Posted to users@tomcat.apache.org by "Turner, John" <JT...@AAS.com> on 2002/12/17 21:10:43 UTC

[OFF-TOPIC] RE: Naïve question about root

Hi -

Not sure what you mean about "logged in as root".  Apache and Tomcat are
services; there is no need for anyone to be "logged in" to run them.

Apache needs to "run as root" to bind to port 80 (root is required to bind
to port numbers < 1024, this is by design in UNIX/Linux), but forks child
processes to handle actual HTTP requests.  Those child processes do not
run as root.

Root should only be allowed under two situations:  physically sitting in
front of the system console (the keyboard and monitor physically connected
to the box), or after successfully logging in as a non-root user via SSH.
Logging in as root, even over SSH, via network is bad practice, because you
always want to know who is logging in as root.  If Bob and Alice both log in
as root over a network without first logging in with their respective
usernames, and one of them does something evil or stupid, you would have no
way of knowing which one of them did it (generally speaking).  However, if
they both log in as Bob and Alice, then Alice switches to root from a
command line using "su", then does something evil, the switch to root will
be in the system logs and you can track it.

In general, it is NOT safe to leave your box "logged in as root".  That's
dangerous practice, but can be expected from someone new to systems
administration.  You're much better off, though, understanding what services
are, how to start them, how to stop them, and how to make sure they run
without needing a user logged in.

Best practice is to SSH as a non-root user (for example, denise) to the box.
Then su to root by typing "su -" and hitting return.  This says "switch to
root and use root's profile".  You'll be prompted for root's password.  Then
start Apache.  As soon as you are done with Apache, type "exit" and hit
return.  Now you are back to denise.  To run Tomcat, most people create a
user called tomcat.  Then they su to tomcat with "su - tomcat" and then type
something like "$CATALINA_HOME/bin/startup.sh".  Once Tomcat starts
successfully, you type "exit" again and you are back to denise.

That point, as denise, is where you want to start editing files, writing
source, etc.  Doing so as root is bad practice, as with root you will never
get a warning about something...root can do anything at anytime anywhere on
the system.  It only takes half a dozen keystrokes or so to ruin your server
for good, and unless you're really good with restoring from backup tapes,
you will probably need to reinstall.

In general, your webapp files should be owned by someone like denise, and be
in the group called "tomcat".  There should be a user tomcat and a group
tomcat.  By letting your application files exist with tomcat group
permissions, you can have the tomcat user execute them without having to
edit them as tomcat user.  A less elegant solution is to just edit your
files as denise, then su to root, then type something like "chown -R
tomcat:tomcat $CATALINA_HOME" and hit return.  That will set the owner and
group of everything from CATALINA_HOME down recursively to tomcat owner,
tomcat group.  But then you would have to give root to every developer,
which is not cool.

To answer your last question about "almost" root, there are any number of
different levels of permissions on a UNIX/Linux system; it's not as simple
as "root" or "not root".  If you want people to be able to do things as root
without actually being root or having the root password, you can use a tool
called sudo (which is short for "su do").  So, denise would log in, and
let's say you wanted to change the owner and group on every file in
CATALINA_HOME.  You would type "sudo chown -R tomcat:tomcat $CATALINA_HOME"
and then you would be prompted for the sudo password (not the same as root
password).  If the right password was given, the command would be performed
AS IF the user was root, but only that command.  After a configured amount
of time (5 minutes, immediately, whatever), the user would lose sudo
permissions and revert back to a regular user.

Sys-admin can get pretty involved...if you are putting things in production,
you will want to be concerned with these things, if only to protect the
stability of your server and the information contained on it.  I would
recommend picking up a book or two, maybe O'Reilly's "Essential System
Administration" along with O'Reilly's "UNIX in a Nutshell" or any other good
Linux systems administration book.

HTH

John
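One way to check the ownership scheme John describes (every file under CATALINA_HOME owned by a developer account, in group tomcat, readable and searchable by that group, never world-writable) is a small POSIX shell audit. This is an added example, not code from the thread; the directory, owner and group names are parameters, and any sample tree it is run on is constructed.

```sh
#!/bin/sh
# Added example, not from the original thread: audit a Tomcat tree against
# the scheme described above, i.e. every file and directory owned by a
# developer account (e.g. denise), in group tomcat, readable (and, for
# directories, searchable) by that group, and never world-writable.
# Prints one line per violation.  ls -ld is used instead of stat because
# its first four fields (mode, links, owner, group) are the same on GNU
# and BSD systems.
#
# Usage: audit_webapp_perms DIR OWNER GROUP
audit_webapp_perms() {
    want_owner=$2
    want_group=$3
    find "$1" -print | while IFS= read -r f; do
        set -- $(ls -ld "$f")      # $1=mode $3=owner $4=group
        mode=$1; owner=$3; group=$4
        [ "$owner" = "$want_owner" ] ||
            echo "$f: owned by $owner, expected $want_owner"
        [ "$group" = "$want_group" ] ||
            echo "$f: group $group, expected $want_group"
        # mode string: type char, then user rwx, group rwx, other rwx
        case $mode in ????-*)     echo "$f: not readable by group $want_group" ;; esac
        case $mode in d?????-*)   echo "$f: directory not searchable by group $want_group" ;; esac
        case $mode in ????????w*) echo "$f: world-writable" ;; esac
    done
}

# Number of violations; 0 means the tree matches the scheme.
count_violations() {
    audit_webapp_perms "$@" | wc -l | tr -d ' '
}

# Stand-alone usage (assumed names): audit_webapp_perms "$CATALINA_HOME" denise tomcat
```

A non-zero count from a cron job or a pre-deploy hook is the cheap way to notice that someone edited a file as root and left it unreadable to the tomcat group.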


> -----Original Message-----
> From: Denise Mangano [mailto:DeniseM@complusdata.com]
> Sent: Tuesday, December 17, 2002 2:53 PM
> To: 'Tomcat Users List'
> Subject: Naïve question about root
> 
> I know this is a naïve question, and slightly irrelevant to the
> newsgroup...
> 
> I keep getting told left and right not to work as root.  I heeded this
> advice a while back and created a user.  Here is the thing.  My RH 7.3
> box, running Apache 1.3.27 & Tomcat 3.1.17 (no I haven't gotten them
> connected with mod_jk yet:) ) is logged in as root.  But I work on my
> files through a secure shell from my workstation, where I log in as the
> user I created.  Is it not safe to leave my box logged in as root?
> 
> My concern is when people access my website can they somehow get into my
> box and wreak havoc?  For example with my current setup people are
> accessing a website hosted on a machine that is logged in with root
> access....   Is it better that I sign in on the actual box as this
> created user only changing login to root as needed or does the logon of
> the actual box not matter as long as I am not messing around as root...?
> If I should sign onto the box as this user, how can I make sure this user
> has rights to Apache and Tomcat?  (as of right now this user has rights
> to execute java commands, but I am not sure if there is anything special
> I need to do for apache and tomcat).  On a side note is there any way to
> create a user that has "almost" root access but can't do the damage root
> can do?
> 
> Again naïve, but thought I would throw it out here anyway :) Thanks!!
> 
> Denise Mangano
> 
> --
> To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
> For additional commands, e-mail: <ma...@jakarta.apache.org>
