tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Juha Laiho <>
Subject Re: virtual hosts for chrooted Tomcat
Date Mon, 03 Aug 2009 12:53:51 GMT
Ron Van den Branden wrote:
> Hi all,
> I'm preparing for deploying Tomcat based web applications on a dedicated
> server (finally!). I have experience with Tomcat webapps on my local
> Windows machine, but am making myself familiar with a real-life
> situation on a Ubuntu Linux server.
> From what I've read, chrooting Tomcat seems a sensible security measure,
> documented in detail in O'Reilly's "Tomcat: the Definitive Guide"
> (<>). Before I start
> messing around, however, I would like to clarify some concepts.
> If I
>    1. setup Tomcat for virtual hosts, serving webapps from another
> directory than %TOMCAT_HOME%/webapps, say
> /var/www/virtualhosts/[virtualhost]/
>    2. install Tomcat in its chroot jail at /home/chroot/tomcat
> ...will Tomcat be able to serve these webapps?

No, chrooting really does limit filesystem access to directories
to within a specified directory tree. Whatever you want to access
from a chrooted process must reside within that same chroot restriction.

You might be able to set up chrooting so that Tomcat is able to access
all virtual hosts, and so that each sftp/ssh update account only has
access to the specific virtualhost directory tree, but for this case
the Tomcat chroot point must be a common point above all the virtual

So, if you f.ex. have a directory structure
... then, if your Tomcat process is chrooted to /a/b/tomcat, it will
not be able to access any directory which is not below the /a/b/tomcat
directory. This is the whole and sole point of chrooting: the "root"
directory accessible to a process is changed to something else than the
real root directory of the underlying filesystem.

Instead, if you chroot tomcat to /a/b, then it will be able to access
anything wihtin /a/b, including all three abovementioned directories.
Also, when you run a process chrooted, copies of all files needed by
the process must exist within the chrooted environment (f.ex. all JDK
files needed by Tomcat).

Note though, that these (chrooting) questions have little or no relation
with Tomcat as is, but would be more properly handled in an OS-related

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message