tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: [OT] Configure tomcat using init.d
Date Mon, 17 Oct 2011 19:26:09 GMT

Mark,

On 10/14/2011 11:15 AM, Mark H. Wood wrote:
> On Fri, Oct 14, 2011 at 07:33:28AM -0700, Hassan Schroeder wrote:
>> On Fri, Oct 14, 2011 at 1:52 AM, ettoregia <ettoregia@gmail.com> 
>> wrote:
>>> My system: Linux, the version I don't know how to realize, 
>>> since I've got just an ssh connection and typing some command 
>>> I've not been able to discover it, maybe you can help me out
>>> on this as well.
>> 
>> `cat /proc/version` should give you something useful.
> 
> 'uname -a' is another possibility.

I'm running Debian Squeeze:

$ uname -a
Linux dev 2.6.32-5-openvz-amd64 #1 SMP Wed May 18 23:53:57 UTC 2011
i686 GNU/Linux

No mention of Debian.

$ cat /proc/version
Linux version 2.6.32-5-openvz-amd64 (Debian 2.6.32-34squeeze1)
(dannf@debian.org) (gcc version 4.3.5 (Debian 4.3.5-4) ) #1 SMP Wed
May 18 23:53:57 UTC 2011

Ooh, Debian everywhere.

Looks like Hassan's suggestion is better.

I usually do:

$ cat /etc/issue
Debian GNU/Linux 6.0 \n \l

I didn't know there was a /proc/version. Maybe I'll start using that,
as it has more information.

> This I can agree with.  They don't allow application managers 
> access to Tomcat's config., but anyone can drop stuff into 
> /etc/init.d, whence it will run as root?  Really?  Something is
> not right here.

Technically, things in /etc/init.d don't run as root just because they
are there. Most rc.d-based systems use /etc/rc[runlevel].d/* as
startup scripts, and those are symlinked to /etc/init.d. Putting a
file into /etc/init.d isn't a direct exploit, but it's pretty close.

> That init script would need to start Yet Another Tomcat Instance. 
> Is that what IT wants?  That has implications for memory demand, 
> port and address space, and linking among app.s.  Maybe the IT guy 
> understands how Tomcat works, but I think I would explore the 
> possibility that he doesn't.

+1

-chris

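The point made in the message, that a file in /etc/init.d only runs at boot once a symlink in /etc/rc[runlevel].d points at it, can be checked on a host. The following is an added example, not part of the original message or of Tomcat: a shell audit run against a constructed sample tree. The function names and the sample tree are assumptions of the example; the S/K link prefixes are the usual SysV convention.

```shell
#!/bin/sh
# Added example: audit a SysV init layout under a root prefix ($1).

# Emit "start|stop-only|unlinked <name>" for every script in etc/init.d.
# Only an S* symlink in an rc<runlevel>.d directory gets a script started.
init_status() {
  for script in "$1"/etc/init.d/*; do
    [ -f "$script" ] || continue
    name=${script##*/}
    state=unlinked
    for link in "$1"/etc/rc?.d/[SK][0-9][0-9]*; do
      [ -L "$link" ] && [ "$link" -ef "$script" ] || continue
      case ${link##*/} in
        S*) state=start ;;
        K*) [ "$state" = start ] || state=stop-only ;;
      esac
    done
    echo "$state $name"
  done
}

# List directories and scripts that group or other may write to. Write access
# to an rc?.d directory is enough to add a symlink; write access to a linked
# script is enough to change what runs at boot.
loose_perms() {
  find "$1"/etc/init.d "$1"/etc/rc?.d ! -type l \
    \( -perm -020 -o -perm -002 \) -print | sort
}

# Constructed sample tree (not taken from any real host).
make_sample_tree() {
  t=$(mktemp -d)
  mkdir -p "$t/etc/init.d" "$t/etc/rc2.d" "$t/etc/rc0.d"
  for s in tomcat dropped halt; do printf '#!/bin/sh\n' > "$t/etc/init.d/$s"; done
  chmod 755 "$t/etc/init.d" "$t/etc/rc2.d" "$t/etc/rc0.d" "$t"/etc/init.d/*
  chmod 777 "$t/etc/init.d/dropped"   # world-writable, but nothing links to it
  ln -s ../init.d/tomcat "$t/etc/rc2.d/S20tomcat"
  ln -s ../init.d/halt "$t/etc/rc0.d/K90halt"
  echo "$t"
}

tree=$(make_sample_tree)
init_status "$tree"
loose_perms "$tree"
rm -rf "$tree"
```

On a real system, call `init_status ""` and `loose_perms ""` to audit `/etc` itself.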