[fedora-java] su to tomcat user?

Gary Benson gbenson at redhat.com
Wed Aug 10 09:00:54 UTC 2005


John M. Gabriele wrote:
> --- Gary Benson <gbenson at redhat.com> wrote:
> > John M. Gabriele wrote:
> > > I noticed there's a tomcat user on my system:
> > > 
> > > [root at localhost ~]# cat /etc/passwd | grep tom
> > > tomcat:x:91:91:Tomcat:/usr/share/tomcat5:/bin/sh
> > > 
> > > I'm just getting started using Tomcat on FC4.
> > > 
> > > Should I be su'ing to tomcat to work with files
> > > in (and copy files into) /var/lib/tomcat5?
> > > 
> > > Or do I work in there as root, then chown -R
> > > everything to root:tomcat when I'm done?
> > 
> > Neither, ideally.  You should be able to work as root and leave
> > the files owned as root.  Or as any other user: I'll often create
> > a directory /var/lib/tomcat5/webapps/whatever and chown it
> > gary.gary, and then just work in there under my normal login.
> 
> What's the purpose of having a "tomcat" user on the system at all?

Most things that run as daemons have their own user, to limit the
effects of security vulnerabilities.  Malicious code inserted into
a daemon running as root can do _anything_.  Malicious code inserted
into a daemon running as an unprivileged user can only do what that
user can do, which should ideally be as little as possible.

Daemons historically ran as root, but those that still do are a
security nightmare.

> What's the point of having those links in /usr/share/tomcat5?

Because Tomcat expects to run out of one directory, but the FHS
dictates that the various different files in that directory should
live in various different places on the filesystem.

Cheers,
Gary
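To make the least-privilege point above concrete, here is an added audit script (not from this thread or from the Fedora Tomcat package) that checks the two things the messages touch on: whether the daemon account has an interactive shell, and whether files under the webapps directory are writable by the daemon user, which is the reason for leaving deployed files owned by root. The passwd lines and ownership records are constructed sample data; the "path owner group mode" record form is assumed to match what `stat -c '%n %U %G %a'` prints.

```shell
#!/bin/sh
# Added example: audit a daemon account and its deployment files against the
# least-privilege rules discussed in the thread. All inputs are constructed.

DAEMON_USER=tomcat

# Constructed /etc/passwd excerpt (the tomcat line is the one from the thread).
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
tomcat:x:91:91:Tomcat:/usr/share/tomcat5:/bin/sh
gary:x:500:500:Gary:/home/gary:/bin/bash'

# account_shell_status USER -> "nologin", "interactive-shell" or "not-found".
# A usable shell on a daemon account is not a hole by itself, but it widens
# what anyone who gains that identity can conveniently do.
account_shell_status() {
  line=$(printf '%s\n' "$PASSWD_SAMPLE" | awk -F: -v u="$1" '$1 == u')
  [ -n "$line" ] || { echo not-found; return; }
  shell=${line##*:}
  case "$shell" in
    */nologin|*/false) echo nologin ;;
    *) echo interactive-shell ;;
  esac
}

# deploy_entry_status "PATH OWNER GROUP MODE" -> "ok" or "daemon-writable".
# If the daemon user can write to its own webapps, code running as that user
# can alter the application it serves; root-owned, group-readable files avoid this.
deploy_entry_status() {
  set -- $1
  owner=$2; group=$3; mode=$4
  case "$mode" in ????) mode=${mode#?} ;; esac   # drop a leading 0 (0644 -> 644)
  o=${mode%??}; g=${mode%?}; g=${g#?}; w=${mode#??}
  if [ "$owner" = "$DAEMON_USER" ] && [ $(( o & 2 )) -ne 0 ]; then echo daemon-writable
  elif [ "$group" = "$DAEMON_USER" ] && [ $(( g & 2 )) -ne 0 ]; then echo daemon-writable
  elif [ $(( w & 2 )) -ne 0 ]; then echo daemon-writable
  else echo ok
  fi
}

# Constructed records in "path owner group mode" form.
DEPLOY_SAMPLE='/var/lib/tomcat5/webapps/shop root root 755
/var/lib/tomcat5/webapps/shop/WEB-INF/web.xml root tomcat 640
/var/lib/tomcat5/webapps/shop.war tomcat tomcat 644'

audit() {
  echo "$DAEMON_USER account shell: $(account_shell_status "$DAEMON_USER")"
  printf '%s\n' "$DEPLOY_SAMPLE" | while IFS= read -r rec; do
    echo "$(deploy_entry_status "$rec") ${rec%% *}"
  done
}

audit
```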
