> From: [email protected] [mailto:[email protected]]
> I have the latest tomcat 6 installed under centos 5.2. The
> problem I am having is that it appears that I have to run
> tomcat as root user, because the spring app that tomcat
> starts needs to write files to other users' home directories.
> The tomcat user doesn't have access to these directories.
>
> I tried making these users part of a shared group, but to
> complicate the problem the users are jailed using jailkit.
> So it doesn't appear that jailkit lets me add group write
> privileges to the home directories and maintain a working jail.
>
> Can anyone suggest another alternative? I am not linux user
> expert so maybe there is an obvious solution i am missing?
Beyond Andre's solution of ACLs, there's another one that's more complex but
might be more secure. It requires a slight shift in architecture.
1) Run Tomcat as the tomcat user. Change the way it writes files, so that
instead of writing to the user directory it writes the details to a queue that
you have control over. That could be a database, or a chunk of filestore.
2) Write a second daemon that runs as root, that reads the queue, does whatever
checks you require so that it believes the queued requests are genuine, then
writes the queued items to the users' directories.
This reduces the attack surface of the system, in that tomcat's not running as
root. You'd have to be careful with the security of the daemon and the queue
but, if well-designed, the overall security may be better than running Tomcat
as root.
- Peter
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
