Posted to users@tomcat.apache.org by Jan Labanowski <jk...@osc.edu> on 2001/04/24 04:42:30 UTC

RE: Starting Tomcat with user nobodyy

On Mon, 23 Apr 2001, GOMEZ Henri wrote:

> >Now... The short answer...  {:-)}
> >
> >1) nobody is not a good user since it does not usually have shell
> >   associated (check your /etc/passwd). It is better to create user
> >   (e.g., tomcat) with all things which user needs.
> 
> 
> Apache HTTP server switches to user nobody (at least under Linux)
> since it's a 'user with no power'. Since Tomcat doesn't listen on
> ports less than 1024 (8007, 8008, 8009, 8080, 8443) we could have it
> running as a NOBODY user, just to be sure that a nobody could gain 
> root access. 

Let me elaborate... Tomcat needs a shell if you want to run programs from
within your servlets... Of course, if we are talking about running simple
JSP pages which do not access other stuff, "nobody" is as good as "anybody",
but nobody routinely does not have a shell associated, and therefore is not in
my humble opinion a good user for serious servlet programming and 
extensive applications. Java Runtime is quite crippled without a shell
and regular environment. Also nobody is not a nobody anymore in the
latest RH apache distribution (it is apache). 

> 
> We could have tomcat running in a 'chrooted like' area. ie, running 
> in /var/tomcat which is owned by nobody/nobody.
> 
> >2) When you decided on the user  and created it (say it is user tomcat
> >   with group tomcat) , become root:
> >     cd $TOMCAT_HOME
> >     chown -R tomcat .
> >     chgrp -R tomcat .
> >   Yes... Tomcat creates lots of files... I could be more specific, but
> >   above is OK
> 
> bind-chroot also creates a named user to work in a chroot env.

Again... If we assume that the user Web application is self contained
and does not need anything from outside, it is probably fine, though
if we do a chroot we would have to have the JDK installed under Tomcat
or we could only serve precompiled JSPs. The same goes for databases
and the like. It is just more convenient to run tomcat within a normal
UNIX tree. Apache does not run chroot either, or it would lose access to
/usr/lib (e.g., libssl, libcrypto) and perl, and the like...

> 
> >3) Then start tomcat:
> >     1) you are logged in as root:
> >           su - tomcat -c "$TOMCAT_HOME/bin/startup.sh"
> >     2) you are logged in as tomcat
> >           cd $TOMCAT_HOME/bin
> >           ./startup.sh
> >
> >But... Frankly, read the URL below, since it is only a tip of 
> >the iceberg
> 
> I think of doing that in my future RPM for Tomcat 3.2, 3.3 and
> 4.0 if nobody objects...

As I said... we probably can force nobody to run shell with --shell=SHELL
but the shell option, while available under LINUX is not available under
many other UNICes.

> 
> Could you Jan, provide us a .html FAQ we could add to CVS ?

I was wary of contributing to "official stuff", since I am not a tidy writer,
and just do a brain dump now and then. But if you think it would be useful,
I will try to cook up something in a few days on startup scripts at boot,
since I already committed a few grave examples on my own which you can find at
the http://www.ccl.net/cca/software/UNIX/apache page. I will try to provide
standalone Tomcat and Tomcat/Apache combo scripts and add comments...

Jan

Jan K. Labanowski            |    phone: 614-292-9279,  FAX: 614-292-7168
Ohio Supercomputer Center    |    Internet: jkl@osc.edu 
1224 Kinnear Rd,             |    http://www.ccl.net/chemistry.html
Columbus, OH 43212-1163      |    http://www.osc.edu/
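Pulling the steps debated in this thread into one script, as an added example that is not code from the thread or from the Tomcat project: before running the chown/su steps it checks that the service account exists, is not root and has a real login shell (the objection raised against nobody), and that Tomcat's listening ports are unprivileged. TOMCAT_HOME and the PASSWD_FILE override are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks before starting
# Tomcat as a dedicated unprivileged user. PASSWD_FILE can be overridden so
# the checks can be exercised against a constructed passwd-format file.
PASSWD_FILE=${PASSWD_FILE:-/etc/passwd}
TOMCAT_HOME=${TOMCAT_HOME:-/var/tomcat}   # assumed install location

# Print the login shell of USER from a passwd-format file; empty if unknown.
user_shell() {
    awk -F: -v u="$1" '$1 == u { print $7; exit }' "${2:-$PASSWD_FILE}"
}

# Print the numeric uid of USER; empty if unknown.
user_uid() {
    awk -F: -v u="$1" '$1 == u { print $3; exit }' "${2:-$PASSWD_FILE}"
}

# Succeed only if USER exists, is not uid 0 and has a usable shell
# (nobody typically has /sbin/nologin or /bin/false, which breaks Runtime.exec).
check_service_user() {
    uid=$(user_uid "$1" "$2")
    shell=$(user_shell "$1" "$2")
    [ -n "$uid" ] || { echo "no such user: $1" >&2; return 1; }
    [ "$uid" -ne 0 ] || { echo "refusing to run Tomcat as root" >&2; return 1; }
    case "$shell" in
        ""|*/nologin|*/false) echo "user $1 has no login shell" >&2; return 1 ;;
    esac
    return 0
}

# Succeed only if every port given is unprivileged (>= 1024), so no root needed.
ports_unprivileged() {
    for p in "$@"; do
        [ "$p" -ge 1024 ] || { echo "port $p needs root to bind" >&2; return 1; }
    done
    return 0
}

# Run the checks, then apply the ownership and startup steps from the thread.
start_tomcat() {
    user=${1:-tomcat}
    check_service_user "$user" || return 1
    ports_unprivileged 8007 8009 8080 8443 || return 1
    chown -R "$user:$user" "$TOMCAT_HOME"
    su - "$user" -c "$TOMCAT_HOME/bin/startup.sh"
}

# Usage (as root): sh start-tomcat.sh start tomcat
case "${1:-}" in start) start_tomcat "${2:-tomcat}" ;; esac
```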