Posted to users@tomcat.apache.org by Paul McMahon <pm...@software.plasmon.com> on 2006/08/01 13:02:08 UTC

Servlet that needs ROOT access

Is it possible to run Tomcat as non ROOT (desirable as I see from FAQs/other 
threads), but have a servlet that needs ROOT access?

Or is the solution to have the servlet application code running as a separate 
daemon outside tomcat, with some form of comms to tomcat servlet when tasks 
need to be done?


-Paul

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Servlet that needs ROOT access

Posted by David Smith <dn...@cornell.edu>.
Is it possible to run tomcat as root?  Yes.
Is it advised? No.

I think you're on the right track with the separate process idea.  That 
would limit the opportunities presented to would-be hackers.  Another 
idea, you might be able to do something with the sudo command and 
Runtime.exec() as long as you have very tight control over what commands 
are executed that way.

--David

Paul McMahon wrote:

>Is it possible to run Tomcat as non ROOT (desirable as I see from FAQs/other 
>threads), but have a servlet that needs ROOT access?
>
>Or is the solution to have the servlet application code running as a separate 
>daemon outside tomcat, with some form of comms to tomcat servlet when tasks 
>need to be done?
>
>
>-Paul
>
>
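
The sudo idea from David's reply, sketched as an added example that is not part of the original thread: request data only selects a key from a fixed table and never becomes part of the command line. It uses ProcessBuilder rather than Runtime.exec(); the task names, helper paths, sudo location and sudoers rule are hypothetical.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.concurrent.TimeUnit;

/** Runs a fixed set of root-owned helpers through sudo from a non-root Tomcat. */
public final class PrivilegedTasks {
    // Hypothetical task names and helper paths. Each helper must be root-owned and
    // not writable by the tomcat user, with a matching sudoers rule such as:
    //   tomcat ALL=(root) NOPASSWD: /usr/local/sbin/mount-archive ""
    // (the trailing "" makes sudo refuse any extra arguments).
    private static final Map<String, List<String>> TASKS = Map.of(
        "mount-archive",   List.of("/usr/local/sbin/mount-archive"),
        "unmount-archive", List.of("/usr/local/sbin/unmount-archive"));

    private PrivilegedTasks() {}

    /** Builds argv for a task; anything not in the table is rejected. */
    static List<String> commandFor(String task) {
        List<String> helper = (task == null) ? null : TASKS.get(task);
        if (helper == null) {
            throw new IllegalArgumentException("unknown privileged task");
        }
        // -n: never prompt for a password; --: end of sudo's own options.
        List<String> argv = new ArrayList<>(List.of("/usr/bin/sudo", "-n", "--"));
        argv.addAll(helper);
        return argv;
    }

    /** Runs the task without a shell and returns its exit code. */
    public static int run(String task) throws IOException, InterruptedException {
        ProcessBuilder pb = new ProcessBuilder(commandFor(task));
        pb.environment().clear();   // do not hand Tomcat's environment to the helper
        pb.redirectErrorStream(true);
        pb.redirectOutput(ProcessBuilder.Redirect.DISCARD);
        Process p = pb.start();
        if (!p.waitFor(30, TimeUnit.SECONDS)) {
            p.destroyForcibly();
            throw new IOException("privileged task timed out: " + task);
        }
        return p.exitValue();
    }

    public static void main(String[] args) {
        System.out.println(commandFor("mount-archive"));
        try {
            commandFor("mount-archive /etc");   // extra argument: not a table key
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```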




Re: Servlet that needs ROOT access

Posted by Li <am...@gmail.com>.
Hi Paul,

If you use root to run Tomcat, it means Tomcat can access anywhere your
root can; uploading a simple script (if your application has that function)
can crash your system.

If you create a specific user and group, and define permissions nicely,
this specific user can only do specific things, and you don't need to change
most of the other users' and groups' permissions.

Besides, you can secure your Tomcat by:
1. Start it using "catalina.sh" with the security manager; this would be
more strict, and you have to define your policy well, otherwise your
webapp will not even work.
2. Block certain hosts (assuming you know some IP addresses or ranges
always trying to break into the system...): put them into /etc/hosts.deny.
3. Only open the ports that you need.
4. Use a firewall.
5. ....

To make your Tomcat secure is not just about Tomcat itself; you have to
consider it OS-wide.


Just my opinion, I wish it could help

Regards

Li

On 8/1/06, Paul McMahon <pm...@software.plasmon.com> wrote:
> Yes I meant as root user in Linux, not the ROOT webapp.
>
> I could try giving tomcat user root group access; this is also potentially a
> security hole though?
>
> On Tuesday 01 August 2006 12:14, you wrote:
> > It is possible to run as non root (assume the "root" here is "root"
> > for Unix/Linux?)
> > you can create a specific user say "tomcat" but still assign with
> > group root, or you can create group "tomcat", make sure your jdk is
> > accessible by the tomcat user and or group
> >
> > If you mean the root application in tomcat, yes you can, simply copy
> > your web app structure (index.*, WEB-INF .... ) into root, or you can
> > modify the server.xml baseDoc pointing to / but not webapps, so when
> > you type xxx.xxx.xxx.xxx:8080, it will start up your application ....
> >
> > Not sure whether it is what you are asking..
> >
> > On 8/1/06, Paul McMahon <pm...@software.plasmon.com> wrote:
> > > Is it possible to run Tomcat as non ROOT (desirable as I see from
> > > FAQs/other threads), but have a servlet that needs ROOT access?
> > >
> > > Or is the solution to have the servlet application code running as a
> > > separate daemon outside tomcat, with some form of comms to tomcat servlet
> > > when tasks need to be done?
> > >
> > >
> > > -Paul
> > >
>
> --
> -Paul McMahon
> -01763 261 466 ext 569
>


-- 
When we invent time, we invent death.



Re: Servlet that needs ROOT access

Posted by Paul McMahon <pm...@software.plasmon.com>.
Yes I meant as root user in Linux, not the ROOT webapp.

I could try giving tomcat user root group access; this is also potentially a 
security hole though?

On Tuesday 01 August 2006 12:14, you wrote:
> It is possible to run as non root (assume the "root" here is "root"
> for Unix/Linux?)
> you can create a specific user say "tomcat" but still assign with
> group root, or you can create group "tomcat", make sure your jdk is
> accessible by the tomcat user and or group
>
> If you mean the root application in tomcat, yes you can, simply copy
> your web app structure (index.*, WEB-INF .... ) into root, or you can
> modify the server.xml baseDoc pointing to / but not webapps, so when
> you type xxx.xxx.xxx.xxx:8080, it will start up your application ....
>
> Not sure whether it is what you are asking..
>
> On 8/1/06, Paul McMahon <pm...@software.plasmon.com> wrote:
> > Is it possible to run Tomcat as non ROOT (desirable as I see from
> > FAQs/other threads), but have a servlet that needs ROOT access?
> >
> > Or is the solution to have the servlet application code running as a
> > separate daemon outside tomcat, with some form of comms to tomcat servlet
> > when tasks need to be done?
> >
> >
> > -Paul
> >

-- 
-Paul McMahon
-01763 261 466 ext 569



Re: Servlet that needs ROOT access

Posted by Li <am...@gmail.com>.
It is possible to run as non-root (I assume the "root" here is "root"
for Unix/Linux?).
You can create a specific user, say "tomcat", but still assign it to
group root, or you can create a group "tomcat"; make sure your JDK is
accessible by the tomcat user and/or group.

If you mean the root application in Tomcat, yes you can: simply copy
your web app structure (index.*, WEB-INF ....) into root, or you can
modify the server.xml baseDoc to point to / but not webapps, so when
you type xxx.xxx.xxx.xxx:8080, it will start up your application ....

Not sure whether it is what you are asking..


On 8/1/06, Paul McMahon <pm...@software.plasmon.com> wrote:
> Is it possible to run Tomcat as non ROOT (desirable as I see from FAQs/other
> threads), but have a servlet that needs ROOT access?
>
> Or is the solution to have the servlet application code running as a separate
> daemon outside tomcat, with some form of comms to tomcat servlet when tasks
> need to be done?
>
>
> -Paul
>


-- 
When we invent time, we invent death.
