Ron Van den Branden wrote:
> Hi all,
>
> I'm preparing for deploying Tomcat based web applications on a dedicated
> server (finally!). I have experience with Tomcat webapps on my local
> Windows machine, but am making myself familiar with a real-life
> situation on a Ubuntu Linux server.
>
> From what I've read, chrooting Tomcat seems a sensible security measure,
> documented in detail in O'Reilly's "Tomcat: the Definitive Guide"
> (<http://oreilly.com/catalog/tomcat/chapter/ch06.pdf>). Before I start
> messing around, however, I would like to clarify some concepts.
>
> If I
> 1. setup Tomcat for virtual hosts, serving webapps from another
> directory than %TOMCAT_HOME%/webapps, say
> /var/www/virtualhosts/[virtualhost]/
> 2. install Tomcat in its chroot jail at /home/chroot/tomcat
> ...will Tomcat be able to serve these webapps?
No, chrooting really does limit filesystem access to directories within a specified directory tree. Whatever you want to access from a chrooted process must reside within that same chroot restriction.

You might be able to set up chrooting so that Tomcat is able to access all virtual hosts, and so that each sftp/ssh update account only has access to the specific virtualhost directory tree, but for this case the Tomcat chroot point must be a common point above all the virtual hosts.

So, if you f.ex. have a directory structure

  /a/b/tomcat
  /a/b/vhost1
  /a/b/vhost2
  ...

then, if your Tomcat process is chrooted to /a/b/tomcat, it will not be able to access any directory which is not below the /a/b/tomcat directory. This is the whole and sole point of chrooting: the "root" directory accessible to a process is changed to something other than the real root directory of the underlying filesystem.

Instead, if you chroot Tomcat to /a/b, then it will be able to access anything within /a/b, including all three above-mentioned directories.

Also, when you run a process chrooted, copies of all files needed by the process must exist within the chrooted environment (f.ex. all JDK files needed by Tomcat).

Note though, that these (chrooting) questions have little or no relation with Tomcat as is, but would be more properly handled in an OS-related forum.

-- 
..Juha
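The two points in the reply above (the chroot directory must be a common ancestor of everything the process needs, and every shared library the process loads must be copied under it) can be checked before actually building the jail. The following POSIX sh script is an added example written for this thread, not code from the list or from the Tomcat project. It uses the constructed /a/b/... layout from the reply, plus a constructed ldd output sample; no real files are touched, it only reports which paths would be unreachable and prints a copy plan for the libraries.

```shell
#!/bin/sh
# Added example: sanity checks for a planned chroot layout.
# Paths below are constructed for illustration and need not exist on disk.

# path_inside CHROOT PATH -> returns 0 if PATH is CHROOT itself or below it.
# Pure string comparison on absolute, already-normalized paths; the
# "$chroot"/* pattern requires a slash, so /a/b/tomcat2 is NOT inside /a/b/tomcat.
path_inside() {
    chroot=${1%/}          # drop a trailing slash so /a/b/ and /a/b compare equal
    target=${2%/}
    [ "$target" = "$chroot" ] && return 0
    case "$target" in
        "$chroot"/*) return 0 ;;
        *)           return 1 ;;
    esac
}

# report CHROOT PATH... -> one line per PATH: "ok" or "UNREACHABLE"
report() {
    chroot=$1; shift
    for p in "$@"; do
        if path_inside "$chroot" "$p"; then
            printf '%s ok\n' "$p"
        else
            printf '%s UNREACHABLE from chroot %s\n' "$p" "$chroot"
        fi
    done
}

# count_unreachable CHROOT PATH... -> prints how many PATHs lie outside CHROOT
count_unreachable() {
    chroot=$1; shift
    n=0
    for p in "$@"; do
        path_inside "$chroot" "$p" || n=$((n + 1))
    done
    printf '%s\n' "$n"
}

# deps_from_ldd reads `ldd <binary>` output on stdin and prints the absolute
# library paths that must exist inside the jail. It keeps "name => /path" lines
# and bare "/path" lines (the dynamic loader), and skips the vdso pseudo-entry.
deps_from_ldd() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\//                { print $1 }'
}

# chroot_copy_plan CHROOT < ldd-output -> prints the mkdir/cp commands needed
# (a dry run; nothing is executed here)
chroot_copy_plan() {
    chroot=${1%/}
    deps_from_ldd | while IFS= read -r lib; do
        printf 'mkdir -p %s%s && cp %s %s%s\n' \
            "$chroot" "$(dirname "$lib")" "$lib" "$chroot" "$lib"
    done
}

# Constructed ldd output resembling what `ldd $JAVA_HOME/bin/java` prints;
# the addresses are placeholders.
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffc00000000)
    libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f0000000000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000100000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f0000200000)'

# count_sample_deps -> number of libraries found in the constructed sample
count_sample_deps() {
    printf '%s\n' "$SAMPLE_LDD" | deps_from_ldd | awk 'END { print NR }'
}

# Stand-alone demo: the layout from the reply, checked against both chroot points.
echo "# chroot at /a/b/tomcat:"
report /a/b/tomcat /a/b/tomcat /a/b/vhost1 /a/b/vhost2
echo "# chroot at /a/b:"
report /a/b /a/b/tomcat /a/b/vhost1 /a/b/vhost2
echo "# libraries to copy into /home/chroot/tomcat:"
printf '%s\n' "$SAMPLE_LDD" | chroot_copy_plan /home/chroot/tomcat
```

The string check is only meaningful on canonical paths; run the candidates through `readlink -f` first if symlinks are involved, because inside the jail a symlink is resolved against the new root, not the real one. The copy plan deliberately prints rather than executes, so the list can be reviewed before anything is placed in the jail.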