Posted to users@tomcat.apache.org by Lorenzo Jiménez <lj...@nacion.co.cr> on 2005/04/15 16:37:14 UTC

How to change a running Tomcat with root user to other user.

Hi,

Today we saw that our Tomcat 5.0.28 had been installed and it is running with the root user.

Because it is a security hazard,

how can I change it to another, less dangerous user, and
what privileges does it need to have in order to work?

Our system is a RedHat 9.0, 2.4.21-20.ELsmp

Thanks,
Regards,

Lorenzo


-------------------------------------------------------------

If you are not the addressee indicated in this message (or responsible for delivery of the 
message to such person), you may not copy or send this message to anyone, please notify
to infosegura@nacion.com. Click here for important additional terms relating to this e-mail. 
<http://www.nacion.com/disclaimer/index_en2.htm>

-------------------------------------------------------------



---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Re: How to change a running Tomcat with root user to other user.

Posted by Parsons Technical Services <pa...@earthlink.net>.
There are several options:

1. Keep running as root. (Bad as noted)
2. Listen on port above 1024.
3. Apache front end.
4. Use jsvc to start Tomcat as root. Bind to ports and change user.

I think 4 is what you are looking for.

http://jakarta.apache.org/commons/daemon/jsvc.html

Doug



Re: How to change a running Tomcat with root user to other user.

Posted by Anoop kumar V <an...@gmail.com>.
I strongly suggest that you look through the man pages of setuid.

Then you need to make adequate changes with setuid in your startup.sh
file which will help you start the process as a normal user even though
root has started the process during boot.

HTH
-Anoop



-- 
Thanks and best regards,
Anoop



Re: How to change a running Tomcat with root user to other user.

Posted by QM <qm...@brandxdev.net>.
On Fri, Apr 15, 2005 at 08:37:14AM -0600, Lorenzo Jiménez wrote:
: Today we saw that our Tomcat 5.0.28 had been installed and it is running with
: the root user.
: how can I change it to another, less dangerous user, and
: what privileges does it need to have in order to work?

You've already gotten some wise advice from other posters, so I'll just
add this:

If Tomcat doesn't need to bind to a privileged port (below 1024) then
you don't have to use jsvc or netfilter.  You can write an init script
that does one of the following:

1/ su - {user} -c {path to tomcat's startup.sh}
2/ use erni instead of su
3/ use sudo instead of su

In all three cases, the init script (running as root) will change to the
Tomcat user before starting Tomcat.


btw, if Tomcat's been running as root all this time, you'll have to do
some fine-tuning with the permissions to get it to work.  You *could*
just recursively chown the Tomcat dir to the nonroot user; but as long
as you're interested in security, you could determine which files need
to be writable and only chown those.  (Hint: logs, work dir, and maybe
the webapps dir depending on how strict your deployment process is.)

Write back if you want more info.  I've done this before, I just don't
have any examples right in front of me.

-QM

-- 

software   -- http://www.brandxdev.net/
tech news  -- http://www.RoarNetworX.com/
code scan  -- http://www.JxRef.org/
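
Added example (not part of QM's post, and not code from the thread or from the Tomcat project): an init-script fragment for option 1/ above that also checks the ownership hint before starting. The account name "tomcat", the path /opt/tomcat, and the function names audit_perms, start and stop are assumptions; it relies on GNU find, as shipped on Red Hat.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: account "tomcat",
# install directory /opt/tomcat. Needs GNU find (-printf), as on Red Hat.
TOMCAT_USER="${TOMCAT_USER:-tomcat}"
CATALINA_HOME="${CATALINA_HOME:-/opt/tomcat}"
# Directories the service account may own. Add "webapps" only if
# applications are deployed while Tomcat is running.
WRITABLE_DIRS="${WRITABLE_DIRS:-logs work}"

# audit_perms HOME UID "DIRS": print one line per ownership problem.
#   OVER  path: owned by the service uid outside the writable directories
#   UNDER path: inside a writable directory but not owned by the service uid
audit_perms() {
    find "$1" -mindepth 1 -printf '%U %P\n' | LC_ALL=C sort -k2 |
    while read -r owner path; do
        case " $3 " in
            *" ${path%%/*} "*) writable=yes ;;
            *)                 writable=no ;;
        esac
        if [ "$writable" = yes ] && [ "$owner" != "$2" ]; then
            echo "UNDER $path"
        elif [ "$writable" = no ] && [ "$owner" = "$2" ]; then
            echo "OVER $path"
        fi
    done
}

# Start Tomcat as the service account, but only if ownership is as planned.
start() {
    uid=$(id -u "$TOMCAT_USER") || return 1
    problems=$(audit_perms "$CATALINA_HOME" "$uid" "$WRITABLE_DIRS")
    if [ -n "$problems" ]; then
        echo "$problems" >&2
        return 1
    fi
    su - "$TOMCAT_USER" -c "$CATALINA_HOME/bin/startup.sh"
}

stop() {
    su - "$TOMCAT_USER" -c "$CATALINA_HOME/bin/shutdown.sh"
}

case "${1:-}" in
    start) start ;;
    stop)  stop ;;
esac
```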
