tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Peter Crowther <Peter.Crowt...@melandra.com>
Subject RE: running tomcat with root user
Date Sun, 01 Feb 2009 12:59:33 GMT
> From: epicwinter@hotmail.com [mailto:epicwinter@hotmail.com]
> I have the latest tomcat 6 installed under centos 5.2.  The
> problem I am having is that it appears that I have to run
> tomcat as root user, because the spring app that tomcat
> starts needs to write files to other users' home directories.
>  The tomcat user doesn't have access to these directories.
>
> I tried making these users part of a shared group, but to
> complicate the problem the users are jailed using jailkit.
> So it doesn't appear that jailkit lets me add group write
> privileges to the home directories and maintain a working jail.
>
> Can anyone suggest another alternative?  I am not linux user
> expert so maybe there is an obvious solution i am missing?

Beyond Andre's solution of ACLs, there's another one that's more complex but might be more
secure.  It requires a slight shift in architecture.

1) Run Tomcat as the tomcat user.  Change the way it writes files, so that instead of writing
to the user directory it writes the details to a queue that you have control over.  That could
be a database, or a chunk of filestore.

2) Write a second daemon that runs as root, that reads the queue, does whatever checks you
require so that it believes the queued requests are genuine, then writes the queued items
to the users' directories.

This reduces the attack surface of the system, in that tomcat's not running as root.  You'd
have to be careful with the security of the daemon and the queue but, if well-designed, the
overall security may be better than running Tomcat as root.

                - Peter

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message