Posted to users@tomcat.apache.org by "Saha, Rajib" <ra...@sap.com.INVALID> on 2024/02/26 06:11:12 UTC
Need help for a problem on migrating from Tomcat-8 to Tomcat-9
Hi Experts,
In our product, we are using Tomcat [OriginalFileName: prunsrv.exe] for creating a service [say, Service-A]. It's a huge product that has been running in the market for the last 20 years.
We are in the process of moving from Tomcat-8 to Tomcat-9.
When we create Service-A with Tomcat-8 [tomcat8.exe], in the "Services" desktop app we can see the service is created with "Local System" in "Log On as".
When we create Service-A with Tomcat-9 [tomcat9.exe], in the "Services" desktop app we can see the service is created with "Local service" in "Log On as".
It looks like "Local service" has less power than "Local System".
Due to this, Service-A created with Tomcat-9 is failing for several operations inside the product.
Can somebody suggest how we can create a service with Tomcat-9 with the privilege of "Local System"?
Please let me know if any more details are required from my side.
Regards
Rajib
RE: Need help for a problem on migrating from Tomcat-8 to Tomcat-9
Posted by "Saha, Rajib" <ra...@sap.com.INVALID>.
Hi Chris,
I got your point.
Actually, this service is a core service of our product for us, which controls several core servers on it.
But we will definitely see the options to unblock the dependency, as you said.
Regards
Rajib
-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: 27 February 2024 19:51
To: users@tomcat.apache.org
Subject: Re: Need help for a problem on migrating from Tomcat-8 to Tomcat-9
Rajib,
On 2/26/24 23:43, Saha, Rajib wrote:
> Hi Mark,
>
> Thanks for your explanation and suggestion.
> For my use case, I have used the below option and it's working fine.
> =============================
> --ServiceUser="LocalSystem"
> =============================
>
> Thank you very much for showing the way. 😊
I'm glad you got your service working.
But.
Your next task should be to determine why you need to run your service
as (essentially) local-Administrator and fix it so you don't have to.
Anyone who is able to take control of your application will have
complete control of the local machine.
This is a huge red-flag from a security standpoint.
-chris
Re: Need help for a problem on migrating from Tomcat-8 to Tomcat-9
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Rajib,
On 2/26/24 23:43, Saha, Rajib wrote:
> Hi Mark,
>
> Thanks for your explanation and suggestion.
> For my use case, I have used the below option and it's working fine.
> =============================
> --ServiceUser="LocalSystem"
> =============================
>
> Thank you very much for showing the way. 😊
I'm glad you got your service working.
But.
Your next task should be to determine why you need to run your service
as (essentially) local-Administrator and fix it so you don't have to.
Anyone who is able to take control of your application will have
complete control of the local machine.
This is a huge red-flag from a security standpoint.
-chris
RE: Need help for a problem on migrating from Tomcat-8 to Tomcat-9
Posted by "Saha, Rajib" <ra...@sap.com.INVALID>.
Hi Mark,
Thanks for your explanation and suggestion.
For my use case, I have used the below option and it's working fine.
=============================
--ServiceUser="LocalSystem"
=============================
Thank you very much for showing the way. 😊
Regards
Rajib
-----Original Message-----
From: Mark Thomas <ma...@apache.org>
Sent: 26 February 2024 14:23
To: users@tomcat.apache.org
Subject: Re: Need help for a problem on migrating from Tomcat-8 to Tomcat-9
On 26/02/2024 06:11, Saha, Rajib wrote:
> Hi Experts,
>
> In our product, we are using Tomcat [OriginalFileName: prunsrv.exe] for creating a service [say, Service-A]. It's a huge product that has been running in the market for the last 20 years.
> We are in the process of moving from Tomcat-8 to Tomcat-9.
>
> When we create Service-A with Tomcat-8 [tomcat8.exe], in the "Services" desktop app we can see the service is created with "Local System" in "Log On as".
> When we create Service-A with Tomcat-9 [tomcat9.exe], in the "Services" desktop app we can see the service is created with "Local service" in "Log On as".
>
> It looks like "Local service" has less power than "Local System".
> Due to this, Service-A created with Tomcat-9 is failing for several operations inside the product.
That should be a security concern. Local System is broadly equivalent to
local administrator. You generally don't want to be running Tomcat under
Local System.
> Can somebody suggest how we can create a service with Tomcat-9 with the privilege of "Local System"?
Have you looked at the documentation?
https://tomcat.apache.org/tomcat-9.0-doc/windows-service-howto.html
Look for "--ServiceUser"
Mark
Re: Need help for a problem on migrating from Tomcat-8 to Tomcat-9
Posted by Mark Thomas <ma...@apache.org>.
On 26/02/2024 06:11, Saha, Rajib wrote:
> Hi Experts,
>
> In our product, we are using Tomcat [OriginalFileName: prunsrv.exe] for creating a service [say, Service-A]. It's a huge product that has been running in the market for the last 20 years.
> We are in the process of moving from Tomcat-8 to Tomcat-9.
>
> When we create Service-A with Tomcat-8 [tomcat8.exe], in the "Services" desktop app we can see the service is created with "Local System" in "Log On as".
> When we create Service-A with Tomcat-9 [tomcat9.exe], in the "Services" desktop app we can see the service is created with "Local service" in "Log On as".
>
> It looks like "Local service" has less power than "Local System".
> Due to this, Service-A created with Tomcat-9 is failing for several operations inside the product.
That should be a security concern. Local System is broadly equivalent to
local administrator. You generally don't want to be running Tomcat under
Local System.
> Can somebody suggest how we can create a service with Tomcat-9 with the privilege of "Local System"?
Have you looked at the documentation?
https://tomcat.apache.org/tomcat-9.0-doc/windows-service-howto.html
Look for "--ServiceUser"
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
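Added example (not part of the thread, and not code from the Tomcat project): a PowerShell check that reports the "Log On As" account of procrun-based services and flags the ones running as Local System, the situation the replies above warn about. The function name Get-ServiceLogonRisk is hypothetical, and the executable-name patterns are assumptions based on the file names mentioned in the thread (prunsrv.exe, tomcat8.exe, tomcat9.exe).

```powershell
# Added example: list Tomcat/procrun services with their logon account and
# flag those that run as Local System.
function Get-ServiceLogonRisk {
    param(
        # Regex fragments matched against the service executable path.
        # Assumed from the file names in the thread; adjust for renamed binaries.
        [string[]]$ImagePattern = @('prunsrv', 'tomcat\d+\.exe')
    )

    $imageRegex = $ImagePattern -join '|'

    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -match $imageRegex } |
        ForEach-Object {
            # StartName is the account shown as "Log On As" in the Services app.
            $account = [string]$_.StartName

            # switch -Regex is case-insensitive; exactly one branch matches.
            $risk = switch -Regex ($account) {
                '^(LocalSystem|NT AUTHORITY\\SYSTEM)$' {
                    'High: a compromise of the application gives control of the machine'
                }
                '^NT AUTHORITY\\(LocalService|NetworkService)$' {
                    'Reduced: built-in limited account'
                }
                default {
                    'Review: custom account, check its rights and group memberships'
                }
            }

            [pscustomobject]@{
                Service = $_.Name
                Account = $account
                State   = $_.State
                Image   = $_.PathName
                Risk    = $risk
            }
        }
}

# Print one row per matching service on the local machine.
Get-ServiceLogonRisk | Format-Table -AutoSize -Wrap
```

Running this before and after a Tomcat upgrade shows whether an installer or a --ServiceUser override changed the account the service runs under.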