Posted to users@tomcat.apache.org by A Yang <ay...@yahoo.ca> on 2001/02/06 15:12:43 UTC

Running Tomcat as non-root

Hello All,

Can anyone tell me how to set up directory permissions
to permit running Tomcat as a non-root user? 

According to previous posts in the mailing list, I
should be using 'su - nobody' when kicking off Tomcat,
but nobody doesn't have authorities to write to
usr/local.

What is the best practise for setting up Tomcat?
/usr/local/tomcat should be owned by Root shouldn't
it? I'm running Red Hat 6.2.

Thanks,


Re: Running Tomcat as non-root

Posted by Geoff Lane <gl...@inclusion.net>.
A Yang wrote:
> 
> > /usr/local/tomcat doesn't necessarily have to be
> > owned by root. The only thing you need to do is make
> > sure that whichever user you run tomcat as has write
> > permissions to the logs, conf and work directories
> > (those are the only ones Tomcat writes to I think).
> 
> I was a little iffy about leaving the entire conf
> directory writable by the nobody group, so I wound up
> just checking the java exceptions and permitting group
> write access to the affected files - mostly they are
> the automatically generated files like *.conf-auto.

I'm sure that will work as long as you don't miss any. :)
Generally the idea is to have a 'root jail' or sandbox. The idea is that
the server (tomcat) will be able to read and possibly write anything in
its sandbox, but not read or write (especially not write) anything
outside of that. This will minimize a security exploit to being able to
trash the sandbox in most cases and not affect the rest of the system.
To truly implement this, native code would need to be called because
these are OS level calls, but you can get a rough approximation with
privileges.
 
> On a side note, I found that I was regenerating the
> Windows registry settings for redirecting IIS every
> time I started up Tomcat.
> 
> > This doesn't have to be 'nobody' though. You could
> > create a tomcat or www user for example.
> 
> Yes, I just figured I would use the same nobody user
> that apache was using.
> 
> Would it be best practises to have apache and tomcat
> running on separate, minimal userids?

That's probably a pretty good idea. This would allow you to limit the
ability of apache to read the 'raw' files that are intended to be served
by tomcat so that people couldn't snoop at your stuff (if you care about
that).

> > And if you want it to be owned by root, that's fine,
> > just use the group permissions to set the write
> > access.
> 
> Do you mean something like:
> 
>  1 -r--rw-r--     1 root     nobody    1024  foo

That's fine, but giving root write access won't hurt anything (if
someone has root privs, they can change the write privs anyway).

-- 
-------------------------------------------
Geoff Lane              <gl...@inclusion.net>
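
An added example (not part of the original thread) of the permission layout discussed above, with a check for the "as long as you don't miss any" concern. The function names are hypothetical; logs, conf and work are the writable directories named in the thread, and the "tomcat" group in the comment is an assumption.

```shell
#!/bin/sh
# Added example: function names are hypothetical; logs, conf and work are
# the writable directories named in the thread.

# Strip group/other write from the whole tree, then grant group write only
# on the three directories Tomcat writes to. Ownership is set separately
# as root, e.g. chown -R root:tomcat "$dir" (the "tomcat" group is assumed).
lock_down() {
    dir=$1
    chmod -R go-w "$dir" || return 1
    for d in logs conf work; do
        if [ -d "$dir/$d" ]; then
            chmod -R g+w "$dir/$d" || return 1
        fi
    done
}

# Print every non-symlink path outside logs/conf/work that is group- or
# world-writable. No output means the service account can write only
# where intended.
audit_writable() {
    dir=$1
    find "$dir" \
        \( -path "$dir/logs" -o -path "$dir/conf" -o -path "$dir/work" \) -prune \
        -o ! -type l \( -perm -020 -o -perm -002 \) -print
}

# Usage: lock_down /usr/local/tomcat && audit_writable /usr/local/tomcat
```

Running audit_writable again after each upgrade or redeploy catches files that arrive with looser modes than the rest of the tree.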

Re: Running Tomcat as non-root

Posted by A Yang <ay...@yahoo.ca>.
> /usr/local/tomcat doesn't necessarily have to be
> owned by root. The only thing you need to do is make
> sure that whichever user you run tomcat as has write
> permissions to the logs, conf and work directories
> (those are the only ones Tomcat writes to I think).

I was a little iffy about leaving the entire conf
directory writable by the nobody group, so I wound up
just checking the java exceptions and permitting group
write access to the affected files - mostly they are
the automatically generated files like *.conf-auto.

On a side note, I found that I was regenerating the
Windows registry settings for redirecting IIS every
time I started up Tomcat.

> This doesn't have to be 'nobody' though. You could 
> create a tomcat or www user for example.

Yes, I just figured I would use the same nobody user
that apache was using.

Would it be best practises to have apache and tomcat
running on separate, minimal userids?

> And if you want it to be owned by root, that's fine,
> just use the group permissions to set the write 
> access.

Do you mean something like:

 1 -r--rw-r--     1 root     nobody    1024  foo

Thanks,


Re: Running Tomcat as non-root

Posted by Geoff Lane <gl...@inclusion.net>.
/usr/local/tomcat doesn't necessarily have to be owned by root.
The only thing you need to do is make sure that whichever user you run
tomcat as has write permissions to the logs, conf and work directories
(those are the only ones Tomcat writes to I think). This doesn't have to
be 'nobody' though. You could create a tomcat or www user for example.
And if you want it to be owned by root, that's fine, just use the group
permissions to set the write access.

A Yang wrote:
> 
> Hello All,
> 
> Can anyone tell me how to set up directory permissions
> to permit running Tomcat as a non-root user?
> 
> According to previous posts in the mailing list, I
> should be using 'su - nobody' when kicking off Tomcat,
> but nobody doesn't have authorities to write to
> usr/local.
> 
> What is the best practise for setting up Tomcat?
> /usr/local/tomcat should be owned by Root shouldn't
> it? I'm running Red Hat 6.2.
> 
> Thanks,

-- 
-------------------------------------------
Geoff Lane              <gl...@inclusion.net>

Re: Running Tomcat as non-root

Posted by Kief Morris <ki...@bitbull.com>.
Jim Crossley typed the following on 12:19 PM 2/6/2001 -0500
>I'm still confused about the -f option, though.  You're not creating
>your server.xml in the shared installation directory, are you?  I
>thought tomcat always used $TOMCAT_HOME/conf/server.xml *unless* you
>specified another location with the -f option.  Please clarify.

Oops, you're right, I am using -f  to point to the conf file.

Kief


Re: Running Tomcat as non-root

Posted by Jim Crossley <jc...@ifleet.com>.
Thanks, Kief.  I'm still kind of an Ant newbie, but I think I see what
you're doing, and it's pretty cool.  :-)

I'm still confused about the -f option, though.  You're not creating
your server.xml in the shared installation directory, are you?  I
thought tomcat always used $TOMCAT_HOME/conf/server.xml *unless* you
specified another location with the -f option.  Please clarify.

With regard to the log files, the default server.xml has those Logger
elements outside the ContextManager element.  The docs made me think I
could move them inside the ContextManager element, making the log file
paths relative to its  "home" attribute.  I suppose I can live with
absolute paths for now, though.

Kief Morris wrote:
> 
> Jim Crossley typed the following on 09:23 AM 2/6/2001 -0500
> >Along those same lines, what's the recommended approach for sharing one
> >installation of tomcat with multiple users?
> 
> >Should they each create their own server.xml and set the "home"
> >attribute of the ContextManager to a location beneath their home
> >directory, specifying the -f option to bin/startup.sh?
> 
> I do this, except for the -f option. I actually use Ant to create my server.xml files,
> here is my template:
> 
> <ContextManager
>         debug="0"
>         workDir="@jsp-dir@"
>         showDebugInfo="true"
>         home="@site-home@">
> 
> Replace @site-home@ with the subdirectory in your user's home area.
> Replace @jsp-dir@ with @site-home@/work.
> 
> >What should the directory structure of that location be?  Any more than
> >"conf", "webapps", "logs"?
> 
> You need a place for the server to write log files and such, the workDir
> in the above snippet. $SITE_HOME/work is good.
> 
> >Should each user's TOMCAT_HOME refer to the shared installation
> >directory or their private workspace?
> 
> The shared installation. This tells Tomcat where to find everything except
> those things you specifically override, which leads to the next issue ...
> 
> >I tried answering "yes" to most of the above, and never could get the
> >log files to show up.
> 
> Tomcat was probably trying to write them in $TOMCAT_HOME/logs.
> You must specifically override this default in the Logger elements of
> server.xml:
> 
>     <Logger name="tc_log"
>                 verbosityLevel = "DEBUG"
>                 path="@log-dir@/tc.log"
>     />
> 
>     <Logger name="servlet_log"
>                 verbosityLevel = "DEBUG"
>                 path="@log-dir@/servlet.log"
>     />
> 
>     <Logger name="JASPER_LOG"
>                 verbosityLevel = "DEBUG"
>                 path="@log-dir@/jasper.log"
>     />
> 
> You'll need to replace @log-dir@ with the full path to the subdirectory in
> the user's home area.
> 
> >And I was surprised that the necessary
> >directories (conf, logs, etc) weren't automatically created in the
> >ContextManager's home.
> 
> No, you'll have to create the directories yourself during the installation. When
> Tomcat runs it assumes everything is already configured properly. You'll probably
> need to make a few shell scripts or Ant build files to automate creation
> of Tomcat sites for your users.
> 
> Kief

Re: Running Tomcat as non-root

Posted by Kief Morris <ki...@bitbull.com>.
Jim Crossley typed the following on 09:23 AM 2/6/2001 -0500
>Along those same lines, what's the recommended approach for sharing one
>installation of tomcat with multiple users?  

>Should they each create their own server.xml and set the "home"
>attribute of the ContextManager to a location beneath their home
>directory, specifying the -f option to bin/startup.sh?  

I do this, except for the -f option. I actually use Ant to create my server.xml files, 
here is my template:

<ContextManager 
	debug="0" 
	workDir="@jsp-dir@" 
	showDebugInfo="true"  
	home="@site-home@">

Replace @site-home@ with the subdirectory in your user's home area.
Replace @jsp-dir@ with @site-home@/work.

>What should the directory structure of that location be?  Any more than
>"conf", "webapps", "logs"?

You need a place for the server to write log files and such, the workDir
in the above snippet. $SITE_HOME/work is good.

>Should each user's TOMCAT_HOME refer to the shared installation
>directory or their private workspace?

The shared installation. This tells Tomcat where to find everything except
those things you specifically override, which leads to the next issue ...

>I tried answering "yes" to most of the above, and never could get the
>log files to show up.  

Tomcat was probably trying to write them in $TOMCAT_HOME/logs.
You must specifically override this default in the Logger elements of 
server.xml:

    <Logger name="tc_log"
                verbosityLevel = "DEBUG"
                path="@log-dir@/tc.log"
    />

    <Logger name="servlet_log"
                verbosityLevel = "DEBUG"
                path="@log-dir@/servlet.log"
    />

    <Logger name="JASPER_LOG"
                verbosityLevel = "DEBUG"
                path="@log-dir@/jasper.log"
    />

You'll need to replace @log-dir@ with the full path to the subdirectory in 
the user's home area.

>And I was surprised that the necessary
>directories (conf, logs, etc) weren't automatically created in the
>ContextManager's home.

No, you'll have to create the directories yourself during the installation. When 
Tomcat runs it assumes everything is already configured properly. You'll probably
need to make a few shell scripts or Ant build files to automate creation
of Tomcat sites for your users.

Kief
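
An added example (not from the original thread and not Kief's Ant build) of the kind of shell script suggested above for creating a per-user site. make_site is a hypothetical helper; the @site-home@, @jsp-dir@ and @log-dir@ tokens and the conf/webapps/logs/work layout come from the thread, and the directory modes are an assumption.

```shell
#!/bin/sh
# Added example: make_site is a hypothetical helper. The three @...@ tokens
# and the conf/webapps/logs/work layout come from the thread.

# make_site TEMPLATE SITE_HOME
# Creates a private site area and writes conf/server.xml with every path
# pointing inside it, so the shared $TOMCAT_HOME can stay read-only.
make_site() {
    template=$1
    site=$2
    case $site in
        /*) ;;
        *) echo "site home must be an absolute path" >&2; return 1 ;;
    esac
    [ -r "$template" ] || { echo "cannot read $template" >&2; return 1; }

    # 0750 directories (assumed policy): nothing for other users.
    ( umask 027
      mkdir -p "$site/conf" "$site/webapps" "$site/logs" "$site/work" ) || return 1

    # Escape characters that are special in a sed replacement.
    esc=$(printf '%s' "$site" | sed 's/[\\&|]/\\&/g')
    out=$site/conf/server.xml
    sed -e "s|@site-home@|$esc|g" \
        -e "s|@jsp-dir@|$esc/work|g" \
        -e "s|@log-dir@|$esc/logs|g" "$template" > "$out" || return 1
    chmod 640 "$out"

    # A leftover token would leave a literal "@...@" path in server.xml.
    if grep -q '@[a-z-]*@' "$out"; then
        echo "unreplaced token in $out" >&2
        return 1
    fi
}

# Usage: make_site /usr/local/tomcat/conf/server.xml.tmpl "$HOME/tomcat-site"
```

The generated file is then passed to bin/startup.sh with the -f option, as clarified elsewhere in the thread.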


Re: Running Tomcat as non-root

Posted by Jim Crossley <jc...@ifleet.com>.
Along those same lines, what's the recommended approach for sharing one
installation of tomcat with multiple users?  
Should they each create their own server.xml and set the "home"
attribute of the ContextManager to a location beneath their home
directory, specifying the -f option to bin/startup.sh?  

What should the directory structure of that location be?  Any more than
"conf", "webapps", "logs"?

Should each user's TOMCAT_HOME refer to the shared installation
directory or their private workspace?

I tried answering "yes" to most of the above, and never could get the
log files to show up.  And I was surprised that the necessary
directories (conf, logs, etc) weren't automatically created in the
ContextManager's home.  I came to the unfortunate conclusion that tomcat
works best when each user installs tomcat in his home directory.  :-(

Anyone had better luck than me?

A Yang wrote:
> 
> Hello All,
> 
> Can anyone tell me how to set up directory permissions
> to permit running Tomcat as a non-root user?
> 
> According to previous posts in the mailing list, I
> should be using 'su - nobody' when kicking off Tomcat,
> but nobody doesn't have authorities to write to
> usr/local.
> 
> What is the best practise for setting up Tomcat?
> /usr/local/tomcat should be owned by Root shouldn't
> it? I'm running Red Hat 6.2.
> 
> Thanks,