
I've got an existing software package that runs on Ubuntu that uses a chroot jail and so needs to be run as root. I want to exec this from a java web application running within Tomcat6 on Ubuntu, so presumably I have to run Tomcat6 as root instead of the Tomcat6 user.

How do I go about changing tomcat6 to run as root instead of the tomcat6 user?

Hawkeye
  • Can you elaborate on what you mean by "I want to exec this from Tomcat6 on Ubuntu"? Do you have a Java web application running within Tomcat that needs to initiate a separate process on the Linux server, or is root access needed for directory/file permission reasons? – David Harrison Apr 26 '10 at 20:01

2 Answers


I am guessing this is related to an earlier question?

Ubuntu - can non-root user run process in chroot jail?

To run Tomcat as root...

Assuming you have installed the tomcat6 package from the Ubuntu repository, edit the /etc/init.d/tomcat6 file and change the line:

TOMCAT6_USER=tomcat6

to read

TOMCAT6_USER=root

That being said...

Running Tomcat as root is not recommended in environments where it is accessible to untrusted clients (e.g. the Internet). The problem is that if Tomcat or one of the web applications running within it is exploited in some manner, it has full access to the underlying system, e.g. it can modify files, execute processes, etc.

Granted the chances of this are slim, but it is better to plan for the worst and hope for the best.

A more secure approach is to continue running Tomcat as the default tomcat6 user and have that call the external, chrooted process in a more isolated manner. How you do this depends on the process that is being called and what needs to occur.

If you post information on the process being called, what it is doing and why, others will be able to help you identify the best way of achieving this. For example, you could set up a monitor that executes the chrooted task whenever the contents of a directory change, or a local web service that Tomcat can call to run the process.

David Harrison
  • It's probably worth noting that Tomcat in Ubuntu is setup not to allow easily changing the user just in the file. Several directories have been set up as the tomcat6 user only - and can't be used by tomcat6 as the root user. Clearly the intentions of the Ubuntu packagers were that you shouldn't need to change the user for security reasons. If you really need to get around this - then you'd do something like this: http://snipplr.com/view/14971/change-ownership-of-all-files-owned-by-user1-to-user2/ – Hawkeye May 01 '10 at 23:37
  • If you want to run Tomcat as root this isn't a problem because root trumps everything. However if you want to run it as a non-root account you'll need to make these permission changes. – David Harrison May 02 '10 at 00:27
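The "monitor that executes the chrooted task whenever the contents of a directory change" idea from the answer above, written out as an added example (this is not code from the answer or from the Ubuntu tomcat6 package). Tomcat keeps running as tomcat6 and only drops request files into a spool directory; a small root-run processor validates each request and runs the privileged tool, so the web application never needs root itself. The spool path, the tool path (`PRIVILEGED_CMD`) and the request format (one regular file per request, handed to the tool by path) are placeholders chosen for the example:

```shell
#!/bin/sh
# Added example: root-side spool processor for requests written by tomcat6.
# Assumptions (placeholders, not from the question or answers): SPOOL_DIR,
# PRIVILEGED_CMD, and "one regular file per request" as the request format.
SPOOL_DIR="${SPOOL_DIR:-/var/spool/chroot-jobs}"
PRIVILEGED_CMD="${PRIVILEGED_CMD:-/usr/local/bin/chrooted-tool}"   # placeholder

# A request name may only contain [A-Za-z0-9._-] and may not start with a dot,
# so it can never smuggle a path component such as "../x".
valid_job_name() {
    case "$1" in
        ''|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Process every request currently in SPOOL_DIR exactly once.
# Prints the number of requests that PRIVILEGED_CMD completed successfully.
# Anything that is not a plain file with a valid name (symlinks, directories,
# odd names) is discarded and reported on stderr, never passed to the tool.
process_spool_once() {
    count=0
    for f in "$SPOOL_DIR"/*; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # empty directory: glob stays literal
        name=${f##*/}
        # -L is tested before -f because -f follows symlinks.
        if [ -L "$f" ] || [ ! -f "$f" ] || ! valid_job_name "$name"; then
            echo "rejecting $name" >&2
            rm -rf -- "$f"
            continue
        fi
        # Run the privileged tool with a minimal environment. The request file
        # is the only thing tomcat6 controls, so the tool must treat it as
        # untrusted input, never as a command or a path to follow.
        if env -i PATH=/usr/sbin:/usr/bin:/sbin:/bin "$PRIVILEGED_CMD" "$f"; then
            count=$((count + 1))
        else
            echo "job $name failed" >&2
        fi
        rm -f -- "$f"
    done
    echo "$count"
}
```

To use this pattern, create the spool so that tomcat6 can only add files to it (for example `install -d -o root -g tomcat6 -m 1730 /var/spool/chroot-jobs`, an assumed layout), run `process_spool_once` from a root cron entry or a loop, and have the web application write each request under a temporary name and rename it into place, so a half-written file is never picked up.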

Couldn't you set the sticky bit of the software package executable? This would have it always run as the owner of the file, which would be root in this case.

Make the binary executable by all users (or at least, a group which includes tomcat6) and set the user sticky bit.

$ sudo chmod +x binary

OR

$ sudo chmod 750 binary    # (with tomcat6 in the file's group)

then

$ sudo chmod u+s binary

That should do it, unless it doesn't. I don't have practical experience with chroot but in a standard setup this would work.

Also, could one add tomcat6 to the sudoers file, and allow it to run this one "binary" with no password verification?

Think about it.

Luke has no name
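An added check for the setuid route described in the answer above (this is example code, not something the answer or the package provides). A setuid-root binary is only as safe as the file and the directory that hold it: if anyone can replace the file, or the containing directory is world-writable without the sticky bit, the bit hands out root to whoever wins the race. The function below reads the mode string and owner from `ls -ld` and reports what it finds; the binary path is a placeholder:

```shell
#!/bin/sh
# Added example: audit a binary before or after making it setuid for Tomcat.
# Assumptions: the path passed in is a placeholder; mode strings are taken
# from the first ten characters of `ls -ld`, which is portable across Linux
# and BSD userlands.

# classify_mode MODE OWNER DIRMODE
# Prints one finding per line and returns 1 if any finding is a real risk.
classify_mode() {
    mode=$1
    owner=$2
    dirmode=$3
    risk=0
    # Character 4 is the owner execute slot; 's' or 'S' there means setuid.
    case "$mode" in
        ???[sS]*)
            echo "setuid"
            # setuid to a non-root owner is not what the answer intends.
            if [ "$owner" != root ]; then echo "setuid-owner-$owner"; risk=1; fi ;;
        *) echo "no-setuid" ;;
    esac
    # Character 9: write permission for "others" on the file itself.
    case "$mode" in ????????w?) echo "file-world-writable"; risk=1 ;; esac
    # Character 10: execute for "others" (the answer suggests restricting to a group).
    case "$mode" in ?????????[xt]) echo "world-executable" ;; esac
    # Directory: world-writable without the sticky bit lets anyone replace the file.
    case "$dirmode" in ????????wx) echo "dir-world-writable"; risk=1 ;; esac
    return "$risk"
}

# audit_setuid_binary PATH
audit_setuid_binary() {
    bin=$1
    [ -f "$bin" ] || { echo "missing"; return 1; }
    line=$(ls -ld "$bin")
    mode=$(printf '%s\n' "$line" | cut -c1-10)
    owner=$(printf '%s\n' "$line" | awk '{print $3}')
    dirmode=$(ls -ld "$(dirname "$bin")" | cut -c1-10)
    classify_mode "$mode" "$owner" "$dirmode"
}

# Example invocation with a placeholder path:
# audit_setuid_binary /usr/local/bin/chrooted-tool
```

Run it after the `chmod u+s` step from the answer and again whenever the package is upgraded, since a package update can reset the mode; a non-zero exit means the delegation is currently unsafe.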