On Fri, Oct 16, 2009 at 03:31:00PM +0200, Petr Sumbera wrote:
> Danek Duvall wrote:
> >There's no way to get tomcat to start as root and setuid to webservd and/or
> >drop all unnecessary privileges?  Perhaps have the start method do the
> >work?  If not, then yeah, this is fine.
> 
> Currently the Tomcat SMF manifest takes care of setting 'webservd'
> credentials and adding the extra privilege 'net_privaddr'.
> 
> I think it's not possible to do this later in the start method. I mean to
> combine the 'su' command with 'ppriv'.

Don't use su(1M) -- SMF does not "login" services to their
method_context users, which su(1M) would do for you here, rather
inappropriately.

Use pcred(1) and ppriv(1).  Or better yet, keep things the way they are,
don't bother with the PID file, modify the PID file consumers to use SMF
interfaces to find the service process contract and its members' PIDs.

Nico
-- 
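
The PID-file-free lookup suggested in the message above, as an added example that is not part of the original email: a PID file consumer can ask SMF for the instance's process contract and list its members with Solaris `svcs -H -o ctid` and `pgrep -c`. The function names `service_ctid` and `service_pids` are hypothetical, and only the instance's primary contract is consulted.

```shell
#!/bin/sh
# Added example: resolve a service's PIDs from its SMF process contract
# instead of reading a PID file. Assumes Solaris svcs(1) and pgrep(1).

# Print the primary contract ID of one service instance.
# Returns 1 if the FMRI is unknown or ambiguous, 2 if it has no contract.
service_ctid() {
    fmri=$1
    # -H: no header; -o ctid: only the contract ID column.
    out=$(svcs -H -o ctid "$fmri" 2>/dev/null) || return 1
    # A pattern that matches several instances yields several lines.
    set -- $out
    [ "$#" -eq 1 ] || return 1
    # svcs prints "-" when the instance has no running contract.
    case $1 in
        ''|-|*[!0-9]*) return 2 ;;
    esac
    printf '%s\n' "$1"
}

# Print the PIDs that are members of the service's contract, one per line.
service_pids() {
    ctid=$(service_ctid "$1") || return $?
    # Solaris pgrep: -c restricts the match to the given contract ID(s).
    pgrep -c "$ctid"
}

# Stand-alone use: pass the service FMRI as the first argument.
if [ "$#" -gt 0 ]; then
    service_pids "$1"
fi
```

Because the contract is maintained by the kernel and svc.startd, this lookup cannot return a stale or reused PID the way a leftover PID file can.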
