IWETHEY v. 0.3.0 | TODO

Question about Tomcat conventions.
My development team where I work is in the process of rewriting the main website from PHP to Java. Being part of a large company, though, we have a string of servers to test things on before it gets to "production". So some of these now have Tomcat installed with mod_jk in apache so we can serve the new part of the site from Java and the old part (and the subsidiary sites) from PHP.

The OS is CentOS using the packaged install as starting points. So Apache runs as its own user. We also have a special user that owns the website code and files. Regarding the mod_jk and Tomcat setup, our Ops guy is out on the edge of his knowledge and my lead Java developer colleague is a bit (umm) evangelical about Java. He was transferred from another section who built their website on Java from scratch some years ago.

Currently, the Java deploy makes Tomcat run as root, and all the files are owned by root. :-/ I'm not completely happy with this. Googling finds several discussions about the question of running Tomcat as root, though no obvious resolution, apart from the fact that it seems to have been designed to. (However, since it's behind mod_jk, it's actually listening on a high port, so it would be easy to change.)

So, what's the IGM belief about Tomcat's user? Do people shy away from running it as root? Or do they let it run as root, but have the code owned by some other user? Or some other variation?

Wade.

"Ah -- I take it the doorbell doesn't work?"
We don't run it as root.
Of course, we don't use mod_jk either. We proxy to it (mod_proxy) on dev workstations, and front it with an F5 in TST/QA/PRD.
Regards,
-scott
Welcome to Rivendell, Mr. Anderson.
Don't run as root.
Not that I disagree, but ...
I suspect he was looking more for explanations / reasons than just opinions.
--

Drew
I know just a general best practice,
Unless there is a compelling business case, never run an application as root, as a general security precaution.
Aye.
And experiences, too.

I'm going to ask on the other website we've copied from, too. In all probability, their Tomcat setup runs as root merely because no-one has grown the balls to change it.

AFAIK, Tomcat doesn't need root except for the ability to listen on port 80. But that's not needed for us because we're behind mod_jk. So.

Wade.

"Ah -- I take it the doorbell doesn't work?"
I would think that you wouldn't want it as root.
It seems to me that the general convention is that applications should only run as root when there is a pressing need for it. However...

http://linux-sxs.org...serving/c140.html

3.5. Running Tomcat as Non-Root User

I don't believe there are any issues with running Tomcat as root user. However, for the more security-conscious readers out there, here are some instructions on running Tomcat as a non-root user.

At this stage, the Tomcat packages, files and binaries are owned by root. We will first need to create a Tomcat user and group that will own these files, and under which Tomcat will run.

Tomcat User :: tomcat

Tomcat Group :: tomcat

Not too imaginative, huh? We will now create the Tomcat user and group. Open a terminal window and, as root,

# groupadd tomcat
# useradd -g tomcat -d /opt/tomcat tomcat
# passwd tomcat

Notice that we specified the home directory of Tomcat to be /opt/tomcat. Some people believe that this is good practice because it eliminates an additional home directory that needs to be administered.

Now, we will put everything in /opt/tomcat under Tomcat user and group. As root,

# chown -R tomcat:tomcat /opt/tomcat

If /opt/tomcat is a symlink to your Tomcat install directory, you'll need to do this:

# chown -R tomcat:tomcat /opt/jakarta-tomcat-5.x.xx

Verify that the JAVA_HOME and CATALINA_HOME environment variables are set up for the tomcat user, and you should be good to go. Once the Tomcat binaries are under the Tomcat user, the way you invoke it will be different.

To start Tomcat,

# su - tomcat -c /opt/tomcat/bin/startup.sh

To stop Tomcat,

# su - tomcat -c /opt/tomcat/bin/shutdown.sh

Also, be aware that your web applications will need to be deployed (i.e. copied to the web application directories) as user tomcat, instead of root. A little more hassle, but possibly a little safer too.


FWIW.

Cheers,
Scott.
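An audit script for the setup in the quoted instructions, written here as an added example and not taken from the thread or from linux-sxs.org. It assumes the /opt/tomcat install and the tomcat user and group from the post, and the mod_jk high-port arrangement from the original question; the checks take captured command output as strings so they can also be run against saved listings.

```shell
#!/bin/sh
# Added audit helper for the non-root Tomcat setup described above; this is
# not code from the thread or from linux-sxs.org. Assumes the layout used
# there: install under /opt/tomcat, user and group "tomcat", Tomcat behind
# mod_jk on a high port. Each check takes captured command output as a
# string, so it runs against a live box or against saved listings.
TOMCAT_HOME="${TOMCAT_HOME:-/opt/tomcat}"
TOMCAT_USER="${TOMCAT_USER:-tomcat}"

# $2: lines of "USER COMMAND" as printed by `ps -eo user,comm`.
# Succeeds only if at least one java process exists and all run as user $1.
java_runs_as() {
    printf '%s\n' "$2" | awk -v want="$1" '
        $2 == "java" { seen++; if ($1 != want) bad++ }
        END { exit (seen > 0 && bad == 0) ? 0 : 1 }'
}

# $2: lines of "OWNER PATH" as printed by `find DIR -printf "%u %p\n"`.
# Prints each path not owned by $1 (a chown -R that was missed, or a deploy
# done as root); fails if any were printed.
files_not_owned_by() {
    printf '%s\n' "$2" | awk -v want="$1" '
        NF >= 2 && $1 != want { print $2; n++ }
        END { exit n ? 1 : 0 }'
}

# $1: `netstat -ltnp` or `ss -ltnp` output. Prints ports below 1024 that a
# java process has bound; fails if any. Behind mod_jk there should be none.
java_privileged_ports() {
    printf '%s\n' "$1" | awk '
        /java/ {
            port = ""
            for (i = 1; i <= NF; i++)            # first field that ends in :PORT
                if ($i ~ /:[0-9]+$/) { port = $i; sub(/.*:/, "", port); break }
            if (port != "" && port + 0 < 1024) { print port; n++ }
        }
        END { exit n ? 1 : 0 }'
}

# Run all three checks on the local machine; exit status is the number failed.
run_audit() {
    failed=0
    java_runs_as "$TOMCAT_USER" "$(ps -eo user,comm)" || { echo "FAIL: java not running as $TOMCAT_USER"; failed=$((failed+1)); }
    files_not_owned_by "$TOMCAT_USER" "$(find "$TOMCAT_HOME" -printf '%u %p\n' 2>/dev/null)" || { echo "FAIL: files above not owned by $TOMCAT_USER"; failed=$((failed+1)); }
    java_privileged_ports "$(netstat -ltnp 2>/dev/null || ss -ltnp 2>/dev/null)" || { echo "FAIL: java listening on privileged ports above"; failed=$((failed+1)); }
    return "$failed"
}

case "${1:-}" in --run) run_audit ;; esac
```

Run it as root with `--run` after the chown and the su-based restart; a non-zero exit means one of the three conditions the post relies on does not hold.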
Informative, +5! :)
Alex
Yes, I saw those.
Although it was on another website and was prefaced with a paragraph that implied the author thought it was a waste of time to change the defaults. :-/

But I like, nonetheless.

Wade.

"Ah -- I take it the doorbell doesn't work?"
     Question about Tomcat conventions. - (static) - (8)
         We don't run it as root. - (malraux)
         Don't run as root -NT - (boxley) - (3)
             Not that I disagree, but ... - (drook) - (2)
                 I know just a general best practice, - (boxley)
                 Aye. - (static)
         I would think that you wouldn't want it as root. - (Another Scott) - (2)
             Informative, +5! :) -NT - (a6l6e6x)
             Yes, I saw those. - (static)