Excellent, something to add in contrib area of tomcat 3.3.x and 4.x ?

- Henri Gomez                    ___[_]____
EMAIL : [EMAIL PROTECTED]           (. .)
PGP KEY : 697ECEDD         ...oOOo..(_)..oOOo...
PGP Fingerprint : 9DF8 1EA8 ED53 2F39 DC9B 904A 364F 80E6

>-----Original Message-----
>From: Pier Fumagalli [mailto:[EMAIL PROTECTED]]
>Sent: Tuesday, June 18, 2002 1:27 AM
>To: Jason Corley
>Cc: Tomcat Users List; Tomcat Developers List
>Subject: Re: chroot tomcat
>
>
>"Jason Corley" <[EMAIL PROTECTED]> wrote:
>
>> Pier,
>> Sorry for emailing you personally but I wasn't sure this is tomcat-dev
>> appropriate. Someone on tomcat-users is asking about chroot and tomcat, and
>> I've seen you mention in the past that you have this set up. I don't know how
>> frequently (or even if) you read tomcat-users, so I thought I'd pass along the
>> note that at least a few people are curious to know how you set that up
>> (myself included). Again, sorry for bugging you offline.
>> Thanks,
>> Jason
>
>Don't worry... It's not easy... Basically, you need to set up a small
>environment to run a chrooted JVM...
>
>I found a little hack, though: with ldd you can start tracking down what
>libraries your JVM requires, and you copy them straight into your chroot
>environment /lib directory, right?
>Do it recursively, so that you won't miss any of them, then, just use this
>little bugger:
>
>#include <sys/types.h>
>#include <unistd.h>
>#include <string.h>
>#include <stdlib.h>
>#include <errno.h>
>#include <stdio.h>
>#include <pwd.h>
>#include <grp.h>
>
>/* Usage: safexec [user] [chroot] [command] [...]
>   Started as root: look the user up in the real /etc, chroot(), drop
>   privileges, then exec the command inside the new root. */
>int main(int argc, char *argv[]) {
>    struct passwd *user=NULL;
>    char **args=NULL;
>    int x;
>
>    if (argc<4) {
>        fprintf(stderr, "Usage: %s [user] [chroot] [command] [...]\n",argv[0]);
>        return(1);
>    }
>
>    /* look the user up before chroot(), while the real /etc is still visible */
>    if ((user=getpwnam(argv[1]))==NULL) {
>        fprintf(stderr, "%s cannot retrieve user \"%s\" profile\n",argv[0],argv[1]);
>        return(2);
>    }
>
>    if (chroot(argv[2])!=0) {
>        fprintf(stderr, "%s cannot chroot to \"%s\"\n",argv[0],argv[2]);
>        return(2);
>    }
>
>    /* chroot() does not move the working directory: without this chdir()
>       the process keeps an open directory that lies outside the new root */
>    if (chdir("/")!=0) {
>        fprintf(stderr, "%s cannot chdir to new root\n", argv[0]);
>        return(2);
>    }
>
>    /* drop supplementary groups and the gid first, the uid last: once the
>       uid is no longer 0 the group changes would be refused */
>    if (setgroups(1,&user->pw_gid)!=0) {
>        fprintf(stderr, "%s cannot set groups id\n", argv[0]);
>        return(2);
>    }
>
>    if (setgid(user->pw_gid)!=0) {
>        fprintf(stderr, "%s cannot set real group id\n", argv[0]);
>        return(2);
>    }
>
>    if (setegid(user->pw_gid)!=0) {
>        fprintf(stderr, "%s cannot set effective group id\n", argv[0]);
>        return(2);
>    }
>
>    if (setuid(user->pw_uid)!=0) {
>        fprintf(stderr, "%s cannot set real user id\n", argv[0]);
>        return(2);
>    }
>
>    if (seteuid(user->pw_uid)!=0) {
>        fprintf(stderr, "%s cannot set effective user id\n", argv[0]);
>        return(2);
>    }
>
>    /* argv[3..argc-1] plus the terminating NULL: argc-2 slots, so the
>       NULL goes at index argc-3 */
>    args=(char **)malloc((argc-2)*sizeof(char *));
>    if (args==NULL) {
>        fprintf(stderr, "%s: %s\n", argv[0], strerror(errno));
>        return(2);
>    }
>    for (x=3; x<argc; x++) args[x-3]=argv[x];
>    args[argc-3]=NULL;
>
>    execvp(argv[3], args);
>    fprintf(stderr, "%s: %s: %s\n", argv[0], argv[3], strerror(errno));
>    return(3);
>}
>
>Marvel of marvels, you compile it statically (I called it "safexec"), run it
>as root (DO NOT INSTALL IT SUID ROOT OR YOU WILL DIE) and all it does is:
>
>1) retrieve the user information from the real /etc
>2) chroot the environment
>3) switch userid and groupid
>4) execute a process...
>
>To launch tomcat, I usually copy /sbin/sh (the static shell) in my chrooted
>environment, install the VM in there, and install tomcat: a layout might
>look like:
>
>$CHROOT/
>    /lib
>    /java
>    /tomcat
>    /bin
>
>In lib I put the libraries required by the VM, in java I install the JVM, in
>tomcat the default tomcat distribution and in /bin the statically linked sh
>and the above little program compiled static as well...
>
>And then (magic):
>
>[root@myhost] ~ # exec env - \
>    CATALINA_HOME=/tomcat \
>    CATALINA_BASE=/tomcat \
>    JAVA_HOME=/java \
>    safexec \
>    nobody $CHROOT /bin/sh -c "exec /tomcat/bin/catalina.sh start"
>
>And you get a nice chrooted tomcat 4.0 running as nobody, without too much
>hassle! :)
>
>It works on Solaris (you might have to tweak it for Linux, I don't use that
>"thing" and neither should you! :) There might be some errors in what I've
>written, my chrooted JVMs are all behind a firewall I can't access from
>here, but, you'll figure a way! :) :) :)
>
>Oh, btw, we use it not only for Tomcat, but for quite a big set of Java
>engines (ServletExec, Orion...).
>
>    Pier (Ccing tomcat-user/dev for the records)
>
>--
>[Perl] combines all the worst aspects of C and Lisp: a billion of different
>sublanguages in one monolithic executable. It combines the power of C with
>the readability of PostScript. [Jamie Zawinski - DNA Lounge - San Francisco]
>
>
>--
>To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
>For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
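The "run ldd recursively and copy the libraries into the chroot" step that Pier describes in prose, written out as a shell script. This is an added example, not code from the thread or from Tomcat: it assumes the `name => /path (0x...)` output format of GNU/Linux `ldd` (Solaris prints a similar form but was not checked here), a `readlink` binary, and takes the chroot directory and the binary as arguments. Libraries are copied path-for-path, so a library that lives in `/usr/lib` on the host ends up in `$CHROOT/usr/lib`, which is where the dynamic loader inside the chroot will look for it; symlinks such as `libc.so.6 -> libc-2.31.so` are recreated as symlinks with their target copied too, since copying only the link name would leave the loader with a dangling link.

```shell
#!/bin/sh
# Added example (not part of the original thread): build the shared-library
# closure of a binary inside a chroot tree, following the "ldd recursively"
# idea from the message above. Assumes GNU/Linux-style ldd output.

# Read ldd output on stdin and print one absolute library path per line.
# Handles "libc.so.6 => /lib/libc.so.6 (0x...)" and the bare loader line
# "/lib64/ld-linux-x86-64.so.2 (0x...)"; skips objects with no file on
# disk (the vdso) and "not found" entries, which would otherwise be
# copied as empty paths.
parse_ldd() {
    awk '
        /not found/          { next }
        / => \//             { print $3; next }
        /^[[:space:]]*\//    { print $1; next }
    '
}

# Copy one absolute path into the chroot, keeping its directory. A symlink
# is recreated as a symlink and its target copied as well, so both the
# soname link and the real file exist inside the new root.
copy_into_chroot() {
    chroot_dir=$1; src=$2
    dest="$chroot_dir$src"
    # already present (file or link): nothing to do, and this stops cycles
    if [ -e "$dest" ] || [ -L "$dest" ]; then return 0; fi
    mkdir -p "$(dirname "$dest")"
    if [ -L "$src" ]; then
        target=$(readlink "$src")
        ln -s "$target" "$dest"
        case $target in
            /*) copy_into_chroot "$chroot_dir" "$target" ;;
            *)  copy_into_chroot "$chroot_dir" "$(dirname "$src")/$target" ;;
        esac
    else
        cp -p "$src" "$dest"
    fi
}

# Copy a binary (or library) and, recursively, everything ldd says it
# needs. ldd on glibc already reports indirect dependencies, but running
# it on each library again catches anything a symlink hop hid.
copy_with_deps() {
    chroot_dir=$1; bin=$2
    copy_into_chroot "$chroot_dir" "$bin"
    for lib in $(ldd "$bin" 2>/dev/null | parse_ldd); do
        [ -e "$chroot_dir$lib" ] || copy_with_deps "$chroot_dir" "$lib"
    done
}

# Usage: sh chroot-libs.sh /path/to/chroot /java/bin/java
if [ "$#" -eq 2 ]; then
    copy_with_deps "$1" "$2"
fi
```

One thing ldd cannot see is what the JVM loads at run time with dlopen(): the java launcher pulls in libjvm.so and the lib*.so files next to it only after it starts, so run `copy_with_deps` over every `.so` under the JDK tree as well, not only over the launcher; that is the "recursively" part in practice.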