I am guessing this is related to an earlier question?
Ubuntu - can non-root user run process in chroot jail?
To run Tomcat as root...*
Assuming you have installed the tomcat6 package from the Ubuntu repository edit the /etc/init.d/tomcat6 file and change the line:
TOMCAT6_USER=tomcat6
to read
TOMCAT6_USER=root
That being said...
Running Tomcat as root is not recommended in environments where it is accessible to untrusted clients (e.g. the Internet). The problem is if Tomcat or one of your web applications running within it are exploited in some manner they have full access to the underlying system. e.g. They can modify files, execute processes, etc.
Granted the chances of this are slim, but it is better to plan for the worst and hope for the best.
A more secure approach is to continue running Tomcat as the default tomcat6 user and have that call the external, chrooted process in a more isolated manner. How you do this depends on the process that is being called and what needs to occur.
If you post information on the process being called, what it is doing and why others will be able to help you identify the best way of achieving this. For example you could setup a monitor that executes the chrooted task whenever the contents of a directory change, or a local web service that Tomcat can call to run the process.
Chrooting is a good security measure, it limits the possibilities to compromise the system in case of a successfull exploit but there are also ways in some case to evade from a chroot, so it is not a definitive way to protect the system.
I'm not aware of any disavantage regarding performance and scalability. Concerning database access, it is generaly done with a link to the socket inside the chroot this way you don't have to open any networking port for database connectivity.
EDIT: below is a sample for mysql access taken from an OpenBSD rc.local (OpenBSD chrooted httpd)
if [ X"${mysql_server_flags-NO}" != X"NO" -a -x /usr/local/bin/mysqld_safe ]; then
rm -R /var/www/var/run/mysql
mkdir -p /var/www/var/run/mysql
chown _mysql:_mysql /var/www/var/run/mysql
echo -n 'MySQL server: '; /usr/local/bin/mysqld_safe --user=_mysql ${mysql_server_flags} &
sleep 10
ln -f /var/run/mysql/mysql.sock /var/www/var/run/mysql/mysql.sock
fi
Hope this helps.
Best Answer
On Linux the chroot(2) system call can only be made by a process that is privileged. The capability the process needs is CAP_SYS_CHROOT.
The reason you can't chroot as a user is pretty simple. Assume you have a setuid program such as sudo that checks /etc/sudoers if you are allowed to do something. Now put it in a chroot chroot with your own /etc/sudoers. Suddenly you have an instant privilege escalation.
It is possible to design a program to chroot itself and run it as a setuid process, but this is generally considered bad design. The extra security of the chroot does not motivate the security issues with the setuid.