Chris,

> On 13.05.2020 at 16:42, Christopher Schultz <ch...@christopherschultz.net> wrote:
>
> Peter,
>
> On 5/13/20 02:48, logo wrote:
>> Hi calder,
>>
>>> On 13.05.2020 at 04:59, calder <calder....@gmail.com> wrote:
>>>
>>> On Tue, May 12, 2020, 21:48 kohmoto <kohm...@iris.eonet.ne.jp> wrote:
>>>
>>>> Hi, Calder,
>>>>
>>>> Thank you for your prompt reply. I think Tomcat binary files
>>>> all have root privileges. Should these privileges be
>>>> changed to user privileges?
>>>
>>> Yes.
>>
>> I would suggest leaving the binaries and maybe even config files
>> to root or any other admin. So a hacked tomcat process under the tomcat
>> user will not be able to exchange config or even binaries.
>
> Yes! There really is no need for Tomcat to modify its own config files
> or binaries.
>
>> That will only work if the config will not be changed via
>> host-manager or programmatically.
>
> This shouldn't be too much of a problem. Not many people use the
> host-manager.
>
>> In the past we even held the installed webapps under a different
>> user. But that may be difficult in automated deployments.
>
> This is less important IMO. The owner of the files can be anybody...
> just not the Tomcat user.
>
> And, before anybody says "but.. but... Docker!" you should remember
> that root in a Docker container often ends up having many more
> privileges outside the container than you think it does/should.

Never ignore this! It's as simple as adding the following to your Dockerfile

########
RUN set -x \
 && groupadd tomcat \
 && useradd -g tomcat -s /usr/bin/nologin -m -d /home/tomcat tomcat \
 && chown -R tomcat:tomcat $CATALINA_HOME/logs $CATALINA_HOME/work $CATALINA_HOME/temp
# add $CATALINA_HOME/webapps if you use the manager-app
USER tomcat
########

before running the ENTRYPOINT or CMD.

BTW: that is something that is really missing in the "Official" Tomcat Docker images. (I know they are not maintained by ASF)

Peter

> -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
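The ownership split Peter and Chris describe, as an added check that is not code from the thread or from the Tomcat project: a POSIX shell audit of a CATALINA_HOME that flags bin/, lib/ and conf/ when the service account can write them and logs/, work/ and temp/ when it cannot. The service account and group names are assumed parameters, and the check reads only owner, group and mode bits (ACLs are not inspected), so it runs without root in CI or a container build.

```shell
#!/bin/sh
# Added example: audit a Tomcat installation for the ownership split
# discussed in the thread. Nothing here needs root.

# dir_writable_by DIR USER GROUP -> 0 if USER (a member of GROUP) can write
# DIR, judged from owner/group/mode as printed by `ls -ld`. ACLs are ignored.
dir_writable_by() {
    [ -d "$1" ] || return 1
    set -- "$1" "$2" "$3" $(ls -ld "$1")      # $4=mode $6=owner $7=group
    mode=$4 owner=$6 group=$7
    # Mode string positions: 3 = owner w, 6 = group w, 9 = other w.
    [ "$owner" = "$2" ] && [ "$(printf '%s' "$mode" | cut -c3)" = "w" ] && return 0
    [ "$group" = "$3" ] && [ "$(printf '%s' "$mode" | cut -c6)" = "w" ] && return 0
    [ "$(printf '%s' "$mode" | cut -c9)" = "w" ] && return 0
    return 1
}

# audit_tomcat_layout CATALINA_HOME USER GROUP [EXTRA_WRITABLE_DIR...]
# Prints one FINDING line per violation; exit status 0 only if there are none.
# Pass "webapps" as an extra dir if the manager app deploys WARs.
audit_tomcat_layout() {
    home=$1 user=$2 grp=$3
    shift 3
    findings=0
    # Must NOT be writable by the service account: a compromised Tomcat
    # process could otherwise replace binaries, libraries or server.xml.
    for d in bin lib conf; do
        if dir_writable_by "$home/$d" "$user" "$grp"; then
            echo "FINDING: $home/$d is writable by $user"
            findings=$((findings + 1))
        fi
    done
    # Must be writable: Tomcat writes logs, compiled JSPs and temp files here.
    for d in logs work temp "$@"; do
        if ! dir_writable_by "$home/$d" "$user" "$grp"; then
            echo "FINDING: $home/$d is not writable by $user"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Usage: audit_tomcat_layout /opt/tomcat tomcat tomcat
```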