Running Tomcat as ROOT in RHEL4 and Fedora Core 4

Post by jpkovacic » Fri Feb 10, 2006 11:52 am

I am currently running the Community and Enterprise editions (w/50 Enterprise licenses) for my home and company, respectively. I've set up Tomcat per Scalix's recommendations, and have incorporated the "tomcat" script from Scalix's admin resource kit into the /etc/init.d directory. With this Tomcat setup, life's good (i.e., SAC and Webmail work as advertised). However, I did notice that the Tomcat service runs as "root" in RHEL4 and Fedora. A systems admin co-worker informed me that it's not a good idea to run Tomcat as root due to security concerns. Does Scalix have an official position on this (i.e., is this a big deal or not)? Do I need to make modifications to get Tomcat to run under a "tomcat" or other user? Are there measures that I can take to help mitigate any security issues related to my current "root" Tomcat setup?

Thanks,
JK

Post by ScalixSupport » Fri Feb 10, 2006 5:28 pm

Hi JK,

While we understand your concerns here, we have not found this to be a problem for other sites. However, we recognize that due to security policies some people are not comfortable running tomcat as root. So, with Scalix 10.0, you will be able to run tomcat as a non-root user, but that user will have to be in the sudoers file so that it can execute certain commands via sudo.

Thanks,
Rachel

Post by florian » Sat Feb 11, 2006 3:52 am

Actually, your own initials - JK - even further ease the situation. :-)

You can already set up Tomcat to integrate with Apache using the mod_jk connector. In Scalix 10, this particular installation will be the default, for performance and security reasons. In that case, only apache will be listening on the network on port 80, running as non-root, and tomcat will only be accessed by Apache. This should make life easier from a security point of view; the sudo option Rachel mentioned could be added for those really concerned.

However, as the actual Scalix server is most often an intranet system, we also believe that the basic security the apache/jk/tomcat setup provides is good enough for most sites.

If you have any more concerns w/rgds to security, please let us know as the topic is really important to us.

Florian.
Florian von Kurnatowski, Die Harder!
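
The Apache/mod_jk arrangement described in the post above only helps if Tomcat's own connectors are not reachable from the network. The following check is an added example, not part of the thread and not Scalix code: it audits the `<Connector>` elements of a Tomcat `server.xml` and flags any that are not bound to a loopback address. The sample file contents and the function names `is_loopback` and `audit_connectors` are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample for illustration; not the server.xml that Scalix ships.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" />
    <Connector port="8443" protocol="HTTP/1.1" address="192.0.2.10" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>
"""

def is_loopback(address):
    """True only when the bind address is a loopback IP or 'localhost'."""
    if address is None:
        # No address attribute: treated as all interfaces, which is the
        # default in older Tomcat releases (assumption for newer ones).
        return False
    if address.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False  # some other hostname: treat as exposed

def audit_connectors(server_xml):
    """Return (port, protocol, address, finding) for every <Connector>."""
    results = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port = int(conn.get("port", "0"))
        protocol = conn.get("protocol", "HTTP/1.1")  # Tomcat's default protocol
        address = conn.get("address")
        if is_loopback(address):
            finding = "ok: loopback only"
        elif protocol.upper().startswith("AJP"):
            finding = "exposed: AJP reachable without going through Apache"
        else:
            finding = "exposed: Tomcat serves HTTP directly to the network"
        results.append((port, protocol, address or "*", finding))
    return results

if __name__ == "__main__":
    for port, protocol, address, finding in audit_connectors(SAMPLE_SERVER_XML):
        print(f"{address}:{port} {protocol:9} {finding}")
```

Any connector reported as exposed is served by the Tomcat process itself, so when Tomcat runs as root that listener runs with root privileges.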

Post by jpkovacic » Wed Feb 15, 2006 2:26 pm

Florian,

Thanks very much for all your help. Got MOD_JK working with Scalix 9.4.2. However, I received the notice for the Scalix 10 upgrade right after I got MOD_JK working. So I performed the Scalix 10 upgrade ... and happily, everything still works OK (the Scalix 10 upgrade wizard did detect the existence of MOD_JK and upgraded it to the Scalix rendition).

-Joe K

