Date: Fri, 29 Jul 2005 15:28:48 +0200
From: Herve Quiroz <herve.quiroz@esil.univ-mrs.fr>
To: freebsd-java@freebsd.org
Subject: Re: Tomcat 5.5 --- tomcat55ctl --- increase max vm heap space ?
Message-ID: <20050729132848.GA96141@arabica.esil.univ-mrs.fr>
In-Reply-To: <20050726192511.GD56293@osiris.chen.org.nz>
References: <88B5DDE8C1A06741B754B910DE2DEFBB49AA2A@HERMES.swistgroup.com> <Pine.LNX.4.44.0507201730530.32505-100000@matrix.gatewaynet.com> <20050725212138.GA13849@arabica.esil.univ-mrs.fr> <20050726192511.GD56293@osiris.chen.org.nz>
Hi Jonathan,

On Wed, Jul 27, 2005 at 07:25:11AM +1200, Jonathan Chen wrote:
> On Mon, Jul 25, 2005 at 11:21:38PM +0200, Herve Quiroz wrote:
> The major reason why Ernst introduced the daemonctl program was so that
> tomcat/jboss wouldn't be running as root. Having it run as root
> introduces the possibility of a root-hack via tomcat/jboss. If you can
> make it easily run under the `www' pseudo user that would be cool.
>
> The secondary purpose of the daemonctl program was convenience
> related: you don't have to be root to start the service, just a
> member of `www'. Dunno if you can easily replicate this with a shell
> script though.

Actually, the logic which allows running the service as user 'www' is implemented in the rc script, not in daemonctl.

Moreover, as reported in PR 83434 [1], there are already permission issues with the Tomcat ports. The executables should indeed belong to root:wheel, whereas data files and dirs should belong to www:www and be 664/775. Hence, any user from the 'www' group would be able to run Tomcat but not to modify Tomcat core itself (as it is now).

After a deeper look at daemonctl.c, it appears that most of the logic in it is about PID storing/retrieving, argument validation, and other features that rcNG just happens to provide to any service daemon. So IMHO, the only real problem we have with the rcNG/catalina.sh approach lies in what Panagiotis just mentioned, that is the ability to open port 80 for instance. Anyway, if we actually ensure that Tomcat is run as 'www' and not as 'root', even daemonctl will not be able to use port 80.

This leaves us with the following choice: should we enforce strong security (i.e. PR 83434) and use ${name}_user from rcNG, or should we allow the daemon to open port 80 (running the daemon as superuser)? I definitely believe we should go for security first. Users can just set tomcat55_user=root when they need to.
Either way, I don't see any more reason to use daemonctl.c, unless I missed (or misunderstood) some point here.

The ports freeze is due on the 1st of August, which leaves us with not much time to implement the chosen approach. IMHO, such a change right before a release is no good anyway. OTOH, I think we should settle this issue once and for all so that I may commit the changes right when the freeze is over.

Herve

[1] http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/83434
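As an added illustration of the rcNG approach argued for above (this is example code written for this page, not a script from the FreeBSD ports tree or from the thread), the skeleton below runs Tomcat as `${tomcat55_user}` (defaulting to www, as the thread proposes) and refuses to start when the configured HTTP port is below 1024 and the user is not root, which is exactly the trade-off the message describes. The variable names `tomcat55_http_port` and `tomcat55_home` and the `can_bind_port` helper are assumptions made for the example; the rc.subr calls only run on FreeBSD, while the helper functions run on any POSIX sh.

```shell
#!/bin/sh
# Added example: rcNG-style start script for Tomcat 5.5 that uses the
# ${name}_user convention instead of daemonctl. Not from the ports tree.

# Load FreeBSD's rc framework when it exists (absent on non-FreeBSD hosts).
[ -r /etc/rc.subr ] && . /etc/rc.subr

name="tomcat55"
rcvar="tomcat55_enable"

# Pull overrides from /etc/rc.conf first, so the defaults below only apply
# when the administrator has not set them.
if command -v load_rc_config >/dev/null 2>&1; then
    load_rc_config "$name"
fi

# Defaults (tomcat55_http_port and tomcat55_home are hypothetical names
# chosen for this example). Running as www is the secure default; an
# administrator who really needs port 80 sets tomcat55_user=root in rc.conf.
: ${tomcat55_enable:="NO"}
: ${tomcat55_user:="www"}
: ${tomcat55_http_port:="8180"}
: ${tomcat55_home:="/usr/local/tomcat5.5"}

# Return 0 if user $1 may bind TCP port $2 under the usual Unix rule that
# only root binds ports below 1024. Returns 2 for a malformed port value.
# (Optional mechanisms such as mac_portacl(4) are deliberately ignored.)
can_bind_port() {
    user="$1"
    port="$2"
    case "$port" in
        ''|*[!0-9]*) return 2 ;;   # not a plain decimal number
    esac
    if [ "$port" -lt 1024 ] && [ "$user" != "root" ]; then
        return 1
    fi
    return 0
}

# start_precmd hook: fail early, with a clear message, instead of letting
# the JVM start and then die on the bind().
tomcat55_precmd() {
    if ! can_bind_port "$tomcat55_user" "$tomcat55_http_port"; then
        echo "${name}: user '${tomcat55_user}' cannot bind port ${tomcat55_http_port};" \
             "set tomcat55_user=root or use a port >= 1024" >&2
        return 1
    fi
    return 0
}

start_precmd="tomcat55_precmd"
command="${tomcat55_home}/bin/catalina.sh"
command_args="start"

# Hand over to rc.subr, which applies ${name}_user via su(1) before exec.
if command -v run_rc_command >/dev/null 2>&1; then
    run_rc_command "$1"
fi
```

With this layout the executables under `${tomcat55_home}/bin` can stay root:wheel while logs, work and webapps directories are www:www 775, so a member of the www group can start the service but cannot alter the Tomcat core, matching the permission scheme from PR 83434.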