Posted to users@tomcat.apache.org by Lorenzo Jiménez <lj...@nacion.co.cr> on 2005/04/15 16:37:14 UTC
How to change a running Tomcat with root user to other user.
Hi,
Today we saw that our Tomcat 5.0.28 had been installed and it is running with the root user.
Because it is a security hazard,
how can I change it to another, less dangerous user, and
what privileges does it need to have in order to work?
Our system is a RedHat 9.0, 2.4.21-20.ELsmp
Thanks,
Regards,
Lorenzo
-------------------------------------------------------------
If you are not the addressee indicated in this message (or responsible for delivery of the
message to such person), you may not copy or send this message to anyone, please notify
to infosegura@nacion.com. Click here for important additional terms relating to this e-mail.
<http://www.nacion.com/disclaimer/index_en2.htm>
-------------------------------------------------------------
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
Re: How to change a running Tomcat with root user to other user.
Posted by Parsons Technical Services <pa...@earthlink.net>.
There are several options:
1. Keep running as root. (Bad as noted)
2. Listen on port above 1024.
3. Apache front end.
4. Use jsvc to start Tomcat as root. Bind to ports and change user.
I think 4 is what you are looking for.
http://jakarta.apache.org/commons/daemon/jsvc.html
Doug
----- Original Message -----
From: "Lorenzo Jiménez" <lj...@nacion.co.cr>
To: "Tomcat Users List" <to...@jakarta.apache.org>
Sent: Friday, April 15, 2005 10:37 AM
Subject: How to change a running Tomcat with root user to other user.
Hi,
Today we saw that our Tomcat 5.0.28 had been installed and it is running
with the root user.
Because it is a security hazard,
how can I change it to another, less dangerous user, and
what privileges does it need to have in order to work?
Our system is a RedHat 9.0, 2.4.21-20.ELsmp
Thanks,
Regards,
Lorenzo
Re: How to change a running Tomcat with root user to other user.
Posted by Anoop kumar V <an...@gmail.com>.
I strongly suggest that you look through the man pages of setuid.
Then you need to make adequate changes with setuid in your startup.sh
file which will help you start the process as a normal user even though
root has started the process during boot.
HTH
-Anoop
On 4/15/05, Lorenzo Jiménez <lj...@nacion.co.cr> wrote:
> Hi,
>
> Today we saw that our Tomcat 5.0.28 had been installed and it is running with the root user.
>
> Because it is a security hazard,
>
> how can I change it to another, less dangerous user, and
> what privileges does it need to have in order to work?
>
> Our system is a RedHat 9.0, 2.4.21-20.ELsmp
>
> Thanks,
> Regards,
>
> Lorenzo
>
--
Thanks and best regards,
Anoop
Re: How to change a running Tomcat with root user to other user.
Posted by QM <qm...@brandxdev.net>.
On Fri, Apr 15, 2005 at 08:37:14AM -0600, Lorenzo Jiménez wrote:
: Today we saw that our Tomcat 5.0.28 had been installed and it is running with
: the root user.
: how can I change it to another, less dangerous user, and
: what privileges does it need to have in order to work?
You've already gotten some wise advice from other posters, so I'll just
add this:
If Tomcat doesn't need to bind to a privileged port (below 1024) then
you don't have to use jsvc or netfilter. You can write an init script
that does one of the following:
1/ su - {user} -c {path to tomcat's startup.sh}
2/ use erni instead of su
3/ use sudo instead of su
In all three cases, the init script (running as root) will change to the
Tomcat user before starting Tomcat.
btw, if Tomcat's been running as root all this time, you'll have to do
some fine-tuning with the permissions to get it to work. You *could*
just recursively chown the Tomcat dir to the nonroot user; but as long
as you're interested in security, you could determine which files need
to be writable and only chown those. (Hint: logs, work dir, and maybe
the webapps dir depending on how strict your deployment process is.)
Write back if you want more info. I've done this before, I just don't
have any examples right in front of me.
-QM
--
software -- http://www.brandxdev.net/
tech news -- http://www.RoarNetworX.com/
code scan -- http://www.JxRef.org/
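
The init-script approach and the selective chown described in the message above, as an added example that is not part of the thread or of Tomcat's own scripts. It assumes an account and group both named tomcat, CATALINA_HOME=/opt/tomcat and a writable set of logs, work and temp; the function names are made up for this sketch.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed: account "tomcat" with a group of
# the same name, CATALINA_HOME=/opt/tomcat, writable set logs/work/temp.
TOMCAT_USER=${TOMCAT_USER:-tomcat}
TOMCAT_GROUP=${TOMCAT_GROUP:-tomcat}
CATALINA_HOME=${CATALINA_HOME:-/opt/tomcat}
WRITABLE_DIRS=${WRITABLE_DIRS:-"logs work temp"}   # add webapps if Tomcat must deploy

# Print each path under $1 that account $2 owns, or that is world-writable,
# outside $WRITABLE_DIRS. Group-write bits are not checked here.
audit_tree() {
    home=$1; user=$2
    set --                        # build "-path DIR -prune -o" per writable dir
    for d in $WRITABLE_DIRS; do
        set -- "$@" -path "$home/$d" -prune -o
    done
    find "$home" "$@" \( -user "$user" -o -perm -0002 \) ! -type l -print
}

# Run as root: root owns the tree, the Tomcat group may read it, and only the
# writable directories are handed to the Tomcat account.
tighten_tree() {
    chown -R root:"$TOMCAT_GROUP" "$CATALINA_HOME"
    chmod -R u=rwX,g=rX,o= "$CATALINA_HOME"
    for d in $WRITABLE_DIRS; do
        chown -R "$TOMCAT_USER" "$CATALINA_HOME/$d"
    done
}

# Init-script start: root refuses to launch if the audit finds anything, then
# changes to the Tomcat account with su before startup.sh runs.
start_tomcat() {
    findings=$(audit_tree "$CATALINA_HOME" "$TOMCAT_USER")
    if [ -n "$findings" ]; then
        printf 'not starting, %s can modify:\n%s\n' "$TOMCAT_USER" "$findings" >&2
        return 1
    fi
    su - "$TOMCAT_USER" -c "$CATALINA_HOME/bin/startup.sh"
}

case "${1:-}" in
    start)   start_tomcat ;;
    audit)   audit_tree "$CATALINA_HOME" "$TOMCAT_USER" ;;
    tighten) tighten_tree ;;
esac
```

Running the audit right after a recursive chown to the Tomcat account lists conf and bin, which is the exposure the selective chown avoids.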