Posted to users@tomcat.apache.org by "Neil B. Cohen" <nc...@verisign.com> on 2007/04/11 16:53:36 UTC

Security question - starting tomcat as non-root user

Hi,

I'm running Tomcat 5.5.20 with an application built under Netbeans 5.5.
The application works fine. I've found a number of things on the web
regarding the issue of running as a non-root user, but none match my
needs exactly. If someone could point me at the right documentation, or
answer directly, I'd be most grateful.

Situation - I am installing tomcat and running it on port 8080. However,
it is currently being started by the root user and I need to change
that.

If I just run the startup script as user 'foo', I get errors because it
can't read various config files in the conf directory, can't write to
the logs directory etc.

As a hack, I changed the permissions on the config files from 600 to
644, and the permissions on the logs directory to 777. I also had to
change the permission on the conf/Catalina/localhost directory to 777
and the server and manager.xml files therein to 644. After I did all
that, I could start tomcat, deploy my .war file and run it, and in fact
it all seems to work.

However, during startup I get error messages like this (from the
catalina.out file):

=========
Apr 11, 2007 10:32:33 AM org.apache.jasper.EmbeddedServletOptions <init>
SEVERE: The scratchDir you specified: /usr/local/Apache/Tomcat/apache-tomcat-5.5.20/work/Catalina/localhost/jsp-examples is unusable.
Apr 11, 2007 10:32:33 AM org.apache.jasper.EmbeddedServletOptions <init>
SEVERE: The scratchDir you specified: /usr/local/Apache/Tomcat/apache-tomcat-5.5.20/work/Catalina/localhost/balancer is unusable.
Apr 11, 2007 10:32:33 AM org.apache.jasper.EmbeddedServletOptions <init>
SEVERE: The scratchDir you specified: /usr/local/Apache/Tomcat/apache-tomcat-5.5.20/work/Catalina/localhost/_ is unusable.
Apr 11, 2007 10:32:33 AM org.apache.jasper.EmbeddedServletOptions <init>
SEVERE: The scratchDir you specified: /usr/local/Apache/Tomcat/apache-tomcat-5.5.20/work/Catalina/localhost/tomcat-docs is unusable.
Apr 11, 2007 10:32:33 AM org.apache.jasper.EmbeddedServletOptions <init>
SEVERE: The scratchDir you specified: /usr/local/Apache/Tomcat/apache-tomcat-5.5.20/work/Catalina/localhost/servlets-examples is unusable.
Apr 11, 2007 10:32:33 AM org.apache.jasper.EmbeddedServletOptions <init>
SEVERE: The scratchDir you specified: /usr/local/Apache/Tomcat/apache-tomcat-5.5.20/work/Catalina/localhost/webdav is unusable.
=============

Note that the permissions on
/usr/local/Apache/Tomcat/apache-tomcat-5.5.20/work/Catalina/localhost are
777, but the directories it is complaining about (servlets-examples,
webdav etc.) don't exist...


So my questions are:

1) Is there a simple way for me to configure the system so I can run the
startup script as user 'foo' instead of 'root'?

2) If not, what is the hard way of doing it? :)  Does changing the
permissions where I did constitute a major security faux pas? I'm
guessing it might, but I'm not 100% sure...

3) Do I need to worry about these error messages? My application seems
to run in spite of them...

Thanks in advance,

nbc

NAME:   Neil B. Cohen (Verisign Inc.)
PHONE:  703-948-4471
DOMAIN: ncohen@verisign.com
*************************************************************
* Murphy's Philosophy: Smile - tomorrow will be worse...    *
*                                                           *
* O'Tooles Commentary: Murphy was an optimist!              *
*************************************************************



---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Security question - starting tomcat as non-root user

Posted by Jasbinder Singh Bali <js...@gmail.com>.
Did you try running tomcat with JSVC? It'll run it as a daemon with the user
privileges of your choice.

On 4/11/07, Neil B. Cohen <nc...@verisign.com> wrote:
>
> I didn't realize it could be that simple :) Thanks very much - I will
> give that a try...
>
>
> Much obliged,
>
> nbc
>
>
> On Wed, 2007-04-11 at 07:59 -0700, Hassan Schroeder wrote:
> > On 4/11/07, Neil B. Cohen <nc...@verisign.com> wrote:
> >
> > > Situation - I am installing tomcat and running it on port 8080.
> However,
> > > it is currently being started by the root user and I need to change
> > > that.
> > >
> > > If I just run the startup script as user 'foo', I get errors because
> it
> > > can't read various config files in the conf directory, can't write to
> > > the logs directory etc.
> >
> > Because having once run as root, all directories and files /created by/
> > Tomcat are owned by root. If you reinstalled and initially started it as
> > user 'foo', everything would be owned by foo.
> >
> > So either reinstall, or change ownership of everything to 'foo'.
> >
> > HTH,
>
>

Re: Security question - starting tomcat as non-root user

Posted by "Neil B. Cohen" <nc...@verisign.com>.
I didn't realize it could be that simple :) Thanks very much - I will
give that a try...


Much obliged,

nbc


On Wed, 2007-04-11 at 07:59 -0700, Hassan Schroeder wrote:
> On 4/11/07, Neil B. Cohen <nc...@verisign.com> wrote:
> 
> > Situation - I am installing tomcat and running it on port 8080. However,
> > it is currently being started by the root user and I need to change
> > that.
> >
> > If I just run the startup script as user 'foo', I get errors because it
> > can't read various config files in the conf directory, can't write to
> > the logs directory etc.
> 
> Because having once run as root, all directories and files /created by/
> Tomcat are owned by root. If you reinstalled and initially started it as
> user 'foo', everything would be owned by foo.
> 
> So either reinstall, or change ownership of everything to 'foo'.
> 
> HTH,




Re: Security question - starting tomcat as non-root user

Posted by Hassan Schroeder <ha...@gmail.com>.
On 4/11/07, Neil B. Cohen <nc...@verisign.com> wrote:

> Situation - I am installing tomcat and running it on port 8080. However,
> it is currently being started by the root user and I need to change
> that.
>
> If I just run the startup script as user 'foo', I get errors because it
> can't read various config files in the conf directory, can't write to
> the logs directory etc.

Because having once run as root, all directories and files /created by/
Tomcat are owned by root. If you reinstalled and initially started it as
user 'foo', everything would be owned by foo.

So either reinstall, or change ownership of everything to 'foo'.

HTH,
-- 
Hassan Schroeder ------------------------ hassan.schroeder@gmail.com

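As an added example (not code from anyone in this thread), this is what "change ownership of everything to 'foo'" looks like when done with least privilege rather than chmod 777: the whole tree goes to the service account, 'other' gets no bits at all, and only the directories Tomcat actually writes at runtime are treated specially. It assumes a standard CATALINA_HOME layout (bin/, conf/, logs/, work/, temp/) and a service user and group you pass in; the check function doubles as a post-install audit.

```shell
#!/bin/sh
# Added example (not from the thread): give a Tomcat tree to a dedicated
# service account ('foo' in the original question) with least-privilege
# modes, instead of chmod 777 on logs/ and conf/Catalina/localhost.
set -eu

# Trees Tomcat must write at runtime (work/ is where the scratchDirs from
# the catalina.out errors get created). Everything else stays read-only.
TOMCAT_RW_DIRS="logs work temp conf/Catalina/localhost"

# usage: tomcat_fix_perms CATALINA_HOME OWNER GROUP
tomcat_fix_perms() {
  home=$1; owner=$2; group=$3
  chown -R "$owner:$group" "$home"
  # Baseline: directories 750, files 640, so 'other' gets nothing at all.
  find "$home" -type d -exec chmod 750 {} +
  find "$home" -type f -exec chmod 640 {} +
  # The startup/shutdown scripts need their execute bit back.
  find "$home/bin" -type f -name '*.sh' -exec chmod 750 {} +
  # Runtime-writable trees exist and are owned by the service user; 750 is
  # enough for the owner to create children, so no world bits are needed.
  for d in $TOMCAT_RW_DIRS; do
    mkdir -p "$home/$d"
    chmod 750 "$home/$d"
  done
}

# usage: tomcat_check_perms CATALINA_HOME
# Returns 0 if nothing under the tree is world-writable and no file under
# conf/ is world-readable; otherwise lists the offenders on stderr and
# returns 1. Suitable as a post-install or periodic audit.
tomcat_check_perms() {
  home=$1
  bad=$(find "$home" \( -perm -002 \) -o \
        \( -path "$home/conf/*" -type f -perm -004 \))
  [ -z "$bad" ] && return 0
  printf 'insecure permissions:\n%s\n' "$bad" >&2
  return 1
}
```

Run tomcat_fix_perms as root once, then start Tomcat as the service user; a stricter variant keeps conf/ owned by root with group 'foo' and mode 640 so the service account can read but not rewrite its own server.xml.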