tomcat-users mailing list archives

From "Turner, John" <JTur...@AAS.com>
Subject RE: Unix file socket / mod_jk2
Date Fri, 13 Sep 2002 17:33:42 GMT

With a connector, since Tomcat isn't running on a port < 1024, there's no
need to run Tomcat as root.

On my servers, Tomcat runs as the same user as the webserver, though in my
case it isn't "nobody" (Apache default) but another username.

You can't make "nobody" a member of group "root" (BAD idea!) so that leaves
two choices:

- have Tomcat run as web server user
- have Tomcat run as some other user (like "tomcat") and put user "nobody"
into that user's group, assuming Apache is running as nobody/nobody.

Then you would probably see something like this:

srw-rw----    1 tomcat     tomcat            0 sep 13 13:17 jk2.socket

User "nobody" would have access to that socket if they were a member of
group "tomcat".

John
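As an added illustration of the layout John describes (not code from the original thread or from the Tomcat/mod_jk2 project), the script below creates a Unix socket with mode 660 the way a non-root Tomcat would, prints the same "srw-rw----" listing, and evaluates the Unix owner/group/other check for the three situations in this thread: the socket owned root:root (Apache as nobody gets nothing), the chmod 777 workaround (everyone gets read/write), and John's tomcat:tomcat 660 socket with nobody added to group tomcat. The uids and gids are constructed for the example; on a real box they come from pwd/grp.

```python
import os
import socket
import stat
import tempfile

# Constructed ids for the example (not real system values).
TOMCAT_UID, TOMCAT_GID = 1001, 1001
NOBODY_UID, NOBODY_GID = 99, 99
ROOT_UID, ROOT_GID = 0, 0


def can_access(mode, owner_uid, owner_gid, uid, gids, want):
    """Classic Unix discretionary access check on a file node.

    Owner bits apply if uid matches; otherwise group bits if any of the
    caller's gids matches the file's group; otherwise the 'other' bits.
    `want` is a subset of "rw". Root bypasses the check entirely.
    """
    if uid == 0:
        return True
    if uid == owner_uid:
        shift = 6
    elif owner_gid in gids:
        shift = 3
    else:
        shift = 0
    bits = (stat.S_IMODE(mode) >> shift) & 0o7
    need = (0o4 if "r" in want else 0) | (0o2 if "w" in want else 0)
    return bits & need == need


def create_socket(path, mode=0o660):
    """Bind an AF_UNIX socket and leave it at `mode` (default rw-rw----).

    bind() creates the node honouring the process umask, so a tight umask
    is set first so the socket is never briefly world-readable, and then
    chmod fixes the final mode. Returns (socket, stat_result).
    """
    old_umask = os.umask(0o177)
    try:
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        s.bind(path)
    finally:
        os.umask(old_umask)
    os.chmod(path, mode)
    return s, os.stat(path)


def evaluate_layouts():
    """Create the socket and evaluate who can use it under each layout."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "jk2.socket")
        s, st = create_socket(path)
        s.close()
        listing = stat.filemode(st.st_mode)  # e.g. "srw-rw----"
        is_socket = stat.S_ISSOCK(st.st_mode)
    return {
        "listing": listing,
        "is_socket": is_socket,
        # Original poster: Tomcat as root, socket root:root 660.
        "root_owned_660_nobody": can_access(
            0o660, ROOT_UID, ROOT_GID, NOBODY_UID, {NOBODY_GID}, "rw"),
        # The chmod 777 workaround: any local uid can talk AJP to Tomcat.
        "chmod_777_random_uid": can_access(
            0o777, ROOT_UID, ROOT_GID, 31337, {31337}, "rw"),
        # John's layout: tomcat:tomcat 660, nobody NOT in group tomcat.
        "tomcat_660_nobody_no_group": can_access(
            0o660, TOMCAT_UID, TOMCAT_GID, NOBODY_UID, {NOBODY_GID}, "rw"),
        # John's layout with nobody added to group tomcat.
        "tomcat_660_nobody_in_group": can_access(
            0o660, TOMCAT_UID, TOMCAT_GID, NOBODY_UID,
            {NOBODY_GID, TOMCAT_GID}, "rw"),
    }


if __name__ == "__main__":
    for name, value in evaluate_layouts().items():
        print(f"{name}: {value}")
```

The practical point the check makes visible: with 660 and a dedicated group, only the web server user (via group membership) and Tomcat itself can open the AJP socket, whereas 777 lets any local account submit requests to Tomcat directly. The mode jk2 ends up with depends on the umask of the process that starts Tomcat, so either start it with a restrictive umask or chgrp/chmod the socket after it appears.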


> -----Original Message-----
> From: Maxime Colas des Francs [mailto:max_sts@hotmail.com]
> Sent: Friday, September 13, 2002 1:29 PM
> To: Tomcat Users List
> Subject: Unix file socket / mod_jk2
> 
> 
> Hi
> 
> I'm on Linux (RH 7.3) with jsdk 1.4
> 
> I attempt to use Tomcat 4, Apache 2 and mod_jk2 with a unix 
> socket file for communication.
> 
> Tomcat is launched as root and creates the socket file:
> srw-rw----    1 root     root            0 sep 13 13:17 jk2.socket
> 
> Apache 2 is launched as nobody and can't read/write this file 
> (it works after a chmod 777 on jk2.socket).
> 
> What is the best (secure) solution?
> 
> Launch Tomcat as nobody?
> How?
> 
> Thanks.
> (You can reply in French/English.)
> 
> workers2.properties :
> [shm]
> file=${serverRoot}/logs/shm.file
> size=1048576
> # Example unixsocket channel.
> [channel.un:unixsocket]
> file=/usr/local/tomcat/work/jk2.socket
> # define the worker
> [ajp13:unixsocket]
> channel=channel.un:unixsocket
> # Uri mapping
> [uri:/regis/*]
> worker=ajp13:unixsocket
> 
> jk2.properties :
> # list of needed handlers.
> handler.list=apr,channelUnix,request
> # Set the default port for the channelSocket
> #channelSocket.port=8009
> # Location of the socket.
> channelUnix.file=${jkHome}/work/jk2.socket
> # Dynamic library
> apr.NativeSo=${jkHome}/lib/libjkjni.so