[fedora-java] su to tomcat user?

Gary Benson gbenson at redhat.com
Wed Aug 10 14:10:34 UTC 2005


Any time ;)

John M. Gabriele wrote:
> Thanks Gary!
> 
> http://www.simisen.com/jmg/pmwiki/pmwiki.php?n=Main.GNUJavaOnFedora
> 
> ---John
> 
> --- Gary Benson <gbenson at redhat.com> wrote:
> 
> > John M. Gabriele wrote:
> > > --- Gary Benson <gbenson at redhat.com> wrote:
> > > > John M. Gabriele wrote:
> > > > > I noticed there's a tomcat user on my system:
> > > > > 
> > > > > [root at localhost ~]# cat /etc/passwd | grep tom
> > > > > tomcat:x:91:91:Tomcat:/usr/share/tomcat5:/bin/sh
> > > > > 
> > > > > I'm just getting started using Tomcat on FC4.
> > > > > 
> > > > > Should I be su'ing to tomcat to work with files
> > > > > in (and copy files into) /var/lib/tomcat5?
> > > > > 
> > > > > Or do I work in there as root, then chown -R
> > > > > everything to root:tomcat when I'm done?
> > > > 
> > > > Neither, ideally.  You should be able to work as root and leave
> > > > the files owned as root.  Or as any other user: I'll often create
> > > > a directory /var/lib/tomcat5/webapps/whatever and chown it
> > > > gary.gary, and then just work in there under my normal login.
> > > 
> > > What's the purpose of having a "tomcat" user on the system at all?
> > 
> > Most things that run as daemons have their own user, to limit the
> > effects of security vulnerabilities.  Malicious code inserted into
> > a daemon running as root can do _anything_.  Malicious code inserted
> > into a daemon running as an unprivileged user can only do what that
> > user can do, which should ideally be as little as possible.
> > 
> > Daemons historically ran as root, but those that still do are a
> > security nightmare.
> > 
> > > What's the point of having those links in /usr/share/tomcat5?
> > 
> > Because Tomcat expects to run out of one directory, but the FHS
> > dictates that the various different files in that directory should
> > live in various different places on the filesystem.
> > 
> > Cheers,
> > Gary
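
A check for the point made in the thread above, added here as an example and not part of the original messages: it lists every entry under a directory that a daemon account could modify, so files meant to stay root-owned can be verified. The function names are made up for this example; the uid and gid 91 in the usage comment come from the passwd line quoted in the thread.

```sh
#!/bin/sh
# audit_daemon_writable DIR UID GID
# Print every entry under DIR that a daemon running as UID:GID could modify:
#   owner  owned by the daemon (it can write, or chmod the entry until it can)
#   group  group-writable, and the group is the daemon's primary group
#   world  writable by any user on the system
# Symlinks are skipped: their own mode bits do not control access.
# Not examined: supplementary groups and POSIX ACLs.
audit_daemon_writable() {
    a_dir=$1 a_uid=$2 a_gid=$3
    find "$a_dir" ! -type l -user "$a_uid" \
        -exec printf 'owner\t%s\n' {} \;
    find "$a_dir" ! -type l ! -user "$a_uid" -group "$a_gid" -perm -020 \
        -exec printf 'group\t%s\n' {} \;
    find "$a_dir" ! -type l ! -user "$a_uid" \
        ! \( -group "$a_gid" -perm -020 \) -perm -002 \
        -exec printf 'world\t%s\n' {} \;
}

# Return 0 when the daemon can modify nothing under DIR, 1 otherwise,
# so the check can gate a deployment script.
check_daemon_cannot_write() {
    findings=$(audit_daemon_writable "$@")
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Usage with the account from the thread (tomcat is uid 91, gid 91):
#   check_daemon_cannot_write /var/lib/tomcat5/webapps 91 91
```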



