Posted to users@tomcat.apache.org by "lauradiara@libero.it" <la...@libero.it> on 2002/03/29 13:41:34 UTC

Tomcat Nobody

Hi all,

I have two considerations about your Tomcat-nobody advice:

1) There is no tomcat4.conf in conf directory.

2) Your advice is to do 
   - chown nobody:nobody /usr/local/tomcat1
   - su -l -c /usr/local/tomcat1/bin/startup.sh

There is a big problem with this procedure, in my opinion: the problem 
is a security problem. We know that Apache runs as nobody, but the 
directories are root:root. The parent process forks child processes 
which are nobody, so if someone tries to execute a CGI, it has no 
privilege. But if you execute "chown nobody:nobody /usr/local/tomcat1", 
all directories are nobody, so anyone can write and do everything.

I'd like to start Tomcat as Apache does, with the same security policy.

Is it possible?

What do you think?

Thanks for your help

Laura

Re: Tomcat Nobody

Posted by Laura <la...@libero.it>.
Hi all,

I have followed your advice and it seems OK! Tomcat is started (with Apache).
In my configuration I have Apache + two Tomcats (4.0.3) with load balancing (I 
use mod_jk).
I have seen, with the top command, all my resources taken by the two Tomcats.
Is it normal?

Must I configure something?

Thanks


Laura



At 14:17, Friday 29 March 2002, you wrote:
> > I have two considerations about your Tomcat-nobody advice:
> > 
> > 1) There is no tomcat4.conf in conf directory.
> > 
> > 2) Your advice is to do 
> >    - chown nobody:nobody /usr/local/tomcat1
> >    - su -l -c /usr/local/tomcat1/bin/startup.sh
> > 
> > There is a big problem with this procedure, in my opinion: the problem 
> > is a security problem. We know that Apache runs as nobody, but the 
> > directories are root:root. The parent process forks child processes 
> > which are nobody, so if someone tries to execute a CGI, it has no 
> > privilege. But if you execute "chown nobody:nobody /usr/local/tomcat1", 
> > all directories are nobody, so anyone can write and do everything.
> > 
> > I'd like to start Tomcat as Apache does, with the same security policy.
>
> 
> First of all, you need to know what you'll be protecting and from whom. I'd
> suggest user "tomcat" and group "tomcat". The vital directories should be
> owned by "root:tomcat". The files should be accessible to the tomcat user
> (which should be in group tomcat). 
> chown -R root:tomcat $CATALINA_HOME
> find $CATALINA_HOME -type f -exec chmod 640 {} \;
> find $CATALINA_HOME -type d -exec chmod 750 {} \;
> chmod 750 $CATALINA_HOME/bin/*.sh
> 
> This way, only members of the "tomcat" group can access those files. They
> should not be world readable, especially "./conf/", since you could be
> storing sensitive data there (database connection parameters, passwords,
> etc.). After this, you should be able to run Tomcat under user "tomcat". 
> One word of caution: only root can open ports below TCP:1024. So, setting
> up an HTTP connector on port 80 will fail. 8080 and WARP should be fine. 
> This idea can be developed further, with virtual hosts placed in separate
> user accounts, both for Apache and Tomcat. The question of access will
> arise, of course. Owners of virtual hosts shouldn't be in the "tomcat" group. A
> directory where they would deploy their web applications should be
> accessible by Tomcat, but they should be able to upload content to it as
> well. 
> Nix.



Re: Tomcat Nobody

Posted by Nikola Milutinovic <Ni...@ev.co.yu>.
> I have two considerations about your Tomcat-nobody advice:
> 
> 1) There is no tomcat4.conf in conf directory.
> 
> 2) Your advice is to do 
>    - chown nobody:nobody /usr/local/tomcat1
>    - su -l -c /usr/local/tomcat1/bin/startup.sh
> 
> There is a big problem with this procedure, in my opinion: the problem 
> is a security problem. We know that Apache runs as nobody, but the 
> directories are root:root. The parent process forks child processes 
> which are nobody, so if someone tries to execute a CGI, it has no 
> privilege. But if you execute "chown nobody:nobody /usr/local/tomcat1", 
> all directories are nobody, so anyone can write and do everything.
> 
> I'd like to start Tomcat as Apache does, with the same security policy.

First of all, you need to know what you'll be protecting and from whom. I'd suggest user "tomcat" and group "tomcat". The vital directories should be owned by "root:tomcat". The files should be accessible to the tomcat user (which should be in group tomcat).

chown -R root:tomcat $CATALINA_HOME
find $CATALINA_HOME -type f -exec chmod 640 {} \;
find $CATALINA_HOME -type d -exec chmod 750 {} \;
chmod 750 $CATALINA_HOME/bin/*.sh

This way, only members of the "tomcat" group can access those files. They should not be world readable, especially "./conf/", since you could be storing sensitive data there (database connection parameters, passwords, etc.). After this, you should be able to run Tomcat under user "tomcat".

One word of caution: only root can open ports below TCP:1024. So, setting up an HTTP connector on port 80 will fail. 8080 and WARP should be fine.

This idea can be developed further, with virtual hosts placed in separate user accounts, both for Apache and Tomcat. The question of access will arise, of course. Owners of virtual hosts shouldn't be in the "tomcat" group. A directory where they would deploy their web applications should be accessible by Tomcat, but they should be able to upload content to it as well.

Nix.
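The following is an added example, not part of the thread: it wraps Nix's chown/find/chmod sequence in a function and adds an audit that fails if anything under the Tomcat tree is still world-accessible. The sample tree and its contents are constructed here; the owner:group argument is assumed to be "root:tomcat" in production and is skipped when the script is not run as root.

```shell
#!/bin/sh
# Added example (not from the thread). Applies the root:tomcat / 750 / 640
# layout described above and verifies that no "other" permission bit survives.
set -eu

# harden_catalina CATALINA_HOME [owner:group]
# Directories 750, files 640, startup scripts 750. chown only runs as root and
# only when an owner is given (assumed "root:tomcat" on a real install).
harden_catalina() {
    home=$1; owner=${2:-}
    if [ -n "$owner" ] && [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner" "$home"
    fi
    find "$home" -type d -exec chmod 750 {} \;
    find "$home" -type f -exec chmod 640 {} \;
    chmod 750 "$home"/bin/*.sh
}

# audit_world_access CATALINA_HOME
# Returns 0 when nothing under the tree has any r/w/x bit for "other",
# 1 otherwise, listing offenders on stderr (octal masks keep find POSIX-portable).
audit_world_access() {
    home=$1
    bad=$(find "$home" \( -perm -004 -o -perm -002 -o -perm -001 \) -print)
    if [ -n "$bad" ]; then
        printf 'world-accessible paths:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# make_sample_tree: constructed stand-in for $CATALINA_HOME, deliberately
# unpacked world-readable/writable the way a careless install leaves it.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/bin" "$dir/conf" "$dir/webapps/ROOT"
    printf '#!/bin/sh\necho starting\n' > "$dir/bin/startup.sh"
    printf '<Server port="8005"/>\n' > "$dir/conf/server.xml"
    printf 'user=app password=CONSTRUCTED\n' > "$dir/conf/db.properties"
    printf 'hello\n' > "$dir/webapps/ROOT/index.html"
    chmod -R a+rwX "$dir"
    printf '%s\n' "$dir"
}
```

Run `audit_world_access "$CATALINA_HOME"` after the hardening step; a non-zero exit with paths under conf/ listed means the sensitive files Nix mentions are still readable by every local account.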