I'm curious - what are you trying to implement via tomcat? A specific servlet service or to support some jsp, or just have it there for a developer team to come in and write custom code for?
Denise Mangano wrote:
>
> Wow, how do you know all this stuff? :) I will certainly have to pick up a
> book on System Administration....
>
> As far as what I meant by "logged in as root" - when I boot my server it
> prompts me for a user name and password. I enter root and the password.
> Then leave the box be and do my work as the user I created, from my
> workstation. So rather, instead of doing this, it is better to be entering
> my created user account and password?
>
> Can a user belong to more than one group? For example if user denise
> belongs to group tomcat and was owner of all webapps, could denise belong to
> group apache as well so denise has rights to all apache files?
>
> Well, thanks...yet again!! Looks like I am headed to the bookstore tonight!
> :) (btw, going to close the office door tomorrow morning, get a large cup
> of coffee - and sit down to tackle mod_jk again tomorrow)
>
> On a side note, to answer Ken, I am the only one working with Apache/Tomcat
> and my Linux box - or rather trying to ; )
>
> Denise Mangano
> Help Desk Analyst
> Complus Data Innovations, Inc.
>
> -----Original Message-----
> From: Turner, John [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, December 17, 2002 3:11 PM
> To: 'Tomcat Users List'
> Subject: [OFF-TOPIC] RE: Naïve question about root
>
> Hi -
>
> Not sure what you mean about "logged in as root". Apache and Tomcat are
> services, there is no need for anyone to be "logged in" to run them.
>
> Apache needs to "run as root" to bind to port 80 (root is required to bind
> to port numbers < 1024, this is by design in UNIX/Linux), but forks child
> processes to handle actual HTTP requests. Those child processes do not
> run as root.
>
> Root should only be allowed under two situations: physically sitting in
> front of the system console (the keyboard and monitor physically connected
> to the box), or after successfully logging in as a non-root user via SSH.
> Logging in as root, even over SSH, via network is bad practice, because you
> always want to know who is logging in as root. If Bob and Alice both log in
> as root over a network without first logging in with their respective
> usernames, and one of them does something evil or stupid, you would have no
> way of knowing which one of them did it (generally speaking). However, if
> they both log in as Bob and Alice, then Alice switches to root from a
> command line using "su", then does something evil, the switch to root will
> be in the system logs and you can track it.
>
> In general, it is NOT safe to leave your box "logged in as root". That's
> dangerous practice, but can be expected from someone new to systems
> administration. You're much better off, though, understanding what services
> are, how to start them, how to stop them, and how to make sure they run
> without needing a user logged in.
>
> Best practice is to SSH as a non-root user (for example, denise) to the box.
> Then su to root by typing "su -" and hitting return. This says "switch to
> root and use root's profile". You'll be prompted for root's password. Then
> start Apache. As soon as you are done with Apache, type "exit" and hit
> return. Now you are back to denise. To run Tomcat, most people create a
> user called tomcat. Then they su to tomcat with "su - tomcat" and then type
> something like "$CATALINA_HOME/bin/startup.sh". Once Tomcat starts
> successfully, you type "exit" again and you are back to denise.
>
> At that point, as denise, is the point where you want to start editing
> files, writing source, etc. Doing so as root is bad practice, as with root
> you will never get a warning about something...root can do anything at
> anytime anywhere on the system. It only takes half a dozen keystrokes or so
> to ruin your server for good, and unless you're really good with restoring
> from backup tapes, you will probably need to reinstall.
>
> In general, your webapp files should be owned by someone like denise, and be
> in the group called "tomcat". There should be a user tomcat and a group
> tomcat. By letting your application files exist with tomcat group
> permissions, you can have the tomcat user execute them without having to
> edit them as tomcat user. A less elegant solution is to just edit your
> files as denise, then su to root, then type something like "chown -R
> tomcat:tomcat $CATALINA_HOME" and hit return. That will set the owner and
> group of everything from CATALINA_HOME down recursively to tomcat owner,
> tomcat group. But then you would have to give root to every developer,
> which is not cool.
>
> To answer your last question about "almost" root, there are any number of
> different levels of permissions on a UNIX/Linux system, it's not as simple
> as "root" or "not root". If you want people to be able to do things as root
> without actually being root or having the root password, you can use a tool
> called sudo (which is short for "su do"). So, denise would log in, and
> let's say you wanted to change the owner and group on every file in
> CATALINA_HOME. You would type "sudo chown -R tomcat:tomcat $CATALINA_HOME"
> and then you would be prompted for the sudo password (not the same as root
> password). If the right password was given, the command would be performed
> AS IF the user was root, but only that command. After a configured amount
> of time (5 minutes, immediately, whatever), the user would lose sudo
> permissions and revert back to a regular user.
>
> Sys-admin can get pretty involved...if you are putting things in production,
> you will want to be concerned with these things, if only to protect the
> stability of your server and the information contained on it. I would
> recommend picking up a book or two, maybe O'Reilly's "Essential System
> Administration" along with O'Reilly's "UNIX in a Nutshell" or any other good
> Linux systems administration book.
>
> HTH
>
> John
>
> > -----Original Message-----
> > From: Denise Mangano [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, December 17, 2002 2:53 PM
> > To: 'Tomcat Users List'
> > Subject: Naïve question about root
> >
> > I know this is a naïve question, and slightly irrelevant to the
> > newsgroup...
> >
> > I keep getting told left and right not to work as root. I heeded this
> > advice a while back and created a user. Here is the thing. My RH 7.3 box,
> > running Apache 1.3.27 & Tomcat 3.1.17 (no I haven't gotten them connected
> > with mod_jk yet:) ) is logged in as root. But I work on my files through a
> > secure shell from my workstation, where I log in as the user I created. Is
> > it not safe to leave my box logged in as root?
> >
> > My concern is when people access my website can they somehow get into my
> > box and wreak havoc? For example with my current setup people are
> > accessing a website hosted on a machine that is logged in with root
> > access.... Is it better that I sign in on the actual box as this created
> > user only changing login to root as needed or does the logon of the actual
> > box not matter as long as I am not messing around as root...? If I should
> > sign onto the box as this user, how can I make sure this user has rights
> > to Apache and Tomcat? (as of right now this user has rights to execute
> > java commands, but I am not sure if there is anything special I need to do
> > for apache and tomcat). On a side note is there any way to create a user
> > that has "almost" root access but can't do the damage root can do?
> >
> > Again naïve, but thought I would throw it out here anyway :) Thanks!!
> >
> > Denise Mangano
> >
> > --
> > To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
> > For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>

--
/*
 * Matt Harris - Senior UNIX Systems Engineer
 * Smithsonian Institution, OCIO
 */
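The ownership model John lays out above (developer owns the webapp files, group tomcat, the tomcat user only needs to read them), written out as a small sh script. This is an added example, not something posted in the thread; it assumes a tomcat user and group already exist, and the developer name and CATALINA_HOME path in the usage comment are placeholders.

```sh
#!/bin/sh
# Added example (not from the thread). Files under the webapps tree stay
# owned by the developer, group tomcat; the tomcat user reads/executes them
# through group permissions, so nobody has to edit as tomcat or as root.

# Hand DIR to OWNER:GROUP, make it group-readable, and set the setgid bit on
# directories so files the developer creates later inherit GROUP without
# anyone running "chown -R" again (directories 2775, files 0664).
setup_webapps_tree() {
    dir=$1 owner=$2 group=$3
    chown -R "$owner:$group" "$dir" &&
    find "$dir" -type d -exec chmod 2775 {} + &&
    find "$dir" -type f -exec chmod 0664 {} +
}

# Audit DIR against that model. Prints the offenders and returns 1 if any
# entry is outside GROUP (tomcat could not read it) or is world-writable
# (anyone with a shell on the box could change what Tomcat serves).
# Returns 0 when the tree is clean.
audit_webapps_tree() {
    dir=$1 group=$2
    wrong_group=$(find "$dir" ! -group "$group" -print)
    world_writable=$(find "$dir" -perm -0002 -print)
    [ -n "$wrong_group" ] && printf 'not in group %s:\n%s\n' "$group" "$wrong_group"
    [ -n "$world_writable" ] && printf 'world-writable:\n%s\n' "$world_writable"
    [ -z "$wrong_group" ] && [ -z "$world_writable" ]
}

# Usage (placeholder names; the setup step needs root, e.g. via sudo):
#   sudo sh webapps-perms.sh setup /usr/local/tomcat/webapps denise tomcat
#   sh webapps-perms.sh audit /usr/local/tomcat/webapps tomcat
case "${1:-}" in
    setup) setup_webapps_tree "$2" "$3" "$4" ;;
    audit) audit_webapps_tree "$2" "$3" ;;
esac
```

The audit is the part worth running regularly (it needs no privileges), since a single careless chmod 777 while fighting mod_jk is exactly the kind of mistake it catches.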
