
I'm well aware that running tomcat6 is really bad from a security point of view - and opens the box it is running on to all kinds of security risks and attack vectors. That said:

When I change the entry in the /etc/init.d/tomcat6 to

TOMCAT6_USER=root

and then run

sudo /etc/init.d/tomcat6 start

I get

[fail]

and nothing is written to the logs under /var/log/tomcat6 and no entry for tomcat6 is created under /var/run

How do I diagnose what is going wrong?


Additional - note that catalina.err and catalina.out have not been created.

The reason you'd want to do this is because (a) this is a virtual machine running on a dev box and (b) it executes a process in a chroot jail which will only run if executed by a root (c) the process that runs in the chroot jail is a software package which has been obtained from an external

user9517
Hawkeye

2 Answers


Running Tomcat is no more insecure directly than running any other application server.

It's more down to common sense security concepts that will make your box safe. You should definitely be using some sort of firewall, especially if your box is public facing.

If your deployed application is insecure and vulnerable to SQL injection, then not even the most expensive servlet container is going to save you, you just have crappy code.

Don't run tomcat6 as root. I can't for the life of me imagine why you'd need/want to do this, and if you have "permissions problems" then You're Doing It Wrong.

I have maintained (and continue to maintain) a number of tomcat 5 and 6 servers running as their respective tomcat users, with no problem deploying webapps. Running servers as root is just too large a security risk, and often a totally unnecessary one.

If you really want to get to the bottom of it, the catalina.out and catalina.err files will probably have more information, but I think running as root is a potentially lethal idea, so I'd probably leave it as the default tomcat system user.

Tom O'Connor
    +1, never run as root. If you really need to execute another process from your webserver, there are other options - compile a stub that runs as root, create a daemon and communicate with it etc. Don't go the easiest way just because that's the first thing you think about. To answer the original question: You can diagnose what you do wrong by looking at your post: "TOMCAT_USER=root" is what is going wrong. Seriously. Really really seriously. – Olaf May 01 '10 at 12:21
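The comment above suggests a separate root daemon that Tomcat talks to, instead of running the whole container as root. The script below is an added example of that pattern, not code from the thread or from the Tomcat project. It assumes a FIFO at /run/jail-helper.fifo, a chroot at /srv/jail with a vendor-daemon inside it, and that Tomcat runs in the tomcat6 group; all of those names are placeholders. The security point is the allowlist: the helper offers exactly two fixed actions, a request is accepted only if it matches a keyword character for character, and the request text is never interpolated into the command that runs.

```shell
#!/bin/sh
# Added example (not from the original thread): a small root-owned helper that
# performs a fixed set of privileged actions on behalf of the unprivileged
# tomcat6 user, so Tomcat itself can stay on its packaged account.
# Assumed names: the FIFO path, the jail root, the daemon inside the jail and
# the tomcat6 group are illustrative placeholders.

JAIL_ROOT=/srv/jail                    # assumed chroot location
JAIL_DAEMON=/usr/local/bin/vendor-daemon   # assumed path inside the jail

# Validate one request line. Only an exact allowlisted keyword is accepted:
# no arguments, no surrounding whitespace, no shell metacharacters. On success
# prints the command to run (built only from our own constants); otherwise
# prints nothing and returns 1.
handle_request() {
    case $1 in
        start-jail) echo "chroot $JAIL_ROOT $JAIL_DAEMON start" ;;
        stop-jail)  echo "chroot $JAIL_ROOT $JAIL_DAEMON stop" ;;
        *)          return 1 ;;
    esac
}

# Serve forever. Meant to be started as root from an init script: it creates a
# root-owned FIFO that only the tomcat6 group can write (mode 620), reads one
# request per line, and runs the allowlisted command or logs the rejection.
serve() {
    fifo=${1:-/run/jail-helper.fifo}
    [ -p "$fifo" ] || mkfifo -m 620 "$fifo"
    chown root:tomcat6 "$fifo" || return 1
    while true; do
        # each open of the FIFO serves one writer; reopen after it closes
        while IFS= read -r req; do
            if cmd=$(handle_request "$req"); then
                logger -t jail-helper "running: $cmd"
                $cmd   # word-split our own constant string; request text never reaches a shell
            else
                logger -t jail-helper "rejected request: $req"
            fi
        done <"$fifo"
    done
}

if [ "${1:-}" = "--serve" ]; then serve "${2:-}"; fi
```

On the Tomcat side the webapp (running as tomcat6) asks for the privileged action with nothing more than `echo start-jail > /run/jail-helper.fifo`; anything else it writes is logged and ignored. Adding a capability means adding a line to the `case` in handle_request, which keeps the privileged surface reviewable in one place.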

The question being asked here appears to be - how would you debug a shell script to see what is going on - to do that you'd run it as:

sudo bash -x -v /etc/init.d/tomcat6 start

and read the output to see what is going on.

It actually looks like Ubuntu has been set up not to allow this easily. A whole load of directories have been set to ownership by the tomcat6 user only (i.e. not the root user). To see which ones they are - run the command

find / -user tomcat6

For the sake of respecting the intents of the Ubuntu/Tomcat6 packagers for security purposes - I'm not going to publish what you'd do after this.

Hawkeye
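To make the diagnosis in the answer above concrete, here is an added shell script (not from the thread, and not the Debian/Ubuntu init script) that does the two things the answer recommends: run the init script under `bash -x` and audit who owns the directories it needs. Because the real script, Tomcat and root are not available to a reader who wants to try it, the script builds a constructed stand-in for /etc/init.d/tomcat6 in a temp directory and reproduces the silent failure with the ownership mismatch the other way round (the directories belong to the current user and the script is told to run as tomcat6). The mechanism is the same as in the question: the configured runtime user does not own the pid and log directories, so the script exits before anything is written. It assumes bash is installed and that `stat` is GNU coreutils.

```shell
#!/bin/sh
# Added example (not from the original thread): turning "[fail] with no logs"
# into a concrete cause. Traces the init script with bash -x and audits
# ownership, using a constructed stand-in for /etc/init.d/tomcat6 so it runs
# without root and without Tomcat installed.
# Assumptions: bash is available and stat is GNU coreutils (stat -c).

# Run an init script under bash -x with the runtime user set in its
# environment, saving the trace to a temp file. Prints the trace path and
# returns the script's own exit status, so a failing start can be inspected.
trace_init_script() {
    script=$1 user=$2; shift 2
    trace=$(mktemp)
    TOMCAT6_USER=$user bash -x "$script" "$@" >"$trace" 2>&1
    rc=$?
    echo "$trace"
    return "$rc"
}

# List every path under the given roots that the expected runtime user does
# not own. This is the ownership check behind "find / -user tomcat6", written
# with stat+awk so it also works when the named user does not exist locally.
find_owner_mismatch() {
    expected=$1; shift
    find "$@" -exec stat -c '%U %n' {} + |
        awk -v u="$expected" '$1 != u { print substr($0, length($1) + 2) }'
}

# Constructed stand-in for the packaged init script (not the real one). It
# mimics the relevant precondition: the runtime user must own the pid and log
# directories, otherwise it exits 1 before writing a pid file or a log, which
# is exactly the silent [fail] described in the question.
make_fake_init_script() {
    cat >"$1/tomcat6" <<'EOF'
#!/bin/sh
TOMCAT6_USER=${TOMCAT6_USER:-tomcat6}
case "$1" in
  start)
    for d in "${PIDDIR:?}" "${LOGDIR:?}"; do
        [ "$(stat -c %U "$d")" = "$TOMCAT6_USER" ] || exit 1
    done
    : >"$PIDDIR/tomcat6.pid"
    : >"$LOGDIR/catalina.out"
    ;;
  *) echo "usage: $0 start" >&2; exit 2 ;;
esac
EOF
    chmod +x "$1/tomcat6"
}

# Stand-alone demo: build a tree owned by the current user, start the stand-in
# as a user that does not own it, then show where the trace stopped and which
# paths that user does not own.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/run" "$tmp/log"
    make_fake_init_script "$tmp"
    export PIDDIR="$tmp/run" LOGDIR="$tmp/log"
    rc=0
    trace=$(trace_init_script "$tmp/tomcat6" tomcat6 start) || rc=$?
    echo "init script exit status: $rc"
    echo "--- last lines of the bash -x trace ---"
    tail -n 4 "$trace"
    echo "--- paths not owned by tomcat6 ---"
    find_owner_mismatch tomcat6 "$tmp/run" "$tmp/log"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it as `sh diag.sh --demo` to see the trace end at the `[ ... ] || exit 1` test and the directory list that explains it. On a real box the equivalent is `sudo bash -x /etc/init.d/tomcat6 start 2>&1 | tail` followed by `find_owner_mismatch root /var/log/tomcat6 /var/run/tomcat6`, which lists what the packager deliberately gave to the tomcat6 user; that list is the reason for the [fail], and also the reason the answer stops short of telling you how to override it.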