From: "epicwinter@hotmail.com"
To: users@tomcat.apache.org (Tomcat Users List)
Subject: RE: running tomcat with root user
Date: Sun, 1 Feb 2009 11:36:17 -0800
In-Reply-To: <4985739A.5080503@ice-sa.com>
References: <4985739A.5080503@ice-sa.com>

> Date: Sun, 1 Feb 2009 11:04:10 +0100
> From: aw@ice-sa.com
> To: users@tomcat.apache.org
> Subject: Re: running tomcat with root user
>
> epicwinter@hotmail.com wrote:
> > I have the latest Tomcat 6 installed under CentOS 5.2. The problem I am having is that it appears that I have to run Tomcat as the root user, because the Spring app that Tomcat starts needs to write files to other users' home directories. The tomcat user doesn't have access to these directories.
> >
> > I tried making these users part of a shared group, but to complicate the problem the users are jailed using jailkit. So it doesn't appear that jailkit lets me add group write privileges to the home directories and maintain a working jail.
> >
> > Can anyone suggest another alternative? I am not a Linux user expert, so maybe there is an obvious solution I am missing?
>
> If you are courageous, you could try using ACLs.
> One prerequisite is that the filesystem type on which the users' directories are located must support ACLs. The other prerequisite is that ACLs actually be enabled on that filesystem. This has to do with the "mount" command that mounts the filesystem.
> I am no specialist myself, and you'll have to get some help from a Linux forum for that.
> The next part is to understand the commands that deal with ACLs, and that is why I said that you have to be courageous. They are not for the faint-hearted.
> Try:
> man setfacl
> man getfacl
>
> Very briefly:
> ACL = Access Control List
> They are a way to set access permissions on files and directories in a more detailed and flexible way than the usual Unix "rwxrwxrwx"-style permissions.
> You can have a directory belonging to user X and group Y, but still allow users of group Z (e.g. Tomcat) to write to it.
>
> All of the above, of course, may or may not be compatible with the "jail" you are mentioning. I make no guarantees there.
> And otherwise, you'll have to run Tomcat as root and that's it.

Thanks for the reply and suggestion; I am doing some heavy reading right now on ACLs. Very interesting, looks like a possible solution. I am doing this on a remote server with one drive, so I am a little nervous about making these changes and seeing if it comes back up. I am also concerned whether there would be a performance hit. I really wish there was a simpler solution. I wonder how insecure it really would be to run Tomcat as root, or if there was a way to make it "more" secure.
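As an added example (not code from the thread, from Tomcat or from jailkit), the POSIX shell script below carries out the ACL route the reply sketches: it checks the two prerequisites named above (setfacl/getfacl present, and the filesystem actually accepting ACLs) and then grants a service account rwx on a home directory with both an access entry and a default entry, so the Tomcat process can create and later rewrite files there without running as root. The directory, the grantee and the `demo`, `acl_supported`, `grant_rwx` and `acl_has` helper names are assumptions for illustration; on a real box the call would be along the lines of `grant_rwx u:tomcat /home/alice`.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: grant a service account
# write access to another user's home directory with POSIX ACLs instead of
# running Tomcat as root. Assumptions: the acl tools are installed; the
# directory and grantee below are stand-ins (a temp dir and the caller's own
# group) so the demo can run unprivileged.

# acl_supported DIR: succeed only if the acl tools exist and the filesystem
# holding DIR accepts ACLs. Modern ext4/xfs enable ACLs by default and do not
# list "acl" in `mount` output, so probing with setfacl is the reliable check;
# a mount without ACL support fails with "Operation not supported".
acl_supported() {
    command -v setfacl >/dev/null 2>&1 || return 1
    command -v getfacl >/dev/null 2>&1 || return 1
    probe=$(mktemp -d "$1/.aclprobe.XXXXXX") || return 1
    if setfacl -m "g:$(id -gn):rwx" "$probe" 2>/dev/null; then rc=0; else rc=1; fi
    rm -rf "$probe"
    return $rc
}

# grant_rwx SUBJECT DIR: SUBJECT is "u:NAME" or "g:NAME" (setfacl syntax).
# Sets an access entry on DIR itself (so the service can create and list
# files) and a default entry (inherited by files and subdirectories created
# later, so the service can rewrite what it created). Owner, group and mode
# bits of DIR are left as they are.
grant_rwx() {
    setfacl -m "$1:rwx" -m "d:$1:rwx" "$2"
}

# acl_has FILE ENTRY: true if getfacl lists ENTRY exactly, e.g.
# "group:tomcat:rwx" or "default:group:tomcat:rwx". getfacl appends
# "#effective:..." when the mask entry narrows an entry's rights; that
# annotation is stripped before comparing, so the test is on the granted entry.
acl_has() {
    getfacl "$1" 2>/dev/null | sed 's/[[:space:]]*#.*$//' | grep -qxF -- "$2"
}

# demo: run the procedure on a throwaway directory and print the resulting ACLs.
demo() {
    home=$(mktemp -d) || return 1              # stand-in for the jailed user's home
    subj="g:$(id -gn)"                         # stand-in for u:tomcat
    if ! acl_supported "$home"; then
        echo "ACLs unavailable for $home: install the acl tools or remount with ACL support" >&2
        rm -rf "$home"
        return 2
    fi
    grant_rwx "$subj" "$home"
    : > "$home/report.txt"                     # a file the service would create
    getfacl "$home" "$home/report.txt"
    rm -rf "$home"
}

demo || :
```

Two caveats worth knowing before trying this on a remote box: a later `chmod` on the directory rewrites the ACL mask entry and can silently narrow the effective rights of the named entries (getfacl then shows `#effective:` next to them), and the ACLs live as extended attributes, so copies and backups need tools that preserve them (`rsync -A`, `tar --acls`). Whether the jail tolerates the extra entries is, as the reply says, something only a test on the jailed home can answer.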