Wanted to follow up on this, as I just added 100 lines of permissions to 
catalina.policy, encountering a similar error.
Tomcat typically runs as the 'nobody' account, which as you guessed has very 
few permissions.
My suggestion is to run Tomcat under debug:
sh catalina.sh debug
>run org.apache.catalina.startup.Bootstrap

and watch the permission errors multiply.

Note that you will have to grant RuntimePermission to pretty much every 
non-Tomcat jar to run without exception,
as well as DB and socket I/O.
Also, you'll have to do the same for acquiring and setting environment parameters.

HTH,
Martin --

----- Original Message ----- 
From: "Peter Crowther" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <users@tomcat.apache.org>
Sent: Tuesday, August 01, 2006 8:46 AM
Subject: RE: Servlet that needs ROOT access


> From: Paul McMahon [mailto:[EMAIL PROTECTED] 
> Is it possible to run Tomcat as non ROOT,
> but have a servlet that needs ROOT access?

No.

> Or is the solution to have the servlet application code 
> running as a separate 
> daemon outside tomcat, with some form of comms to tomcat 
> servlet when tasks need to be done?

That would be my preference if I were implementing this.  How much of
your 'servlet application code' *actually* needs root access?  Can you
partition into a small piece that does, and most that doesn't?
Minimising your attack surface in this way would probably be useful.

Can you give us any more information about what you're doing that
requires root?  Does it *have* to require root, or can the requirement
be reduced so that a non-root Tomcat can also do the same thing?  In one
sense this opens up an alternative hole; in another, depending on what
you're doing, that may be better than allowing unrestricted root access
to all tasks.

- Peter
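
The split Peter describes above (a small root-owned helper, with the servlet in a non-root Tomcat asking it to do named tasks) comes down to the check below. This is an added example, not code from the thread; the uid, the two operations, their paths and the JSON request format are all hypothetical assumptions.

```python
import json
import socket
import struct

# Assumed values (hypothetical, not from the thread).
TOMCAT_UID = 1001  # account the non-root Tomcat runs as
# operation -> (argv template the helper runs as root, arguments the servlet may name)
ALLOWED = {
    "restart-service": (["/usr/sbin/service", "{arg}", "restart"], {"ntpd", "cups"}),
    "rotate-log": (["/usr/sbin/logrotate", "-f", "/etc/logrotate.d/{arg}"], {"myapp"}),
}

def peer_uid(conn):
    """uid of the process at the other end of a Unix-domain socket (Linux only)."""
    creds = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                            struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", creds)
    return uid

def authorize(uid, raw):
    """Return (argv, None) if the request may run as root, else (None, reason)."""
    if uid != TOMCAT_UID:
        return None, "peer is not the Tomcat account"
    if len(raw) > 256:
        return None, "request too long"
    try:
        req = json.loads(raw.decode("utf-8"))
    except ValueError:  # covers bad UTF-8 and bad JSON
        return None, "malformed request"
    if not isinstance(req, dict) or set(req) != {"op", "arg"}:
        return None, "unexpected fields"
    op, arg = req["op"], req["arg"]
    if not isinstance(op, str) or op not in ALLOWED:
        return None, "operation not allowed"
    template, allowed_args = ALLOWED[op]
    if not isinstance(arg, str) or arg not in allowed_args:
        return None, "argument not allowed"
    # An argv list, never a shell string: the servlet picks from a fixed menu
    # and cannot supply a command line or a path of its own.
    return [part.replace("{arg}", arg) for part in template], None
```

The helper would call `authorize(peer_uid(conn), data)` for each connection and execute only the returned argv, so a compromised servlet can reach these two tasks and nothing else that root can do.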
