> Date: Sun, 1 Feb 2009 11:04:10 +0100
> From: a...@ice-sa.com
> To: users@tomcat.apache.org
> Subject: Re: running tomcat with root user
>
> epicwin...@hotmail.com wrote:
> > I have the latest Tomcat 6 installed under CentOS 5.2. The problem I am
> > having is that it appears that I have to run Tomcat as root user, because
> > the Spring app that Tomcat starts needs to write files to other users' home
> > directories. The tomcat user doesn't have access to these directories.
> >
> > I tried making these users part of a shared group, but to complicate the
> > problem the users are jailed using jailkit. So it doesn't appear that
> > jailkit lets me add group write privileges to the home directories and
> > maintain a working jail.
> >
> > Can anyone suggest another alternative? I am not a Linux user expert, so
> > maybe there is an obvious solution I am missing?
>
> If you are courageous, you could try using ACLs.
> One prerequisite is that the filesystem type on which the users'
> directories are located must support ACLs. The other prerequisite is
> that ACLs be actually enabled on that filesystem. This has to do with
> the "mount" command that mounts the filesystem.
> I am no specialist myself, and you'll have to get some help from a Linux
> forum for that.
> The next part is to understand the commands that deal with ACLs, and
> that is why I said that you have to be courageous. They are not for the
> faint-hearted.
> Try:
>   man setfacl
>   man getfacl
>
> Very briefly:
> ACL = Access Control List
> They are a possibility to set access permissions to files and
> directories, in a more detailed and flexible way than Unix usual
> "rwxrwxrwx"-style permissions.
> You can have a directory belonging to user X and group Y, but still
> allow users of group Z (e.g. Tomcat) to write to it.
>
> All of the above of course may or may not be compatible with the "jail"
> you are mentioning. I make no guarantees there.
> And otherwise, you'll have to run Tomcat as root and that's it.
>
Thanks for the reply and suggestion, I am doing some heavy reading right now
on ACLs. Very interesting, looks like a possible solution. I am doing this on
a remote server with one drive, so I am a little nervous about making these
changes and seeing if it comes back up. I am also concerned if there would be
a performance hit. I really wish there was a simpler solution. I wonder how
insecure it really would be to run Tomcat as root, or if there was a way to make
it "more" secure.
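
Added example, not part of the original messages: a small Python check over `getfacl` output that confirms an ACL grant to a `tomcat` group is actually effective, as an alternative to running Tomcat as root. The user `alice`, the group name `tomcat`, the path and the sample output are constructed assumptions; the check relies on the POSIX ACL rule that the `mask` entry limits named entries.

```python
# Constructed `getfacl` output (names alice/tomcat and the path are assumptions):
# state after `setfacl -m g:tomcat:rwx <dir>` and a later `chmod g-w <dir>`, which rewrites the mask.
SAMPLE = """\
# file: home/alice/uploads
# owner: alice
# group: alice
user::rwx
group::r-x
group:tomcat:rwx\t#effective:r-x
mask::r-x
other::---
"""

def parse_getfacl(text):
    """Return (access, default) dicts mapping (tag, qualifier) -> 'rwx' string."""
    access, default = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop headers and "#effective:" notes
        if not line:
            continue
        parts = line.split(":")
        target = default if parts[0] == "default" else access
        tag, qualifier, perms = parts[-3:]
        target[(tag, qualifier)] = perms
    return access, default

def effective(entries, tag, qualifier):
    """Named entries and the owning group are limited by the mask entry."""
    perms = entries.get((tag, qualifier))
    mask = entries.get(("mask", ""))
    if perms is None or mask is None or (tag, qualifier) in (("user", ""), ("other", "")):
        return perms
    return "".join(p if m != "-" else "-" for p, m in zip(perms, mask))

def audit(text, group="tomcat"):
    """List reasons the service group cannot reliably write, or others can."""
    access, default = parse_getfacl(text)
    findings = []
    granted, eff = access.get(("group", group)), effective(access, "group", group)
    if granted is None:
        findings.append(f"no ACL entry for group {group}")
    elif "w" not in eff:
        findings.append(f"group {group} granted {granted} but mask leaves {eff}")
    if ("group", group) not in default:
        findings.append(f"no default ACL for {group}: new files will not inherit it")
    if "w" in access.get(("other", ""), "---"):
        findings.append("directory is world-writable")
    return findings
```

Calling `audit(SAMPLE)` reports the mask problem and the missing default ACL; an empty list means the grant is effective and inherited.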