Process permissions


 
# 1  
Old 10-23-2003
Process permissions

All

I have the following situation:
OS: Debian Woody
Apache/ Tomcat 4
I want to be able to start apache and tomcat from a script as a non-root user (www-data/ skotapal).
What I have done so far is:
1. Created a new group called 'appgroup'
2. Added a couple of users (skotapal, www-data, user1, user2, etc) to the group appgroup
3. Changed the ownership of the tomcat binaries to be owned by www-data:appgroup by the group
4. Changed the ownership of the apache docroot (/var/www/) to www-data:appgroup
5. Changed the ownership of the tomcat application directory (/usr/share/tomcat4) to www-data:appgroup.
6. The apache docroot and tomcat files are 774 so that they are executable by the group 'appgroup'

Now the problem is, I cannot start apache as a non-root user; tomcat, however, starts up as skotapal/ user1/ user2.
Questions:
1. Is it a security risk to have tomcat run as a non-root user who has a shell?
2. How can I start apache + tomcat as a non-root user and have the process owned by another user (one that does not have a shell account)?

Please advise!

Thanks

KS
# 2  
Old 10-23-2003
I'm unsure how much different HP-UX is next to Solaris, but this is how I have my Apache running as user nobody.

chown -R nobody:nobody /usr/local/apache


Code:
# ls -l /etc/rc2.d|grep apache
-rwxr--r--   6 root     sys          802 Jun 25  2002 K16apache
# ls -l /etc/rc3.d|grep apache
-rwxr--r--   6 root     sys          802 Jun 25  2002 S50apache


# id nobody
uid=60001(nobody) gid=60001(nobody)
# grep nobody /etc/passwd
nobody:x:60001:60001:Nobody:/:

#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
#  . On SCO (ODT 3) use "User nouser" and "Group nogroup".
#  . On HPUX you may not be able to use shared memory as nobody, and the
#    suggested workaround is to create a user www and use that user.
#  NOTE that some kernels refuse to setgid(Group) or semctl(IPC_SET)
#  when the value of (unsigned)Group is above 60000;
#  don't use Group nobody on these systems!
#
User nobody
Group nobody

# 3  
Old 10-23-2003
Hi, I have my apache running as www-data, except for 1 parent process that starts off as root. This is accepted, as ports < 1024 need to have root to be accessed. I have my apache binaries owned by root though.

Apache is run as apache:apache

But to start apache I have to be root!? How can I resolve this? By changing ownership of the apache binaries - /usr/local/apache?

My apache runs like this:
root 31522 1 0 Oct19 ? 00:00:00 /usr/sbin/apache-ssl
root 27112 1 0 Oct22 ? 00:00:00 /usr/sbin/apache
www-data 30906 27112 0 06:25 ? 00:00:00 /usr/sbin/apache
www-data 30907 27112 0 06:25 ? 00:00:00 /usr/sbin/apache
www-data 30908 27112 0 06:25 ? 00:00:00 /usr/sbin/apache
www-data 30909 27112 0 06:25 ? 00:00:00 /usr/sbin/apache
www-data 30910 27112 0 06:25 ? 00:00:00 /usr/sbin/apache
www-data 30911 31522 0 06:25 ? 00:00:00 /usr/sbin/apache-ssl
www-data 30912 31522 0 06:25 ? 00:00:00 /usr/sbin/apache-ssl
www-data 30913 31522 0 06:25 ? 00:00:00 /usr/sbin/apache-ssl
www-data 30914 31522 0 06:25 ? 00:00:00 /usr/sbin/apache-ssl
www-data 30915 31522 0 06:25 ? 00:00:00 /usr/sbin/apache-ssl
www-data 31455 27112 0 07:44 ? 00:00:00 /usr/sbin/apache
www-data 32696 27112 0 11:37 ? 00:00:00 /usr/sbin/apache
www-data 32698 27112 0 11:37 ? 00:00:00 /usr/sbin/apache

But I can only start this as root not as any other user - even www-data.

Any ideas?

Thanks

KS
# 4  
Old 10-24-2003
Apache can run as a different user.

But if you are starting Apache on a port lower than 1024, its parent process must start as root.

I did a quick search on Google and this is what I came up with.
Keywords: "running apache as a non root user"

http://forums.devshed.com/archive/15/2001/10/4/24329

Your question is asked and answered.

Code:
Q:Banesh
I am unable to start or stop apache as a different user other than root. I could able to do it when I login as root but when I login as a different user I can't able to start still I am not getting any error message. The httpd.conf file is having the following specification User nobody Group banesh When I login as banesh i should able to start and stop the apache web server. I have made necessary changes in permission for various directories and files. Actually the owner of apache is Banesh now. what I observe is the parent process for httpd is not starting when I logged in as banesh.


A:freebsd
Practically you can't. Technically, you can install Apache under /home/banesh then that's possible.
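
The process model shown in post #3 and stated in post #4 (a root-owned parent that binds the port below 1024, workers running as the `User` from httpd.conf) can be checked mechanically from a `ps -ef` listing. This is an added example, not part of the original thread; the helper name `audit_workers` is hypothetical, the sample listing is constructed from the one in post #3 with one deliberately faulty line, and the `ps -ef` column layout shown there is assumed.

```sh
#!/bin/sh
# Added example (not from the thread): check a `ps -ef` listing against the
# model the replies describe: the parent may be root, the workers must not be.

# Constructed sample based on the listing in post #3. The last line is a
# constructed fault: a worker that never dropped root.
sample_ps() {
cat <<'EOF'
root     27112     1  0 Oct22 ?  00:00:00 /usr/sbin/apache
www-data 30906 27112  0 06:25 ?  00:00:00 /usr/sbin/apache
www-data 30907 27112  0 06:25 ?  00:00:00 /usr/sbin/apache
root     31522     1  0 Oct19 ?  00:00:00 /usr/sbin/apache-ssl
www-data 30911 31522  0 06:25 ?  00:00:00 /usr/sbin/apache-ssl
root     30999 31522  0 06:25 ?  00:00:00 /usr/sbin/apache-ssl
EOF
}

# audit_workers WORKER_USER CMD_REGEX   (hypothetical helper name)
# Reads `ps -ef` lines on stdin (UID PID PPID C STIME TTY TIME CMD, so the
# command is field 8). Returns 1 if any worker runs as another user.
audit_workers() {
    awk -v want="$1" -v re="$2" '
        $8 ~ re { user[$2] = $1; ppid[$2] = $3; cmd[$2] = $8 }
        END {
            for (pid in user) {
                # A process whose parent is not the daemon is a parent itself.
                if (!(ppid[pid] in user)) { parents++; continue }
                workers++
                if (user[pid] != want) {
                    bad++
                    printf "WORKER_WRONG_USER pid=%s user=%s cmd=%s\n",
                           pid, user[pid], cmd[pid]
                }
            }
            printf "parents=%d workers=%d bad=%d\n", parents, workers, bad
            exit (bad > 0)
        }'
}

# Demo run on the constructed sample; on a live host pipe `ps -ef` in instead.
sample_ps | audit_workers www-data '^/usr/sbin/apache' || echo "audit: FAIL"
```

A `ps` that prints STIME as two words (for example `Oct 19`) shifts the command to field 9, so adjust the field numbers to the local format before relying on the result.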
