Web-server – How to make Tomcat6 on Ubuntu 11.10 run as www-data

tomcatweb-server

How to change the user tomcat runs, to www-data?

I tried the same thing as How to run tomcat6 on ubuntu as root? but it doesnt cause any changes.

Best Answer

Here is how I just did it with tomcat6 installed..

I first stopped tomcat from running

/etc/init.d/tomcat6 stop

Changed the following in

/etc/default/tomcat6

To be the following

# Run Tomcat as this user ID. Not setting this or leaving it blank will use the
# default of tomcat6.
TOMCAT6_USER=www-data

# Run Tomcat as this group ID. Not setting this or leaving it blank will use
# the default of tomcat6.
TOMCAT6_GROUP=www-data

Then I had to change ownership of the log directory

chown -R www-data: /var/log/tomcat6
chown -R www-data: /usr/lib/tomcat6
chown -R www-data: /etc/tomcat6

Then I was able to run tomcat6

/etc/init.d/tomcat6 start

See the results

# ps aux | grep tomcat
www-data 26436 11.3  0.7 559552 58464 ?        Sl   05:34   0:01 /usr/lib/jvm/java-6-openjdk/bin/java -Djava.util.logging.config.file=/var/lib/tomcat6/conf/logging.properties -Djava.awt.headless=true -Xmx128M -XX:+UseConcMarkSweepGC -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.endorsed.dirs=/usr/share/tomcat6/endorsed -classpath /usr/share/tomcat6/bin/bootstrap.jar -Dcatalina.base=/var/lib/tomcat6 -Dcatalina.home=/usr/share/tomcat6 -Djava.io.tmpdir=/tmp/tomcat6-tmp org.apache.catalina.startup.Bootstrap start

Related Solutions

Ubuntu – the Tomcat Logs

Very late to this discussion, but it appears that the 03catalina.policy file in both tomcat5.5 & tomcat6 doesn't actually permit writing to logfiles.

The simplest solution is to change the JULI permissions to:

// These permissions apply to JULI
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
    permission java.security.AllPermission;
};

Obviously, there may be security issues I'm not aware of, but I really can't be bothered to dig deeper - I've spent too long on this myself.

Ubuntu Tomcat – How to Run Tomcat6 as Root

I am guessing this is related to an earlier question?

Ubuntu - can non-root user run process in chroot jail?

To run Tomcat as root...*

Assuming you have installed the tomcat6 package from the Ubuntu repository edit the /etc/init.d/tomcat6 file and change the line:

TOMCAT6_USER=tomcat6

to read

TOMCAT6_USER=root

That being said...

Running Tomcat as root is not recommended in environments where it is accessible to untrusted clients (e.g. the Internet). The problem is if Tomcat or one of your web applications running within it are exploited in some manner they have full access to the underlying system. e.g. They can modify files, execute processes, etc.

Granted the chances of this are slim, but it is better to plan for the worst and hope for the best.

A more secure approach is to continue running Tomcat as the default tomcat6 user and have that call the external, chrooted process in a more isolated manner. How you do this depends on the process that is being called and what needs to occur.

If you post information on the process being called, what it is doing and why others will be able to help you identify the best way of achieving this. For example you could setup a monitor that executes the chrooted task whenever the contents of a directory change, or a local web service that Tomcat can call to run the process.

Best Answer

Related Solutions

Ubuntu – the Tomcat Logs

Ubuntu Tomcat – How to Run Tomcat6 as Root

Related Topic