with the top command, all my resources taken by the two Tomcats. Is it normal? Must I configure something?

Thanks
Laura

At 14:17, Friday 29 March 2002, you wrote:
> > I have two considerations about your Tomcat-nobody advice:
> >
> > 1) There is no tomcat4.conf in the conf directory.
> >
> > 2) Your advice is to do
> >    - chown nobody:nobody /usr/local/tomcat1
> >    - su -l -c /usr/local/tomcat1/bin/startup.sh
> >
> > There is a big problem with this procedure, in my opinion: the problem
> > is a security problem. We know that Apache runs as nobody, but the
> > directories are root:root. The father process forks child processes
> > which are nobody, so if someone tries to execute a CGI, this has no
> > privilege. But if you execute "chown nobody:nobody /usr/local/tomcat1",
> > all directories are nobody, so anyone can write and do everything.
> >
> > I'd like to start Tomcat as Apache, with the same security policy.
>
> First of all, you need to know what you'll be protecting and from whom. I'd
> suggest user "tomcat" and group "tomcat". The vital directories should be
> owned by "root:tomcat". The files should be accessible to the tomcat user
> (which should be in group tomcat).
>
>   chown -R root:tomcat $CATALINA_HOME
>   find $CATALINA_HOME -type f -exec chmod 640 {} \;
>   find $CATALINA_HOME -type d -exec chmod 750 {} \;
>   chmod 750 $CATALINA_HOME/bin/*.sh
>
> This way, only members of the "tomcat" group can access those files. They
> should not be world readable, especially "./conf/", since you could be
> storing sensitive data there (database connection parameters, passwords,
> etc.). After this, you should be able to run Tomcat under user "tomcat".
>
> One word of caution: only root can open ports below TCP:1024. So, setting
> up an HTTP connector on port 80 will fail. 8080 and WARP should be fine.
>
> This idea can be developed further, with virtual hosts placed in separate
> user accounts, both for Apache and Tomcat. The question of access will
> arise, of course. Owners of virtual hosts shouldn't be in the "tomcat" group.
> A directory where they would deploy their web applications should be
> accessible by Tomcat, but they should be able to upload content to it as
> well.
>
> Nix.
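As an added example, not part of the thread and not Nix's or the Tomcat project's code: a POSIX shell script that applies the root:tomcat / 640 / 750 scheme quoted above to a tree and then audits it for anything still reachable by "other" (the class Apache's nobody children fall in). The directory and group name are parameters; the chown step runs only as root with an existing group, and the sample tree it works on is constructed here.

```shell
#!/bin/sh
# Added example, not from the original thread. Applies the scheme quoted
# above (root:GROUP owner, files 640, dirs 750, bin/*.sh 750) and audits
# the result. DIR and GROUP are parameters; the chown step needs root and
# an existing group, so it is skipped otherwise and only the modes change.

harden_tomcat_tree() {                     # usage: harden_tomcat_tree DIR GROUP
    dir="$1"; grp="$2"
    [ -d "$dir" ] || return 1
    if [ "$(id -u)" -eq 0 ] && getent group "$grp" >/dev/null 2>&1; then
        chown -R "root:$grp" "$dir"
    else
        echo "note: not root or group '$grp' missing, skipping chown" >&2
    fi
    find "$dir" -type f -exec chmod 640 {} \;
    find "$dir" -type d -exec chmod 750 {} \;
    chmod 750 "$dir"/bin/*.sh 2>/dev/null || true   # no scripts is not an error
}

# Lists every path under DIR that "other" can read, write or execute,
# i.e. what Apache's nobody children (and any local user) could reach.
# Returns 0 when nothing is exposed, 1 otherwise.
audit_world_access() {                     # usage: audit_world_access DIR
    exposed=$(find "$1" \( -perm -o=r -o -perm -o=w -o -perm -o=x \) -print)
    [ -z "$exposed" ] && return 0
    printf '%s\n' "$exposed"
    return 1
}

# Constructed stand-in for $CATALINA_HOME, left wide open on purpose
# (the state "chown nobody:nobody" plus a permissive umask leaves you in).
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/conf" "$root/bin" "$root/webapps/ROOT"
    printf '<!-- constructed: db password would live here -->\n' > "$root/conf/server.xml"
    printf '#!/bin/sh\necho starting\n' > "$root/bin/startup.sh"
    printf 'hello\n' > "$root/webapps/ROOT/index.html"
    chmod -R a+rwX "$root"
    printf '%s\n' "$root"
}

# Demo: build the sample tree, harden it, then audit (exit status 0 = clean).
# T=$(make_sample_tree); harden_tomcat_tree "$T" tomcat; audit_world_access "$T"
```

Run the audit again after every deployment or upgrade: unpacking a new Tomcat release or a WAR as root with the default umask quietly recreates world-readable files under conf/.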