Nicolas Williams wrote:
> On Fri, Oct 16, 2009 at 03:31:00PM +0200, Petr Sumbera wrote:
>> Danek Duvall wrote:
>>> There's no way to get tomcat to start as root and setuid to webservd and/or
>>> drop all unnecessary privileges? Perhaps have the start method do the
>>> work? If not, then yeah, this is fine.
>> Currently Tomcat SMF manifest takes care of setting 'webservd'
>> credentials and adding extra privilege 'net_privaddr'.
>>
>> I think it's not possible to do this later in start method. I mean to
>> combine 'su' command with 'ppriv'.
>
> Don't use su(1M) -- SMF does not "login" services to their
> method_context users, which su(1M) would do for you here, rather
> inappropriately.
>
> Use pcred(1) and ppriv(1). Or better yet, keep things the way they are,
> don't bother with the PID file, modify the PID file consumers to use SMF
> interfaces to find the service process contract and its members' PIDs.

Tomcat will be started as it is now (no su/pcred/ppriv). It will just be allowed to create a pid file in the /var/tomcat6/logs directory, as was already stated.

Petr