Wow, how do you know all this stuff? :) I will certainly have to pick up a book on System Administration....

As far as what I meant by "logged in as root" - when I boot my server it prompts me for a user name and password. I enter root and the password. Then leave the box be and do my work as the user I created, from my workstation. So rather, instead of doing this, it is better to be entering my created user account and password?

Can a user belong to more than one group? For example, if user denise belongs to group tomcat and was owner of all webapps, could denise belong to group apache as well so denise has rights to all apache files?

Well, thanks...yet again!! Looks like I am headed to the bookstore tonight! :)

(btw, going to close the office door tomorrow morning, get a large cup of coffee - and sit down to tackle mod_jk again tomorrow)

On a side note, to answer Ken, I am the only one working with Apache/Tomcat and my Linux box - or rather trying to ; )

Denise Mangano
Help Desk Analyst
Complus Data Innovations, Inc.

-----Original Message-----
From: Turner, John [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 17, 2002 3:11 PM
To: 'Tomcat Users List'
Subject: [OFF-TOPIC] RE: Naïve question about root

Hi -

Not sure what you mean about "logged in as root". Apache and Tomcat are services; there is no need for anyone to be "logged in" to run them. Apache needs to "run as root" to bind to port 80 (root is required to bind to port numbers < 1024; this is by design in UNIX/Linux), but forks child processes to handle actual HTTP requests. Those child processes do not run as root.

Root should only be allowed under two situations: physically sitting in front of the system console (the keyboard and monitor physically connected to the box), or after successfully logging in as a non-root user via SSH. Logging in as root, even over SSH, via network is bad practice, because you always want to know who is logging in as root.

If Bob and Alice both log in as root over a network without first logging in with their respective usernames, and one of them does something evil or stupid, you would have no way of knowing which one of them did it (generally speaking). However, if they both log in as Bob and Alice, then Alice switches to root from a command line using "su", then does something evil, the switch to root will be in the system logs and you can track it.

In general, it is NOT safe to leave your box "logged in as root". That's dangerous practice, but can be expected from someone new to systems administration. You're much better off, though, understanding what services are, how to start them, how to stop them, and how to make sure they run without needing a user logged in.

Best practice is to SSH as a non-root user (for example, denise) to the box. Then su to root by typing "su -" and hitting return. This says "switch to root and use root's profile". You'll be prompted for root's password. Then start Apache. As soon as you are done with Apache, type "exit" and hit return. Now you are back to denise.

To run Tomcat, most people create a user called tomcat. Then they su to tomcat with "su - tomcat" and then type something like "$CATALINA_HOME/bin/startup.sh". Once Tomcat starts successfully, you type "exit" again and you are back to denise.

At that point, as denise, is the point where you want to start editing files, writing source, etc. Doing so as root is bad practice, as with root you will never get a warning about something...root can do anything at any time anywhere on the system. It only takes half a dozen keystrokes or so to ruin your server for good, and unless you're really good with restoring from backup tapes, you will probably need to reinstall.

In general, your webapp files should be owned by someone like denise, and be in the group called "tomcat". There should be a user tomcat and a group tomcat. By letting your application files exist with tomcat group permissions, you can have the tomcat user execute them without having to edit them as tomcat user. A less elegant solution is to just edit your files as denise, then su to root, then type something like "chown -R tomcat:tomcat $CATALINA_HOME" and hit return. That will set the owner and group of everything from CATALINA_HOME down recursively to tomcat owner, tomcat group. But then you would have to give root to every developer, which is not cool.

To answer your last question about "almost" root, there are any number of different levels of permissions on a UNIX/Linux system; it's not as simple as "root" or "not root". If you want people to be able to do things as root without actually being root or having the root password, you can use a tool called sudo (which is short for "su do"). So, denise would log in, and let's say you wanted to change the owner and group on every file in CATALINA_HOME. You would type "sudo chown -R tomcat:tomcat $CATALINA_HOME" and then you would be prompted for the sudo password (not the same as root password). If the right password was given, the command would be performed AS IF the user was root, but only that command. After a configured amount of time (5 minutes, immediately, whatever), the user would lose sudo permissions and revert back to a regular user.

Sys-admin can get pretty involved...if you are putting things in production, you will want to be concerned with these things, if only to protect the stability of your server and the information contained on it. I would recommend picking up a book or two, maybe O'Reilly's "Essential System Administration" along with O'Reilly's "UNIX in a Nutshell" or any other good Linux systems administration book.

HTH
John

> -----Original Message-----
> From: Denise Mangano [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, December 17, 2002 2:53 PM
> To: 'Tomcat Users List'
> Subject: Naïve question about root
>
> I know this is a naïve question, and slightly irrelevant to the newsgroup...
>
> I keep getting told left and right not to work as root. I heeded this advice a while back and created a user. Here is the thing. My RH 7.3 box, running Apache 1.3.27 & Tomcat 3.1.17 (no I haven't gotten them connected with mod_jk yet:) ) is logged in as root. But I work on my files through a secure shell from my workstation, where I log in as the user I created. Is it not safe to leave my box logged in as root?
>
> My concern is when people access my website can they somehow get into my box and wreak havoc? For example with my current setup people are accessing a website hosted on a machine that is logged in with root access.... Is it better that I sign in on the actual box as this created user only changing login to root as needed or does the logon of the actual box not matter as long as I am not messing around as root...? If I should sign onto the box as this user, how can I make sure this user has rights to Apache and Tomcat? (as of right now this user has rights to execute java commands, but I am not sure if there is anything special I need to do for apache and tomcat). On a side note is there any way to create a user that has "almost" root access but can't do the damage root can do?
>
> Again naïve, but thought I would throw it out here anyway :) Thanks!!
>
> Denise Mangano
>
> --
> To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
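The ownership scheme John describes (developer owns the webapp files, the tomcat group can read and traverse them, nobody else can touch them) written out as a script. This is an added example, not code from the thread; the directory layout and file names are constructed, and chown is only attempted when the script runs as root, so the mode bits can be tried in a scratch directory as an ordinary user.

```shell
#!/bin/sh
# Added example: apply "developer owns it, tomcat group runs it" to a
# webapp tree. Owner and group names are parameters; nothing here is
# specific to a real installation.
set -e

# set_webapp_perms DIR OWNER GROUP
#   OWNER (the developer) gets read/write; GROUP (tomcat) gets read plus
#   execute on directories and on files that already have an execute bit
#   (that is what the capital X in chmod means); everyone else gets nothing.
#   The setgid bit on directories makes files created later inherit GROUP
#   rather than the creator's primary group, so a newly edited file is
#   still runnable by the tomcat user without a follow-up chown.
set_webapp_perms() {
    dir=$1; owner=$2; group=$3
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner:$group" "$dir"      # needs root (or sudo)
    fi
    chmod -R u=rwX,g=rX,o= "$dir"
    find "$dir" -type d -exec chmod g+s {} +
}

# mode_of PATH -> the ten-character mode string, e.g. drwxr-s---
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Demonstration on a constructed scratch tree (names are made up).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/webapps/shop/WEB-INF"
    printf '<html></html>\n' > "$tmp/webapps/shop/index.html"
    printf '#!/bin/sh\n' > "$tmp/webapps/shop/WEB-INF/run.sh"
    chmod 777 "$tmp/webapps/shop/WEB-INF/run.sh"   # deliberately too open
    set_webapp_perms "$tmp/webapps" "$(id -un)" "$(id -gn)"
    mode_of "$tmp/webapps/shop"                  # drwxr-s---
    mode_of "$tmp/webapps/shop/index.html"       # -rw-r-----
    mode_of "$tmp/webapps/shop/WEB-INF/run.sh"   # -rwxr-x---
    rm -rf "$tmp"
}
```

Run `demo` as a regular user to see the resulting modes; on a real server, call `set_webapp_perms $CATALINA_HOME/webapps denise tomcat` under sudo so the chown step takes effect.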
