"Nikola Milutinovic" <[EMAIL PROTECTED]> writes:

hello,

> If you're running Tomcat-standalone, then you need <Host> elements,
> but in Warp it should work without them. I think Warp Engine should
> ignore <Host> elements. Or maybe it doesn't. Maybe it is used to
> setup different "appBase"-s for each of the vhosts.

yop... i use it for the appBase's.

> > do i need any additional security settings to e.g. prevent users
> > from deleting files owned by the tomcat uid?

> You'd have this problem with Apache VHost as well. How do you make
> it possible for one user (httpd) to access directories in several
> other users' homes and still prevent individual users access to each
> other's files? I'm using ACLs on Tru64 UNIX for that. Does Linux have
> ACLs? (Access Control List, just like on Windows NT or, originally,
> on VMS).

one possibility would be to put all users in the same group and
disallow all access rights to the group. read access for "others"
would be set, so that apache which isn't in the same group as the user
does have the possibility to read the files.

there are several acl patches for linux too, but i haven't tried them
out yet.

> I make each vhost user a member of group "httpd", make his
> public_html accessible to group (to let Apache in), his home dir is
> set to "rwx------" + ACL "user:httpd:r-x". That way I have
> security. For Tomcat, I'd make tomcat user a member of "httpd"
> group, add ACL for "user:tomcat:r-x" and set $USER/webapp to have
> rwxr-x--- access rights, just like public_html.

hmm.. with apache i only use suexec for all cgi and php stuff. when
using tomcat each user does have the possibility to execute java code
under the tomcat uid.

according to the docs (haven't tried it out yet) i can set a security
policy in catalina.policy. is this enough to prevent users from snooping on
other users via tomcat? is there something similar to php's safemode
where each user can only read files owned by his uid?

cu
/gst
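
The same-group scheme from this message, modelled as an added example that is not part of the original post. It applies the classic Unix mode-bit check (no ACLs, root ignored) to show which accounts can read a user's file, including a process running under the tomcat uid. The account names, the group name "vhosts" and the mode 0604 are constructed for illustration.

```python
# Model of the classic Unix permission check without ACLs: exactly one
# class of mode bits applies (owner, else group, else other) and there is
# no fall-through from a denying class to a more permissive one.
from dataclasses import dataclass

READ = 4


@dataclass(frozen=True)
class Proc:
    uid: str
    groups: frozenset


@dataclass(frozen=True)
class File:
    owner: str
    group: str
    mode: int  # octal mode bits, e.g. 0o604


def may_access(proc, f, want=READ):
    """Return True if proc gets the wanted bits on f under the classic check."""
    if proc.uid == f.owner:
        bits = (f.mode >> 6) & 7      # owner class
    elif f.group in proc.groups:
        bits = (f.mode >> 3) & 7      # group class, even if it grants less than "other"
    else:
        bits = f.mode & 7             # other class
    return bits & want == want


# Constructed sample: all vhost users share group "vhosts"; group gets nothing,
# "other" gets read so the web server (outside the group) can serve the file.
alice_file = File(owner="alice", group="vhosts", mode=0o604)
alice = Proc("alice", frozenset({"vhosts"}))
bob = Proc("bob", frozenset({"vhosts"}))
apache = Proc("httpd", frozenset({"httpd"}))
tomcat = Proc("tomcat", frozenset({"tomcat"}))  # any user's webapp code runs as this uid


def report():
    """Map each account to whether it can read alice's file."""
    return {p.uid: may_access(p, alice_file) for p in (alice, bob, apache, tomcat)}


if __name__ == "__main__":
    for uid, ok in report().items():
        print(f"{uid:8s} can read alice's file: {ok}")
```

bob's own login is denied because the group class matches first, but the tomcat uid falls into "other" and can read the file, so filesystem modes alone do not separate webapps that share that uid.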


