Yeah, SELinux is a big pain from what I've read about it and I've given up on
the machine on which it runs.  As you may have guessed, I'm not in charge of
the tech department of a secret government spy agency ;-) so I'll leave
SELinux to the spooks who invented it.

I've found another box on which I can install a fresh Linux dist.  Pondering
whether to use Slackware, Gentoo or Cent....

By Jakarta-Whatever, I'm referring to the commons-daemon package, as
indicated on the setup page:
<quote>
Download a commons-daemon binary from the Jakarta Commons download page, and
place jsvc.tar.gz and commons-daemon.jar in the $CATALINA_HOME/bin folder.
</quote>

Why can't they even link to this project?  I just wish the docs were more
detailed about why this kludgy trampoline is needed; there aren't any links
to the Jsvc project either!

No, I'm not a big fan of C; C programming should be left to the hobbits who
develop the OS and who know all the magical incantations needed to use it
safely.

thanks

On Wed, Apr 15, 2009 at 1:12 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Jonathan,
>
> On 4/14/2009 9:00 PM, Jonathan Mast wrote:
> > I've pretty much concluded that the problem is that the machine in question
> > is SELinux-enabled and that is the cause of Tomcat's inability to access the
> > 8080 port (even though I can see tomcat on the process list, a "netstat -a"
> > shows no entry for 8080).
>
> Ooooh... SELinux can be tough to deal with if you don't know what you're
> doing. It's /super/ restrictive, and rightly so. I would have expected
> an error message like "cannot bind to port 8080" in your catalina.out
> file if you really couldn't bind to port 8080, though.
>
> > 1) Why not run Tomcat as root?
>
> Security, security, security. There really is no need to run Tomcat as
> root, so why would you? If you have a misbehaving (or rogue) web
> application, it can really cause chaos if it's running as root. If you
> run it as a lowly common user, it can't do nearly so much damage. The
> same argument applies for not running MSIE on Windows as Administrator:
> if you get malware (and you /will/), you can't affect the machine's
> configuration, etc. unless you are an admin.
>
> > We have Tomcat running as root on our
> > current setup (Httpd 1.3.33, Tomcat 5.5, JDK 1.4), I presume Tomcat 6 (JDK
> > 1.6) running by itself must be more secure than our current situation. Any
> > comments?
>
> Yes, Tomcat alone should be more secure but there really is no reason to
> run Tomcat as root unless you are just really, really lazy. It's not
> that hard to run jsvc or set up iptables appropriately.
>
> > 2) My problem with jsvc is multiple:
> > a) it involves a language so evil it can only be referred to in paraphrase:
> > the letter between B and D.  Have you actually read the instructions for it?
>
> I must admit that I didn't download it and read the instructions, but
> the web site says it pretty plain and simple:
>
> $ ./configure --with-java=/path/to/java
> $ make
>
> Oh! The horror!
>
> Have you ever built anything using C before? This is how most packages
> work, and they work really well using the 'configure' business.
>
> Okay, I broke down and downloaded it. Here are the instructions for
> building from the README file at the top-level of the tarball:
>
> "
>  cd src/native/unix; configure; make
> "
>
> The only problem with that is they forgot to include the "./" in front
> of 'configure' for those who don't have '.' in the search path (which is
> actually most people).
>
> It took somewhere in the neighborhood of 3 seconds to complete both the
> 'configure' and 'make' steps for me.
>
> > b) can't they even bother to link to the Jakarta-Whatever package that I
> > must now download and lug around? I mean c'mon ;-[
>
> What is Jakarta-Whatever? I don't see any dependencies of any kind, here.
>
> > c) really, if all this stuff is the "correct" way to run Tomcat on linux,
> > why doesn't it come as part of the distribution?
>
> Because jsvc is someone else's project. I suppose Tomcat could bundle it
> into the distro, but they haven't chosen to do so. There are also lots
> of people who don't use it. For instance, I run Tomcat on non-privileged
> ports and use httpd to front it. So, bundling it would not help people
> like me at all (but certainly wouldn't hurt us).
>
> The biggest problem with this kind of bundling is the fact that *NIX
> systems are so varied in configuration that jsvc really must be built on
> each individual system (hence the super-simple 'configure/make'
> procedure above).
>
> -chris
>

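The two checks discussed in this thread (is anything actually listening on 8080, and is the listener owned by root?) can be read straight from the kernel's socket table. The following is an added example, not part of the original messages; the function names and the sample table are constructed for illustration, and only the IPv4 table layout of `/proc/net/tcp` is handled.

```python
import socket
import struct

TCP_LISTEN = "0A"  # kernel TCP state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11001 1
   1: 0100007F:1F45 00000000:0000 0A 00000000:00000000 00:00000000 00000000   998        0 11002 1
   2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11003 1
   3: 0A00000A:1F90 0B00000A:C350 01 00000000:00000000 00:00000000 00000000     0        0 11004 1
"""


def listeners(table_text):
    """Return (ip, port, uid) for every IPv4 socket in LISTEN state."""
    found = []
    for line in table_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10 or fields[3] != TCP_LISTEN:
            continue  # malformed row, or an established/closing connection
        addr_hex, port_hex = fields[1].split(":")
        # The address is a host-order 32-bit word (little-endian on x86);
        # the port is plain big-endian hex.
        ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
        found.append((ip, int(port_hex, 16), int(fields[7])))
    return found


def check_port(table_text, port):
    """Classify a port as not-listening, listening-as-root or listening-unprivileged."""
    owners = [uid for _, p, uid in listeners(table_text) if p == port]
    if not owners:
        return "not-listening"
    return "listening-as-root" if 0 in owners else "listening-unprivileged"


if __name__ == "__main__":
    for port in (8080, 8005, 8009):
        print(port, check_port(SAMPLE, port))
    # On a live Linux host: check_port(open("/proc/net/tcp").read(), 8080)
```

A JVM frequently listens on a dual-stack IPv6 socket, which appears in `/proc/net/tcp6` rather than in the table parsed here, so "not-listening" from this check alone does not prove the connector failed to bind.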