Re: can't start cocoon under root
Hummm. I'm not running Apache as root (it's running as nobody). It responds on port 80. I'm starting it with apachectl.

It's generally a better idea to run Apache in front of tomcat for performance reasons. Tomcat is actually pretty slow on the scale of things, where Apache is actually pretty fast (especially 2.xx). If you let it handle the requests and forward them where appropriate you'll be a lot better off. Especially for images.

-Andy

Bruno Dumon wrote:
> On Thu, 2002-07-04 at 21:09, Thomas Garger wrote:
> > but if i don't start tomcat as root, i can not run it under the port 80 - because only the root user has access rights to ports below 1024. am i wrong??
>
> no, that's right.
>
> > or can i configure my linux system, that a normal-user (no root) can start tomcat under the port 90?
>
> Not that I know. Usually Apache is put in front of tomcat (using mod_jk to connect the two). Apache, being a native application, can start as root (so it can bind to port 80), and change the user id of the processes that handle the requests to another user.

-
Please check that your question has not already been answered in the FAQ before posting. http://xml.apache.org/cocoon/faq/index.html
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: can't start cocoon under root
type

    $ xhost +

on a terminal of the user which started the X server.

Kim

PS: why do you want to start tomcat under root user ... this is normally a bad idea.

Quoting Thomas Garger [EMAIL PROTECTED]:
> hi!
> i use tomcat 4.0.1, cocoon 2.0.2 and SUSE linux 8.0
> if i start tomcat under a normal user (not root) everything works fine.
> but if i start tomcat under root user - and i want to access cocoon
> -there is an error message in my catalina.out like this:
>     Xlib: connection to 212.186.159.80:0.0 refused by server
>     Xlib: No protocol specified
> -the cocoon page puts out the following
>     org.apache.cocoon.ProcessingException: Error compiling sitemap: java.lang.InternalError: Can't connect to X11 window server using ':0.0' as the value of the DISPLAY variable.
>     . . .
> -my startup.sh looks as following :
>     export DISPLAY=212.186.159.80:0
>     BASEDIR=`dirname $0`
>     $BASEDIR/catalina.sh start $@
> if i don't put in the line export DISPLAY=212.186.159.80:0, then under a normal user it's also not working
> why this works with a non root user and not with root?
> greetings, tom
Re: can't start cocoon under root
> -there is an error message in my catalina.out like this:
>     Xlib: connection to 212.186.159.80:0.0 refused by server
>     Xlib: No protocol specified
> -the cocoon page puts out the following
>     org.apache.cocoon.ProcessingException: Error compiling sitemap: java.lang.InternalError: Can't connect to X11 window server using ':0.0' as the value of the DISPLAY variable.

I think batik uses the display (which explains why you can't use cocoon on a headless station). The user root is not allowed to access your display through the network. XFree 86 allows display of programs to be exported on distant hosts. It might be misconfigured in your case.

Try the command:

    xhost +    (dangerous on a network)

or

    xhost +127.0.0.1

or either

    xhost +your IP address 212.186.159.80

Point to http://marc.theaimsgroup.com/?l=xml-cocoon-usersw=2r=1s=headless+linuxq=b for more explanations.

Doc taken from http://xml.apache.org/cocoon/installing/index.html :

UNIX with X server

Cocoon is bundled with the Batik (SVG rasterization toolkit) to deliver SVG imaging capabilities. Batik uses Java java.awt library, which (at least in Sun JDK before 1.4) requires graphics display. This means that X server must be running and Cocoon should have permission to connect to it. Easiest way to avoid X server connection problem (and to have mentioned permission) is to install and run Cocoon and entire servlet engine of your choice under regular user account. For security, and many other reasons, X server can be replaced by Xvfb or PJA (alternative awt implementation).

[Note] Sun JDK 1.4 does not require graphics display anymore, but Java has to be started with the argument -Djava.awt.headless=true

Regards
Benoît Clouet
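A startup.sh variant that follows the advice in this thread, as an added example that is not part of any post: it refuses uid 0, starts the JVM with -Djava.awt.headless=true instead of exporting DISPLAY, and can flag an X server left open by 'xhost +'. It assumes a JDK 1.4 JVM and that catalina.sh honours CATALINA_OPTS; the function names are made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes JDK 1.4+ and a catalina.sh
# that reads CATALINA_OPTS. Function names are hypothetical.

# Succeeds only for a non-root uid. $1 = numeric uid (default: the caller's).
not_root() {
    uid=${1:-$(id -u)}
    [ "$uid" -ne 0 ]
}

# Print the JVM options with the headless flag appended exactly once.
# $1 = existing options, may be empty.
headless_opts() {
    case " $1 " in
        *" -Djava.awt.headless=true "*) printf '%s\n' "$1" ;;
        *) printf '%s\n' "${1:+$1 }-Djava.awt.headless=true" ;;
    esac
}

# Succeeds if X access control is switched off, which is the state that
# 'xhost +' leaves behind. $1 = text printed by running `xhost` with no args.
xhost_is_open() {
    printf '%s\n' "$1" | grep -q '^access control disabled'
}

launch() {
    not_root || { echo "refusing to start Tomcat as root" >&2; return 1; }
    unset DISPLAY    # headless AWT needs no X connection, so no xhost change
    CATALINA_OPTS=$(headless_opts "${CATALINA_OPTS:-}")
    export CATALINA_OPTS
    BASEDIR=$(dirname "$0")
    "$BASEDIR/catalina.sh" start
}

# Only start Tomcat when invoked as: startup.sh start
if [ "${1:-}" = start ]; then
    launch
fi
```

On a machine where `xhost +` was already typed, `xhost_is_open "$(xhost)"` reports it, and `xhost -` turns access control back on.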
Re: can't start cocoon under root
True. The processes handling the requests however run as nobody. I suppose one could still find a way to compromise the master process, but I find it way more likely that they'd compromise the children. Furthermore, it's still a horrid idea to run tomcat as root, as you're running *everything* under tomcat as root as well.

-Andy

On Fri, 2002-07-05 at 14:17, Bruno Dumon wrote:
> On Fri, 2002-07-05 at 15:48, Andrew C. Oliver wrote:
> > Hummm. I'm not running Apache as root (it's running as nobody). It responds on port 80. I'm starting it with apachectl.
>
> If it responds to port 80, the main httpd process is running with root privileges. The user that is used for the child processes handling the requests is normally specified using the 'User' directive in the httpd.conf
>
> --
> Bruno

--
http://www.superlinksoftware.com - software solutions for business
http://jakarta.apache.org/poi - Excel/Word/OLE 2 Compound Document in Java
http://krysalis.sourceforge.net/centipede - the best build/project structure a guy/gal could have! - Make Ant simple on complex Projects!
The avalanche has already started. It is too late for the pebbles to vote. -Ambassador Kosh
can't start cocoon under root
hi!

i use tomcat 4.0.1, cocoon 2.0.2 and SUSE linux 8.0

if i start tomcat under a normal user (not root) everything works fine.

but if i start tomcat under root user - and i want to access cocoon

-there is an error message in my catalina.out like this:

    Xlib: connection to 212.186.159.80:0.0 refused by server
    Xlib: No protocol specified

-the cocoon page puts out the following

    org.apache.cocoon.ProcessingException: Error compiling sitemap: java.lang.InternalError: Can't connect to X11 window server using ':0.0' as the value of the DISPLAY variable.
    . . .

-my startup.sh looks as following :

    export DISPLAY=212.186.159.80:0
    BASEDIR=`dirname $0`
    $BASEDIR/catalina.sh start $@

if i don't put in the line export DISPLAY=212.186.159.80:0, then under a normal user it's also not working

why this works with a non root user and not with root?

greetings, tom
Re: can't start cocoon under root
On Thu, 2002-07-04 at 17:33, Thomas Garger wrote:
> hi!
> i use tomcat 4.0.1, cocoon 2.0.2 and SUSE linux 8.0
> if i start tomcat under a normal user (not root) everything works fine.
> but if i start tomcat under root user - and i want to access cocoon
> -there is an error message in my catalina.out like this:
>     Xlib: connection to 212.186.159.80:0.0 refused by server
>     Xlib: No protocol specified

As 'normal user' (the user who started X), enter 'xhost +' (in a console) to allow everyone to connect to your X server, or 'xhost +212.186.159.80' to allow only users from that host.

(nothing cocoon-specific about that)

--
Bruno Dumon http://outerthought.org/
Outerthought - Open Source, Java XML Competence Support Center
[EMAIL PROTECTED]
Re: can't start cocoon under root
just for the record. You really shouldn't run tomcat as root.

Thomas Garger wrote:
> hi!
> i use tomcat 4.0.1, cocoon 2.0.2 and SUSE linux 8.0
> if i start tomcat under a normal user (not root) everything works fine.
> but if i start tomcat under root user - and i want to access cocoon
> -there is an error message in my catalina.out like this:
>     Xlib: connection to 212.186.159.80:0.0 refused by server
>     Xlib: No protocol specified
> -the cocoon page puts out the following
>     org.apache.cocoon.ProcessingException: Error compiling sitemap: java.lang.InternalError: Can't connect to X11 window server using ':0.0' as the value of the DISPLAY variable.
>     . . .
> -my startup.sh looks as following :
>     export DISPLAY=212.186.159.80:0
>     BASEDIR=`dirname $0`
>     $BASEDIR/catalina.sh start $@
> if i don't put in the line export DISPLAY=212.186.159.80:0, then under a normal user it's also not working
> why this works with a non root user and not with root?
> greetings, tom
RE: can't start cocoon under root
why not? could there be some security problems? which one?

greetings, chris

-----Original Message-----
From: Andrew C. Oliver [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 04 July 2002 18:33
To: [EMAIL PROTECTED]
Subject: Re: can't start cocoon under root

just for the record. You really shouldn't run tomcat as root.

Thomas Garger wrote:
> hi!
> i use tomcat 4.0.1, cocoon 2.0.2 and SUSE linux 8.0
> if i start tomcat under a normal user (not root) everything works fine.
> but if i start tomcat under root user - and i want to access cocoon
> -there is an error message in my catalina.out like this:
>     Xlib: connection to 212.186.159.80:0.0 refused by server
>     Xlib: No protocol specified
> -the cocoon page puts out the following
>     org.apache.cocoon.ProcessingException: Error compiling sitemap: java.lang.InternalError: Can't connect to X11 window server using ':0.0' as the value of the DISPLAY variable.
>     . . .
> -my startup.sh looks as following :
>     export DISPLAY=212.186.159.80:0
>     BASEDIR=`dirname $0`
>     $BASEDIR/catalina.sh start $@
> if i don't put in the line export DISPLAY=212.186.159.80:0, then under a normal user it's also not working
> why this works with a non root user and not with root?
> greetings, tom
RE: can't start cocoon under root
On Thu, 4 Jul 2002, Thomas Garger wrote:
> why not? could there be some security problems? which one?

A cool application is to use the SourceWritingTransformer to override the passwd ;-)

> -----Original Message-----
> From: Andrew C. Oliver [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 04 July 2002 18:33
> To: [EMAIL PROTECTED]
> Subject: Re: can't start cocoon under root
>
> just for the record. You really shouldn't run tomcat as root.
>
> Thomas Garger wrote:
> > hi!
> > i use tomcat 4.0.1, cocoon 2.0.2 and SUSE linux 8.0
> > if i start tomcat under a normal user (not root) everything works fine.
> > but if i start tomcat under root user - and i want to access cocoon
> > -there is an error message in my catalina.out like this:
> >     Xlib: connection to 212.186.159.80:0.0 refused by server
> >     Xlib: No protocol specified
> > -the cocoon page puts out the following
> >     org.apache.cocoon.ProcessingException: Error compiling sitemap: java.lang.InternalError: Can't connect to X11 window server using ':0.0' as the value of the DISPLAY variable.
> >     . . .
> > -my startup.sh looks as following :
> >     export DISPLAY=212.186.159.80:0
> >     BASEDIR=`dirname $0`
> >     $BASEDIR/catalina.sh start $@
> > if i don't put in the line export DISPLAY=212.186.159.80:0, then under a normal user it's also not working
> > why this works with a non root user and not with root?
> > greetings, tom
Re: can't start cocoon under root
I can't say. Why? The set of possibilities is infinite. This is a basic principle of unix security. Never run any daemon as root. I for one always create a special user for tomcat. That way if tomcat is compromised, only that which tomcat owns or can write to is compromised. I usually create a special group as well and don't let tomcat own anything.

Asking what are all the security holes is the wrong question. Read: http://www.tldp.org/HOWTO/Security-HOWTO/index.html - while it is aimed at linux, some applies universally to other unices as well.

Do you absolutely trust:

1. tomcat to never have a security hole
2. cocoon to never have a security hole
3. all applications (servlets/etc) running under Cocoon/tomcat to never have security holes.
4. if the answer to any of the above is no, then do you trust EVERY user on the network (for example the internet) to never ever do anything to try and exploit that.

An example:

Say you have a servlet/xsp/action/whatever that based on the passed in username writes a new file in /opt/tomcat/userinfo as to when the user logged in/etc with the username as the filename. You have two parameters, username and the message. The servlet/xsp/action/whatever gets executed on occasion as a service. Usernames are permitted to have web-address-illegal characters in them so you url-encode them. The message is anything.

So I being a savvy hacker set my username to ../../../etc/passwd and the log message to andy:ptpasswd: (can't remember the syntax but you get the point). Well thanks for root access, I'll just telnet (DISABLE TELNET and use SSH) into your box and format the hard drive or use it to hack into the military or crash yahoo with flood attacks or something... Those nice men in the black suits will be at your door shortly to question you about your internet usage...

Okay...a bit of an exaggeration... Don't run tomcat (or anything else where you have a choice) as root.

-Andy

Thomas Garger wrote:
> why not? could there be some security problems? which one?
>
> greetings, chris
>
> -----Original Message-----
> From: Andrew C. Oliver [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 04 July 2002 18:33
> To: [EMAIL PROTECTED]
> Subject: Re: can't start cocoon under root
>
> just for the record. You really shouldn't run tomcat as root.
>
> Thomas Garger wrote:
> > hi!
> > i use tomcat 4.0.1, cocoon 2.0.2 and SUSE linux 8.0
> > if i start tomcat under a normal user (not root) everything works fine.
> > but if i start tomcat under root user - and i want to access cocoon
> > -there is an error message in my catalina.out like this:
> >     Xlib: connection to 212.186.159.80:0.0 refused by server
> >     Xlib: No protocol specified
> > -the cocoon page puts out the following
> >     org.apache.cocoon.ProcessingException: Error compiling sitemap: java.lang.InternalError: Can't connect to X11 window server using ':0.0' as the value of the DISPLAY variable.
> >     . . .
> > -my startup.sh looks as following :
> >     export DISPLAY=212.186.159.80:0
> >     BASEDIR=`dirname $0`
> >     $BASEDIR/catalina.sh start $@
> > if i don't put in the line export DISPLAY=212.186.159.80:0, then under a normal user it's also not working
> > why this works with a non root user and not with root?
> > greetings, tom
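
The file-name handling from Andy's example, sketched in shell as an added example (not code from the thread): the naive mapping next to one that percent-encodes the name so it cannot leave the directory. Function names are hypothetical and the username is assumed to be already URL-decoded; under a dedicated non-root account even the naive version could not write /etc/passwd.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical;
# the username is assumed to arrive already URL-decoded.

# Mapping described in the post: the name is used as a path as-is, so
# "../../../etc/passwd" under /opt/tomcat/userinfo resolves to /etc/passwd.
naive_path() {
    printf '%s/%s\n' "$1" "$2"
}

# Percent-encode every byte except A-Z a-z 0-9 - _ so the result is always
# one file name: '/' becomes %2f and '.' becomes %2e.
encode_name() {
    out=
    for hex in $(printf '%s' "$1" | od -An -tx1); do
        case $hex in
            3[0-9]|4[1-9a-f]|5[0-9a]|6[1-9a-f]|7[0-9a]|2d|5f)
                # allowlisted byte: turn the hex value back into the character
                out=$out$(printf "\\$(printf '%03o' "0x$hex")") ;;
            *)  out=$out%$hex ;;
        esac
    done
    printf '%s\n' "$out"
}

# Hardened mapping: fails on an empty name, otherwise stays inside $1.
userinfo_path() {
    name=$(encode_name "$2")
    [ -n "$name" ] || return 1
    printf '%s/%s\n' "$1" "$name"
}

# Append one login record. $1 = directory, $2 = username, $3 = message.
# Refuses a symlink already sitting at the target (best effort, not race-free).
record_login() {
    target=$(userinfo_path "$1" "$2") || return 1
    [ ! -L "$target" ] || return 1
    printf '%s\n' "$3" >> "$target"
}
```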