tomcat-users mailing list archives

From GOMEZ Henri <hgo...@slib.fr>
Subject RE: Starting Tomcat with user nobody
Date Mon, 23 Apr 2001 20:53:48 GMT
>Now... The short answer...  {:-)}
>
>1) nobody is not a good user since it does not usually have a shell
>   associated with it (check your /etc/passwd). It is better to create a user
>   (e.g., tomcat) with all the things which the user needs.


Apache HTTP server switches to user nobody (at least under Linux)
since it's a 'user with no power'. Since Tomcat doesn't listen on
ports lower than 1024 (8007, 8008, 8009, 8080, 8443), we could have it
running as the NOBODY user, just to be sure that a nobody could gain
root access.

We could have Tomcat running in a 'chrooted-like' area, i.e., running
in /var/tomcat, which is owned by nobody/nobody.

>2) When you have decided on the user and created it (say it is user tomcat
>   with group tomcat), become root:
>     cd $TOMCAT_HOME
>     chown -R tomcat .
>     chgrp -R tomcat .
>   Yes... Tomcat creates lots of files... I could be more specific, but
>   above is OK

bind-chroot also creates a named user to work in a chroot env.

>3) Then start tomcat:
>     1) you are logged in as root:
>           su - tomcat -c "$TOMCAT_HOME/bin/startup.sh"
>     2) you are logged in as tomcat
>           cd $TOMCAT_HOME/bin
>           ./startup.sh
>
>But... Frankly, read the URL below, since it is only a tip of 
>the iceberg

I think I'll do that in my future RPMs for Tomcat 3.2, 3.3 and
4.0 if nobody objects...

Could you, Jan, provide us an .html FAQ we could add to CVS?

>On Sat, 21 Apr 2001, Jan Labanowski wrote:
>
>> http://www.ccl.net/cca/software/UNIX/apache/
>> 
>> 
>> 
>> 
>> On Sat, 21 Apr 2001, Curtis Spencer wrote:
>> 
>> > Does anyone have a good startup script that will start tomcat with
>> > the user nobody rather than root.  I don't know if this is a
>> > security risk or not but I feel a little uncomfortable starting with
>> > root.  Do I have to change file permissions to ensure that 'nobody'
>> > can access certain files.
>> > 
>> > Thx,
>> > Curtis
>> > 
>> 
>> Jan K. Labanowski            |    phone: 614-292-9279,  FAX: 614-292-7168
>> Ohio Supercomputer Center    |    Internet: jkl@osc.edu 
>> 1224 Kinnear Rd,             |    http://www.ccl.net/chemistry.html
>> Columbus, OH 43212-1163      |    http://www.osc.edu/
>> 
>
>Jan K. Labanowski            |    phone: 614-292-9279,  FAX: 614-292-7168
>Ohio Supercomputer Center    |    Internet: jkl@osc.edu 
>1224 Kinnear Rd,             |    http://www.ccl.net/chemistry.html
>Columbus, OH 43212-1163      |    http://www.osc.edu/
>

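The following wrapper is an added example, not a script from this thread or from the Tomcat project. It puts the three steps quoted above (dedicated user, chown -R of TOMCAT_HOME, start via su or directly) into one POSIX sh script and adds the two checks a practitioner would want before trusting it: that every configured port is 1024 or above (otherwise the unprivileged user cannot bind it), and that the chosen account actually has a login shell, which is Jan's objection to `nobody`, since `su - user -c cmd` runs cmd through that shell. The user name `tomcat`, the path `/var/tomcat` and the default port list (the ports Henri mentions) are assumptions for illustration and can be overridden through the environment.

```shell
#!/bin/sh
# start-tomcat-unprivileged.sh
# Added example (not from the list thread or the Tomcat project).
# Assumptions for illustration: a dedicated 'tomcat' service user, TOMCAT_HOME
# at /var/tomcat, and the connector ports named in the thread.

TOMCAT_HOME="${TOMCAT_HOME:-/var/tomcat}"
TOMCAT_USER="${TOMCAT_USER:-tomcat}"
TOMCAT_PORTS="${TOMCAT_PORTS:-8007 8008 8009 8080 8443}"

# Ports below 1024 need root to bind, so a non-root Tomcat only works if every
# configured port is >= 1024. Returns 0 when that holds, 1 when a port is
# privileged, 2 when an argument is not a number.
all_ports_unprivileged() {
    for p in "$@"; do
        case "$p" in
            ''|*[!0-9]*) return 2 ;;
        esac
        [ "$p" -ge 1024 ] || return 1
    done
    return 0
}

# Print the login-shell field (7th) of a passwd(5) line.
login_shell_of() {
    printf '%s\n' "$1" | cut -d: -f7
}

# 'su - user -c cmd' runs cmd through the account's login shell, so a user
# whose shell is nologin or false (as 'nobody' often is) cannot start Tomcat
# that way. Returns 0 if the shell allows a login.
shell_allows_login() {
    case "$1" in
        ''|*/nologin|*/false) return 1 ;;
        *) return 0 ;;
    esac
}

# Decide how to launch: root switches to the service user with su, the service
# user runs startup.sh directly, anyone else cannot do it (returns 1).
# Prints the command so the decision can be inspected or tested.
build_start_command() {
    uid="$1"; current_user="$2"; target_user="$3"; home="$4"
    if [ "$uid" -eq 0 ]; then
        printf 'su - %s -c "%s/bin/startup.sh"\n' "$target_user" "$home"
    elif [ "$current_user" = "$target_user" ]; then
        printf '%s/bin/startup.sh\n' "$home"
    else
        return 1
    fi
}

main() {
    # shellcheck disable=SC2086  # word splitting of the port list is intended
    all_ports_unprivileged $TOMCAT_PORTS || {
        echo "a port below 1024 is configured; $TOMCAT_USER cannot bind it" >&2
        exit 1
    }

    entry=$(getent passwd "$TOMCAT_USER") || {
        echo "user $TOMCAT_USER does not exist; create it first (useradd -r)" >&2
        exit 1
    }
    shell_allows_login "$(login_shell_of "$entry")" || {
        echo "$TOMCAT_USER has no usable login shell; su -c will not work" >&2
        exit 1
    }

    uid=$(id -u)
    if [ "$uid" -eq 0 ]; then
        # Step 2 of the recipe: Tomcat writes log and work files, so the tree
        # must belong to the service user (chown and chgrp -R in one call).
        chown -R "$TOMCAT_USER:$TOMCAT_USER" "$TOMCAT_HOME"
    fi

    cmd=$(build_start_command "$uid" "$(id -un)" "$TOMCAT_USER" "$TOMCAT_HOME") || {
        echo "run this as root or as $TOMCAT_USER" >&2
        exit 1
    }
    eval "$cmd"
}

# Only act when invoked as 'sh start-tomcat-unprivileged.sh run'; otherwise the
# functions are merely defined, so the file can be sourced and tested.
case "${1:-}" in
    run) main ;;
esac
```

Run it as root with `sh start-tomcat-unprivileged.sh run`. The blanket `chown -R` reproduces the quoted recipe, which is the "tip of the iceberg" Jan refers to: it also hands the service user write access to bin/ and conf/, so a compromised webapp could rewrite server.xml or the startup scripts. A tighter layout keeps those root-owned and gives the service user only the directories Tomcat must write (logs/, work/, and webapps/ if auto-deploy is used).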