tomcat-users mailing list archives

From "epicwinter@hotmail.com" <epicwin...@hotmail.com>
Subject RE: running tomcat with root user
Date Sun, 01 Feb 2009 19:36:17 GMT



> Date: Sun, 1 Feb 2009 11:04:10 +0100
> From: aw@ice-sa.com
> To: users@tomcat.apache.org
> Subject: Re: running tomcat with root user
> 
> epicwinter@hotmail.com wrote:
> > I have the latest tomcat 6 installed under centos 5.2.  The problem I am having
> > is that it appears that I have to run tomcat as root user, because the spring app
> > that tomcat starts needs to write files to other users' home directories.  The
> > tomcat user doesn't have access to these directories.
> > 
> > I tried making these users part of a shared group, but to complicate the problem
> > the users are jailed using jailkit.  So it doesn't appear that jailkit lets me add
> > group write privileges to the home directories and maintain a working jail.
> > 
> > Can anyone suggest another alternative?  I am not a Linux user expert, so maybe
> > there is an obvious solution I am missing?
> 
> If you are courageous, you could try using ACL's.
> One pre-requisite is that the filesystem type on which the users' 
> directories are located, must support ACL. The other pre-requisite is 
> that ACLs be actually enabled on that filesystem. This has to do with 
> the "mount" command that mounts the filesystem.
> I am no specialist myself, and you'll have to get some help from a Linux 
> forum for that.
> The next part is to understand the commands that deal with ACL's, and 
> that is why I said that you have to be courageous. They are not for the 
> faint-hearted.
> Try :
> man setfacl
> man getfacl
> 
> Very briefly :
> ACL = Access Control List
> They are a possibility to set access permissions to files and 
> directories, in a more detailed and flexible way than Unix usual 
> "rwxrwxrwx"-style permissions.
> You can have a directory belonging to user X and group Y, but still 
> allow users of group Z (e.g. Tomcat) to write to it.
> 
> All of the above of course may or may not be compatible with the "jail" 
> you are mentioning. I make no guarantees there.
> And otherwise, you'll have to run Tomcat as root and that's it.

Thanks for the reply and suggestion, I am doing some heavy reading right now on ACLs.  Very
interesting, looks like a possible solution.  I am doing this on a remote server with one
drive so I am a little nervous about making these changes and seeing if it comes back up.
I am also concerned if there would be a performance hit.  I really wish there was a simpler
solution.  I wonder how insecure it really would be to run tomcat as root or if there was
a way to make it "more" secure.


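The ACL approach suggested in the quoted reply, sketched as an added example that is not part of the original thread: it grants one service account write access to a single subdirectory of a user's home instead of running the service as root. The account name "tomcat", the owner "alice" and the "uploads" subdirectory are constructed for illustration, and whether this coexists with a jailkit jail is not established by the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed names: service account
# "tomcat", home owner "alice", writable subdirectory "uploads".
# DRY_RUN=1 (the default) prints each command instead of executing it.

run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Return 0 if the filesystem holding directory $1 accepts ACL entries
# (the "mount" prerequisite). Probes a throwaway file only.
acl_supported() (
    probe=$(mktemp "$1/.aclprobe.XXXXXX") || exit 2
    setfacl -m "u:$(id -un):rw-" "$probe" 2>/dev/null
    rc=$?
    rm -f "$probe"
    exit "$rc"
)

# grant_write SERVICE OWNER DIR
grant_write() {
    if [ "${DRY_RUN:-1}" != "1" ] && ! acl_supported "$3"; then
        echo "ACLs are not enabled on the filesystem holding $3" >&2
        return 1
    fi
    # Traverse-only on the home directory: the service can reach DIR but
    # cannot list or write the home itself, and because the ACL mask is what
    # shows up as the group bits, the home's mode gains no group-write bit.
    run setfacl -m "u:$1:--x" "$(dirname "$3")"
    # Access ACL: the service may create and modify entries in DIR.
    run setfacl -m "u:$1:rwx" "$3"
    # Default ACL: new files inherit entries for both accounts, so files
    # created by the service stay accessible to the home owner and vice versa.
    run setfacl -d -m "u:$1:rwx,u:$2:rwx" "$3"
    # Show the resulting entries for review.
    run getfacl "$3"
}

# Dry-run demonstration on constructed paths.
DRY_RUN=1
grant_write tomcat alice /home/alice/uploads
```

Setting DRY_RUN=0 executes the commands; that needs the acl tools installed and ownership of the directories or root.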