Jonathan,
On 4/14/2009 9:00 PM, Jonathan Mast wrote:
> I've pretty much concluded that the problem is that the machine in question
> is SELinux-enabled and that is the cause of Tomcat's inability to access the
> 8080 port (even though I can see tomcat on the process list, a "netstat -a"
> shows no entry for 8080).

Ooooh... SELinux can be tough to deal with if you don't know what you're
doing. It's /super/ restrictive, and rightly so.

I would have expected an error message like "cannot bind to port 8080" in
your catalina.out file if you really couldn't bind to port 8080, though.

> 1) Why not run Tomcat as root?

Security, security, security. There really is no need to run Tomcat as root,
so why would you? If you have a misbehaving (or rogue) web application, it
can really cause chaos if it's running as root. If you run it as a lowly
common user, it can't do nearly so much damage.

The same argument applies for not running MSIE on Windows as Administrator:
if you get malware (and you /will/), you can't affect the machine's
configuration, etc. unless you are an admin.

> We have Tomcat running as root on our
> current setup (Httpd 1.3.33, Tomcat 5.5, JDK 1.4), I presume Tomcat 6 (JDK
> 1.6) running by itself must be more secure than our current situation. Any
> comments?

Yes, Tomcat alone should be more secure but there really is no reason to run
Tomcat as root unless you are just really, really lazy. It's not that hard to
run jsvc or set up iptables appropriately.

> 2) My problem with jsvc is multiple:
> a) it involves a language so evil it can only be referred to in paraphrase:
> the letter between B and D.

Have you actually read the instructions for it? I must admit that I didn't
download it and read the instructions, but the web site says it pretty plain
and simple:

  $ ./configure --with-java=/path/to/java
  $ make

Oh! The horror! Have you ever built anything using C before? This is how most
packages work, and they work really well using the 'configure' business.
Okay, I broke down and downloaded it. Here are the instructions for building
from the README file at the top-level of the tarball:

  " cd src/native/unix; configure; make "

The only problem with that is they forgot to include the "./" in front of
'configure' for those who don't have '.' in the search path (which is
actually most people). It took somewhere in the neighborhood of 3 seconds to
complete both the 'configure' and 'make' steps for me.

> b) can't they even bother to link to the Jakarta-Whatever package that I
> must now download and lug around? I mean c'mon ;-[

What is Jakarta-Whatever? I don't see any dependencies of any kind, here.

> c) really, if all this stuff is the "correct" way to run Tomcat on linux,
> why doesn't it come as part of the distribution?

Because jsvc is someone else's project. I suppose Tomcat could bundle it into
the distro, but they haven't chosen to do so. There are also lots of people
who don't use it. For instance, I run Tomcat on non-privileged ports and use
httpd to front it. So, bundling it would not help people like me at all (but
certainly wouldn't hurt us).

The biggest problem with this kind of bundling is the fact that *NIX systems
are so varied in configuration that jsvc really must be built on each
individual system (hence the super-simple 'configure/make' procedure above).

-chris
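Added example, not code from the thread, from Tomcat or from jsvc: a small POSIX shell check for the two things the reply above turns on, whether anything is actually in LISTEN state on a TCP port (the missing 8080 entry in "netstat -a") and whether the process that owns it runs as root. The functions take netstat and ps text as arguments so they can be run over captured output; the sample netstat and ps output below is constructed for this example, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread). Checks whether a TCP port has a LISTEN
# entry and which user owns the listening process, the two points discussed:
# "netstat -a shows no entry for 8080" and "why not run Tomcat as root".
# All functions take netstat/ps text as arguments so they work on captured
# output. The two samples below are constructed for offline use.

SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp6       0      0 :::8080                 :::*                    LISTEN      2345/java
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      900/mysqld'

SAMPLE_PS='  PID USER
  812 root
  900 mysql
 2345 tomcat'

# listening_pid PORT NETSTAT_TEXT: print the PID of the process in LISTEN
# state on TCP PORT (IPv4 "0.0.0.0:PORT" or IPv6 ":::PORT" form), or nothing
# if no such entry exists. Matching on the ":PORT" suffix avoids confusing
# port 80 with port 8080.
listening_pid() {
    port=$1
    printf '%s\n' "$2" | awk -v p=":$port" '
        $6 == "LISTEN" && substr($4, length($4) - length(p) + 1) == p {
            split($7, a, "/"); print a[1]; exit
        }'
}

# pid_user PID PS_TEXT: print the user owning PID according to
# "ps -eo pid,user" style output, or nothing if the PID is absent.
pid_user() {
    printf '%s\n' "$2" | awk -v p="$1" '$1 == p { print $2; exit }'
}

# port_status PORT NETSTAT_TEXT PS_TEXT: print one of
#   not-listening   nothing bound to the port (the symptom in the thread)
#   root            bound, but the owning process runs as root
#   nonroot:USER    bound by an unprivileged user (the recommended setup)
port_status() {
    pid=$(listening_pid "$1" "$2")
    if [ -z "$pid" ]; then
        echo not-listening
        return
    fi
    user=$(pid_user "$pid" "$3")
    if [ "$user" = root ]; then
        echo root
    else
        echo "nonroot:${user:-unknown}"
    fi
}

# Live use on a Linux host (netstat -p only shows other users' PIDs to root):
#   port_status 8080 "$(netstat -tlnp 2>/dev/null)" "$(ps -eo pid,user)"
```

With the constructed samples, port 8080 reports "nonroot:tomcat", port 22 reports "root" and port 80 reports "not-listening". A "not-listening" result for 8080 while a java process is visible in ps is the situation Jonathan describes, and the place to look next is catalina.out for a bind error, as Chris suggests.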