André,

On 5/16/13 3:23 AM, André Warnier wrote:
> Andrew Hunt wrote:
>> Hi We have a Tomcat 7.0.39 instance with several applications
>> running within it, but all running as the same user as the Tomcat
>> instance. We have a new application we are wanting to add, but
>> this needs to run with a different user as it has different
>> accesses it needs that cannot be granted to the other
>> applications. I have searched and read, but found anything that
>> looks at this level of configuration.
>>
>> For example, /opt/apache-tomcat-7.0.39/bin/startup.sh is executed
>> as 'fewperms'. It has an application /mydbprocessor that does
>> stuff using a jdbc connection to a db that also executes as
>> fewperms. I am now adding an application /mydeployer that needs
>> to have sudo rights that 'fewperms' may not have (company
>> policy).
>>
>> I would prefer not to have a separate instance of Tomcat to
>> achieve this. Everything I have seen / read about so far is how
>> to access TC as a user with a different user, not how to run an
>> application as a different user.
>>
>
> Well, you have to think that it would have to be the JVM which
> runs Tomcat which would need to be able to switch to another user
> on-the-fly, each time it runs that specific application. I do not
> think that this can easily be done (and there is probably nothing
> in Tomcat per se that would allow this).

+1

I don't know of a multi-user OS that allows a process to run as more
than one user at a time. You can switch-users, but the process must
have that privilege to begin with, and often once you switch (e.g. to
shed privileges), you can't get them back, so it's a one-way trip.

> So I believe that you have no choice but to run another instance
> under that separate user.

+1

> That is probably a good case for an Apache httpd front-end and 2
> Tomcat back-ends.

+1

I would also seriously reconsider running anything that requires
"sudo" access through Tomcat...
you are just asking for trouble from resource management all the way
through security.

-chris
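
The one-way user switch described in the reply above, as an added example that is not part of the original thread: a POSIX C probe that tries to change identity in a child process and then tries to change back. The names `probe_switch` and `child_switch` and the target id 65534 are illustrative assumptions.

```c
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum { SWITCH_ONE_WAY = 0, SWITCH_REFUSED = 1, SWITCH_REVERSIBLE = 2, PROBE_ERROR = 3 };

/* Runs in a forked child so the caller's own identity never changes. */
static int child_switch(uid_t uid, gid_t gid)
{
    uid_t old_uid = geteuid();

    /* Groups and gid go first, while the privilege to change them is
     * still held; the uid goes last. Only root may clear the
     * supplementary group list, so that step is skipped otherwise. */
    if (old_uid == 0 && setgroups(0, NULL) != 0) return SWITCH_REFUSED;
    if (setgid(gid) != 0) return SWITCH_REFUSED;
    if (setuid(uid) != 0) return SWITCH_REFUSED;

    /* When called by root, setuid() replaces the real, effective and
     * saved ids together, so the attempt to go back must fail. */
    if (setuid(old_uid) == 0 || seteuid(old_uid) == 0) return SWITCH_REVERSIBLE;
    return SWITCH_ONE_WAY;
}

/* Reports how a switch to uid/gid would behave for the current process. */
int probe_switch(uid_t uid, gid_t gid)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return PROBE_ERROR;
    if (pid == 0) _exit(child_switch(uid, gid));
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return PROBE_ERROR;
    return WEXITSTATUS(status);
}

int main(void)
{
    static const char *msg[] = { "switched, cannot switch back",
                                 "switch refused", "switched but reversible",
                                 "probe error" };
    /* 65534 is a constructed sample target (commonly "nobody"). */
    printf("euid=%ld: %s\n", (long)geteuid(), msg[probe_switch(65534, 65534)]);
    return 0;
}
```

Run as an unprivileged account such as the thread's 'fewperms', the probe reports a refused switch; run as root, it reports a switch that cannot be undone.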