Re: Security question about Multiple instances of Tomcat running as non-admin users on a single box
Our decision to replace the Mac os Xservers with Windows is purely financial. We already run our software on Windows and though Linux would be a good choice it is less expensive to support a single platform.

We run as many as 15 apps on a single xServe box. The corresponding Oracle 10g databases run on a separate server. Everything is automated. Start up, shutdown, updates etc. are scripted and executed using sudo. Each app runs as a non-admin user and is secure and isolated from the other apps running on that box.

The more I discuss this it appears to be more of an OS question than a Tomcat question. Someone suggested a pilot program. We are currently replicating our multi-app server configuration on a Windows box... trust but verify.

Thanks to everyone for their replies on this question.

Guy

On 1/22/11 2:23 AM, Brett Delle Grazie brett.dellegra...@gmail.com wrote:

> On 21 January 2011 19:29, Jeffrey Janner jeffrey.jan...@polydyne.com wrote:
>> Guy - Why switch to Windows when you can still get OSX Server for Mac Pros or Minis?
>
> Why run Windows at all when you can switch to Linux and have all the command line goodness you were used to in Xserver? ;)
>
>> That out of the way, Tomcat works basically the same on Windows as on Mac, except where running as a service is concerned.
>> Yes, Tomcat will respect Windows permission settings, etc., just like any other Windows app. It should run under a non-admin account. You might have some issues allowing non-admins to start/stop the service however - if that is in your requirements.
>> When all else fails, get you a Windows box and set Tomcat up as you'd like on it and see what problems occur when you try to use it the way you do now. It's called a pilot program.
>> Jeff
>>
>> -Original Message-
>> From: Guy Pontecorvo [mailto:guy.ponteco...@pearson.com]
>> Sent: Friday, January 21, 2011 11:56 AM
>> To: users@tomcat.apache.org
>> Subject: Security question about Multiple instances of Tomcat running as non-admin users on a single box
>>
>> We currently run multiple instances of Tomcat Version 6.0.20, each in its own non-admin user account under Mac OSX 10.5. This has been a great way to host multiple web applications (student information systems) on a single box. Each app is secure in its own user account space and can't read or write outside of its user directory. An administrator can manage them as a whole using sudo.
>>
>> Because Xserve is being discontinued we are considering the possibility of migrating our environment to Windows 2008 R2. We can create the users, run Windows services using the credentials as a local user, name the service whatever we'd like, and stop, start it by that name via scripts.
>>
>> The biggest gotchas I can think of is can we get Tomcat to run as a non-admin user and will Tomcat respect NTFS file system permissions that should be set up for separate logs, temp files, etc.? We have too many instances to consider running each hosted app in its own VM.
>>
>> Thanks in advance for any advice or experience you can share.
>>
>> Guy Pontecorvo
>> Engineering Manager
>> School Systems
>> 10911 White Rock Road
>> Rancho Cordova, CA 95630
>> O: (916) 288-1804
>> M: (530) 701-8842
>> E: guy.ponteco...@pearson.com
>> Pearson
>> Always Learning
>> Learn more at http://www.pearson.com
>>
>> - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>> Confidentiality Notice: This Transmission (including any attachments) may contain information that is privileged, confidential, and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient you are hereby notified that any dissemination, distribution, or copying of this communication is strictly prohibited.
>> If you have received this transmission in error, please immediately reply to the sender or telephone (512) 343-9100 and delete this transmission from your system.
Re: Security question about Multiple instances of Tomcat running as non-admin users on a single box
Hi,

On 25 January 2011 18:00, Guy Pontecorvo guy.ponteco...@pearson.com wrote:

> We run as many as 15 apps on a single xServe box. The corresponding Oracle 10g databases run on a separate server. Everything is automated. Start up, shutdown, updates etc. are scripted and executed using sudo. Each app runs as a non-admin user and is secure and isolated from the other apps running on that box.

For this reason alone I would use Linux. From what you have said, it should be near trivial to move your 15 apps from Xserve to Linux whereas to Windows you're going to have to configure everything again (separate user accounts, separate instances etc).

Both solutions are feasible, it just depends upon:
(a) the amount of work you want to do and
(b) the experience you have with both operating systems.

Good luck.

--
Best Regards,
Brett Delle Grazie
Re: Security question about Multiple instances of Tomcat running as non-admin users on a single box
On 21 January 2011 19:29, Jeffrey Janner jeffrey.jan...@polydyne.com wrote:

> Guy - Why switch to Windows when you can still get OSX Server for Mac Pros or Minis?

Why run Windows at all when you can switch to Linux and have all the command line goodness you were used to in Xserver? ;)

> That out of the way, Tomcat works basically the same on Windows as on Mac, except where running as a service is concerned.
> Yes, Tomcat will respect Windows permission settings, etc., just like any other Windows app. It should run under a non-admin account. You might have some issues allowing non-admins to start/stop the service however - if that is in your requirements.
> When all else fails, get you a Windows box and set Tomcat up as you'd like on it and see what problems occur when you try to use it the way you do now. It's called a pilot program.
> Jeff
>
> -Original Message-
> From: Guy Pontecorvo [mailto:guy.ponteco...@pearson.com]
> Sent: Friday, January 21, 2011 11:56 AM
> To: users@tomcat.apache.org
> Subject: Security question about Multiple instances of Tomcat running as non-admin users on a single box
>
> We currently run multiple instances of Tomcat Version 6.0.20, each in its own non-admin user account under Mac OSX 10.5. This has been a great way to host multiple web applications (student information systems) on a single box. Each app is secure in its own user account space and can't read or write outside of its user directory. An administrator can manage them as a whole using sudo.
>
> Because Xserve is being discontinued we are considering the possibility of migrating our environment to Windows 2008 R2. We can create the users, run Windows services using the credentials as a local user, name the service whatever we'd like, and stop, start it by that name via scripts.
>
> The biggest gotchas I can think of is can we get Tomcat to run as a non-admin user and will Tomcat respect NTFS file system permissions that should be set up for separate logs, temp files, etc.? We have too many instances to consider running each hosted app in its own VM.
>
> Thanks in advance for any advice or experience you can share.
>
> Guy Pontecorvo

--
Best Regards,
Brett Delle Grazie
Re: Security question about Multiple instances of Tomcat running as non-admin users on a single box
Guy Pontecorvo wrote on 21.01.2011 at 09:56 (-0800):

> We currently run multiple instances of Tomcat Version 6.0.20, each in its own non-admin user account under Mac OSX 10.5. This has been a great way to host multiple web applications (student information systems) on a single box. Each app is secure in its own user account space and can't read or write outside of its user directory.

But at the end of your message you write:

> We have too many instances to consider running each hosted app in its own VM.

Well, why would you want to do that anyway? To increase application isolation? So do you have, say, three Tomcats, each in its own JVM, running under a user account of your choice, and each hosting, say, five apps?

> The biggest gotchas I can think of is can we get Tomcat to run as a non-admin user and will Tomcat respect NTFS file system permissions that should be set up for separate logs, temp files, etc.?

Of course you can run Tomcat as non-admin. NTFS permissions are not something Tomcat may choose to respect or ignore, but something that is forced upon Tomcat by the OS.

--
Michael Ludwig
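An added example, not part of the original thread or of Tomcat: a PowerShell check for the pilot setup discussed above, confirming that each Tomcat service logs on as its own account and that no other instance account or broad group holds an Allow entry on its base directory. The service names, paths and account names are assumed placeholders.

```powershell
# Constructed example: service names, paths and accounts are placeholders.
$Instances = @{
    'tomcat-app01' = @{ Base = 'D:\tomcat\app01'; Account = 'tc_app01' }
    'tomcat-app02' = @{ Base = 'D:\tomcat\app02'; Account = 'tc_app02' }
}
# Groups that would let every instance account into a directory.
$Broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'

function Test-InstanceIsolation {
    param([hashtable]$Instances, [string[]]$Broad)
    $findings = @()
    foreach ($name in $Instances.Keys) {
        $inst = $Instances[$name]

        # 1. The service must log on as its own non-admin account.
        $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
        if (-not $svc) {
            $findings += "${name}: service not found"
        } elseif ($svc.StartName -notlike "*\$($inst.Account)") {
            $findings += "${name}: runs as $($svc.StartName), expected $($inst.Account)"
        }

        # 2. No other instance account and no broad group may hold an Allow
        #    entry on this instance's base directory (logs, temp, webapps).
        $others = @($Instances.Values |
            ForEach-Object { $_.Account } |
            Where-Object { $_ -ne $inst.Account })
        foreach ($ace in (Get-Acl -Path $inst.Base).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $id   = $ace.IdentityReference.Value   # e.g. HOST\tc_app02
            $leaf = ($id -split '\\')[-1]          # account name without prefix
            if (($Broad -contains $id) -or ($others -contains $leaf)) {
                $findings += "${name}: $id has $($ace.FileSystemRights) on $($inst.Base)"
            }
        }
    }
    return $findings
}

# No output means no isolation problems were found at this level.
Test-InstanceIsolation -Instances $Instances -Broad $Broad
```

The check reads only the ACL on each base directory; subdirectories with inheritance disabled, and access gained through group membership, need a separate pass.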
Re: Security question about Multiple instances of Tomcat running as non-admin users on a single box
On 1/21/11 5:56 PM, Guy Pontecorvo wrote:

> Because Xserve is being discontinued we are considering the possibility of migrating our environment to Windows 2008 R2

The JDK tools have a few more small functions on *nix than Windows - small but rather useful. This, IMHO, is one key reason to stick with the same ancestry you have now.

p
Security question about Multiple instances of Tomcat running as non-admin users on a single box
We currently run multiple instances of Tomcat Version 6.0.20, each in its own non-admin user account under Mac OSX 10.5. This has been a great way to host multiple web applications (student information systems) on a single box. Each app is secure in its own user account space and can't read or write outside of its user directory. An administrator can manage them as a whole using sudo.

Because Xserve is being discontinued we are considering the possibility of migrating our environment to Windows 2008 R2. We can create the users, run Windows services using the credentials as a local user, name the service whatever we'd like, and stop, start it by that name via scripts.

The biggest gotchas I can think of is can we get Tomcat to run as a non-admin user and will Tomcat respect NTFS file system permissions that should be set up for separate logs, temp files, etc.? We have too many instances to consider running each hosted app in its own VM.

Thanks in advance for any advice or experience you can share.

Guy Pontecorvo
Engineering Manager
School Systems
10911 White Rock Road
Rancho Cordova, CA 95630
O: (916) 288-1804
M: (530) 701-8842
E: guy.ponteco...@pearson.com
Pearson
Always Learning
Learn more at http://www.pearson.com
RE: Security question about Multiple instances of Tomcat running as non-admin users on a single box
Guy - Why switch to Windows when you can still get OSX Server for Mac Pros or Minis?

That out of the way, Tomcat works basically the same on Windows as on Mac, except where running as a service is concerned.
Yes, Tomcat will respect Windows permission settings, etc., just like any other Windows app. It should run under a non-admin account. You might have some issues allowing non-admins to start/stop the service however - if that is in your requirements.
When all else fails, get you a Windows box and set Tomcat up as you'd like on it and see what problems occur when you try to use it the way you do now. It's called a pilot program.

Jeff

-Original Message-
From: Guy Pontecorvo [mailto:guy.ponteco...@pearson.com]
Sent: Friday, January 21, 2011 11:56 AM
To: users@tomcat.apache.org
Subject: Security question about Multiple instances of Tomcat running as non-admin users on a single box

> We currently run multiple instances of Tomcat Version 6.0.20, each in its own non-admin user account under Mac OSX 10.5. This has been a great way to host multiple web applications (student information systems) on a single box. Each app is secure in its own user account space and can't read or write outside of its user directory. An administrator can manage them as a whole using sudo.
>
> Because Xserve is being discontinued we are considering the possibility of migrating our environment to Windows 2008 R2. We can create the users, run Windows services using the credentials as a local user, name the service whatever we'd like, and stop, start it by that name via scripts.
>
> The biggest gotchas I can think of is can we get Tomcat to run as a non-admin user and will Tomcat respect NTFS file system permissions that should be set up for separate logs, temp files, etc.? We have too many instances to consider running each hosted app in its own VM.
>
> Thanks in advance for any advice or experience you can share.
>
> Guy Pontecorvo