Re: running tomcat as a non-root user?

2003-01-02 Thread Ben Ricker
On Tue, 2002-12-31 at 18:13, waimun wrote:

> P.S. Btw, does anyone know if there is a way where I could run w/o login/su'ing to
> normal user; i.e. as root, fire up startup.sh but processes created will be by owner of
> the tomcat files?

Just create an init-like script that calls the startup.sh using 'su'. The
line would read something like: 'su tomcat -c "/path/to/startup.sh"'.
Then, you can run the init script as root and, well, use it as an init
script!

Ben Ricker
Wellinx.com

-- 
Ben Ricker <[EMAIL PROTECTED]>
Wellinx.com


--
To unsubscribe, e-mail:   <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>




RE: running tomcat as a non-root user?

2003-01-02 Thread Turner, John

Not really.  sudo is more for running tasks as another user, typically root,
that have some endpoint.  Since Tomcat is a service, you are better off
creating a start script that does something like:

su - tomcat -c $CATALINA_HOME/bin/startup.sh

If you run the startup script as root, the "- tomcat -c" in the command says
"switch to user tomcat, get user tomcat's environment, and execute the
command that follows". When Tomcat's startup scripts exit, you will be back
at a root prompt, with the Tomcat service continuing as whatever user you
had on the su command line.

John


> -Original Message-
> From: karthikeyan.balasubramanian
> [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, January 02, 2003 3:25 PM
> To: Tomcat Users List
> Subject: Re: running tomcat as a non-root user?
> 
> 
> Thanks.
> 
> I think you can use "sudo" for this job.
> 
> Karthikeyan.




Re: running tomcat as a non-root user?

2003-01-01 Thread karthikeyan.balasubramanian
Thanks.

I think you can use "sudo" for this job.

Karthikeyan.
- Original Message -
From: "waimun" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, January 01, 2003 5:43 AM
Subject: Re: running tomcat as a non-root user?


> Hi Karthikeyan:
> What I did was basically following those previous mails' help hints.
> First, I created a directory base for my tomcat files, using that I created
> a tomcat user for that and disabled shell access also since I feel that it's
> not needed. Following that, I fire up the tomcat thru startup.sh as usual
> (su and/or login); take note also that if you are binding to port 80 or
> <1024, then you'll still need root access [this is also highlighted by the
> replies]. Of course, if you want more customization, you can then create the
> rc's, and I think that was also mentioned in one of the contributors'
> replies.
>
> Good luck, and Happy New Year.
>
> P.S. Btw, does anyone know if there is a way where I could run w/o
> login/su'ing to normal user; i.e. as root, fire up startup.sh but processes
> created will be by owner of the tomcat files?




Re: running tomcat as a non-root user?

2002-12-31 Thread waimun
Hi Karthikeyan:
What I did was basically following those previous mails' help hints. First, I created
a directory base for my tomcat files, using that I created a tomcat user for that and
disabled shell access also since I feel that it's not needed. Following that, I fire up
the tomcat thru startup.sh as usual (su and/or login); take note also that if you are
binding to port 80 or <1024, then you'll still need root access [this is also highlighted by
the replies]. Of course, if you want more customization, you can then create the rc's,
and I think that was also mentioned in one of the contributors' replies.

Good luck, and Happy New Year.

P.S. Btw, does anyone know if there is a way where I could run w/o login/su'ing to normal
user; i.e. as root, fire up startup.sh but processes created will be by owner of the
tomcat files?

On Wed, Jan 01, 2003 at 02:21:47AM +0530, karthikeyan.balasubramanian wrote:
> Hi, can you tell what are all the steps you followed?
>
> Would be helpful for me in future when I do this.
> 
> karthikeyan.




Re: running tomcat as a non-root user?

2002-12-31 Thread karthikeyan.balasubramanian
Hi, can you tell what are all the steps you followed?

Would be helpful for me in future when I do this.

karthikeyan.
- Original Message -
From: "waimun" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, December 31, 2002 8:41 AM
Subject: Re: running tomcat as a non-root user?


>
> Thanks to all those who responded; John, Mike, Jerry, Ben, Noel. Yes, I
> got it working.
>
> Season's greetings.




Re: running tomcat as a non-root user?

2002-12-30 Thread waimun
Thanks to all those who responded; John, Mike, Jerry, Ben, Noel. Yes, I got it working.

Season's greetings.





RE: running tomcat as a non-root user?

2002-12-30 Thread Noel J. Bergman
> Additionally, you can add the "su tomcat -c" in a wrapper script

That is basically what I do.  It has the advantage that you can put
different tomcats under different users (and thus enforce file system
access).

Even better would be to chroot tomcat.  I don't have that worked out (yet).

--- Noel






RE: running tomcat as a non-root user?

2002-12-30 Thread Ben Ricker
Additionally, you can add the "su tomcat -c" in a wrapper script that
calls the startup.sh file. Mine looks like this:

case "$1" in
  start)
    # Start each Tomcat instance as the unprivileged 'tomcat' user
    echo -n "Starting Tomcat..."
    /bin/su tomcat -c "/usr/local/tomcat1/bin/startup.sh"
    /bin/su tomcat -c "/usr/local/tomcat2/bin/startup.sh"
    ;;
esac

That way, you CAN use root (and a startup script) to start Tomcat and
still get the security benefits of running as an unprivileged, locked
user.

Ben Ricker
Wellinx.com

On Mon, 2002-12-30 at 12:15, Turner, John wrote:
> assume a user named 'tomcat' already created, and a group named 'tomcat'
> already created.
>  
> at a command prompt, as root:
> 
> chown -R tomcat:tomcat $CATALINA_HOME
> su - tomcat
> $CATALINA_HOME/bin/startup.sh
> exit
> 
> Note that if you are running Tomcat on port 80, it must run as root.  You
> shouldn't have to change the permissions on any of the Tomcat files from
> what they are in a default install...I never have.
> 
> John
-- 
Ben Ricker <[EMAIL PROTECTED]>
Wellinx.com
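
Added example, not part of the original posts and not any poster's own script: an init-style wrapper for the su-based start that John Turner and Ben Ricker describe in this thread. It checks the tomcat account and install tree before starting, and passes -s to su when the account's shell has been disabled, as waimun did. The TOMCAT_USER, CATALINA_HOME and PASSWD_FILE defaults and all function names are assumptions.

```sh
#!/bin/sh
# Added example: init-style wrapper for the "su tomcat -c" pattern in this thread.
# Assumed defaults (not from the thread): account name, install dir, passwd path.
TOMCAT_USER="${TOMCAT_USER:-tomcat}"
CATALINA_HOME="${CATALINA_HOME:-/usr/local/tomcat}"
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"

# Print the login shell (7th passwd field) of user $1; empty if no such user.
login_shell_of() {
    awk -F: -v u="$1" '$1 == u { print $7 }' "$PASSWD_FILE"
}

# Print the extra su option needed to run a command as user $1.
# With a disabled shell (nologin/false) plain "su user -c" fails, so root
# overrides the shell for this one command; the account itself stays locked.
su_shell_opt() {
    case "$(login_shell_of "$1")" in
        "")                return 1 ;;          # unknown account: refuse
        */nologin|*/false) echo "-s /bin/sh" ;;
        *)                 echo "" ;;
    esac
}

# List anything under $1 that is not owned by uid $2 or is world-writable.
unsafe_files() {
    find "$1" ! -type l \( ! -user "$2" -o -perm -0002 \) -print
}

main() {
    case "$1" in
      start)
        uid=$(id -u "$TOMCAT_USER") || exit 1
        [ "$uid" -ne 0 ] || { echo "refusing: $TOMCAT_USER is uid 0" >&2; exit 1; }
        bad=$(unsafe_files "$CATALINA_HOME" "$uid")
        [ -z "$bad" ] || { echo "fix owner/mode of:" >&2; echo "$bad" >&2; exit 1; }
        opt=$(su_shell_opt "$TOMCAT_USER") || { echo "no passwd entry" >&2; exit 1; }
        echo "Starting Tomcat as $TOMCAT_USER..."
        # $opt is intentionally unquoted so "-s /bin/sh" splits into two words
        /bin/su $opt "$TOMCAT_USER" -c "$CATALINA_HOME/bin/startup.sh"
        ;;
      *)
        echo "Usage: $0 start" >&2; exit 1 ;;
    esac
}

# Dispatch only when called with an argument, e.g. "./tomcat-init start"
if [ $# -gt 0 ]; then main "$@"; fi
```

Accounts that live only in LDAP or NIS do not appear in /etc/passwd, so the passwd lookup here covers local accounts only.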






RE: running tomcat as a non-root user?

2002-12-30 Thread Turner, John

assume a user named 'tomcat' already created, and a group named 'tomcat'
already created.
 
at a command prompt, as root:

chown -R tomcat:tomcat $CATALINA_HOME
su - tomcat
$CATALINA_HOME/bin/startup.sh
exit

Note that if you are running Tomcat on port 80, it must run as root.  You
shouldn't have to change the permissions on any of the Tomcat files from
what they are in a default install...I never have.

John



-Original Message-
From: waimun
To: [EMAIL PROTECTED]
Sent: 12/30/02 10:25 AM
Subject: running tomcat as a non-root user?

Hi,

Has anybody tried running tomcat as a non-root user in Linux? If so, how
do you proceed (i.e. making script setuid doesn't work for me). Pls
advise.

Thanks a lot!





Re: running tomcat as a non-root user?

2002-12-30 Thread Jerry
Waimun:

I run Tomcat as non-root.

Apache has to be run as root if you use the default port 80, but Tomcat 
has no such requirement.  

If you installed Tomcat as root, use chown to change owner for all 
files and subdirectories of your tomcat installation, then you should be
able to run it as the user that owns the installation.  

Or reinstall into a non-root area.

Jerry

waimun wrote:

Hi,

Has anybody tried running tomcat as a non-root user in Linux? If so, how do you proceed (i.e. making script setuid doesn't work for me). Pls advise.

Thanks a lot!





RE: running tomcat as a non-root user?

2002-12-30 Thread Mike Millson
I have a howto document in pdf and sxw (Open Office) format that may be of
help.

http://www.atsga.com/docs/

Mike

-Original Message-
From: waimun [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 30, 2002 10:25 AM
To: [EMAIL PROTECTED]
Subject: running tomcat as a non-root user?


Hi,

Has anybody tried running tomcat as a non-root user in Linux? If so, how do
you proceed (i.e. making script setuid doesn't work for me). Pls advise.

Thanks a lot!





running tomcat as a non-root user?

2002-12-30 Thread waimun
Hi,

Has anybody tried running tomcat as a non-root user in Linux? If so, how do you 
proceed (i.e. making script setuid doesn't work for me). Pls advise.

Thanks a lot!
