Difference between revisions of "HowTos/Tomcat"
m (→Running Tomcat as a non-root user) |
(→Running Tomcat as a non-root user) |
Line 11: | Line 11: | ||
2. Setup a '''/etc/sudoers''' file that has the following line (''Note'': This must be on a '''single''' line in the file): | 2. Setup a '''/etc/sudoers''' file that has the following line (''Note'': This must be on a '''single''' line in the file): | ||
− | <user> <hostname> NOPASSWD: /opt/scalix/bin/*,/opt/scalix/diag/*, | + | <user> <hostname> = NOPASSWD : /opt/scalix/bin/*, /opt/scalix/diag/* , /bin/rpm, /usr/bin/dpkg, /bin/tail, /bin/df |
− | + | ||
where '''<user>''' is the name of the Unix user under which tomcat runs and '''<hostname>''' is your Scalix server hostname. | where '''<user>''' is the name of the Unix user under which tomcat runs and '''<hostname>''' is your Scalix server hostname. | ||
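Review bot: the removed (−) sudoers line lacks the "=" between the host name and the command list and ends in a trailing comma, so it was neither the single-line entry the step demands nor valid sudoers syntax; the added (+) line fixes both, which is the important part of this hunk. It also extends the grant with /bin/rpm, /usr/bin/dpkg, /bin/tail and /bin/df, but the surrounding prose ("Setup a /etc/sudoers file that has the following line") is unchanged and does not say why RES needs those four commands; a short sentence after "where <user> is ..." naming what each is used for would let an administrator judge whether to keep them.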
Line 19: | Line 18: | ||
''Note:'' As of Scalix 10.0.1, the sample entry in the config file is wrong; this reads ''res.commands.sudo.mode=true'' and is incorrect. The correct entry is as per above. | ''Note:'' As of Scalix 10.0.1, the sample entry in the config file is wrong; this reads ''res.commands.sudo.mode=true'' and is incorrect. The correct entry is as per above. | ||
− | 4. Restart Tomcat | + | 4. Create a scalix-user that is linked to the tomcat user account and has admin rights... |
+ | The critical thing is the -u tomcat - this links your unix-user to the account. Execute: | ||
+ | omaddu -n "scalix-tomcat/<mailnode>" -p <any_password> -c admin -u tomcat scalix-tomcat -x | ||
+ | |||
+ | 5. Restart Tomcat | ||
All access to Scalix commands will be logged by sudo through syslog. | All access to Scalix commands will be logged by sudo through syslog. |
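Review bot: the new step 4 defines the meaning of "-u tomcat" but leaves "<mailnode>" and "<any_password>" in the omaddu line undefined, whereas step 2 spells out what "<user>" and "<hostname>" stand for; add a matching "where <mailnode> is ..." sentence after the command. Minor style point: the "..." after "admin rights" should be a full stop, and "scalix-user" / "unix-user" read better as "Scalix user" and "Unix user".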
Revision as of 18:10, 10 April 2006
Running Tomcat as a non-root user
For security reasons, it is preferable to run Tomcat as a non-root user. In fact, most Tomcat packages that come with OS distributions do it this way.
For Scalix this poses a few problems because the RES web application (which is part of the Scalix Admin Console system) needs to execute Scalix admin commands ("om-commands"), some of which must be executed with superuser/root privileges.
Scalix 10.0.0 and later therefore allow the use of sudo to limit root access to the commands in question.
Follow these steps:
1. On each machine running RES, install the sudo package that comes with your Linux distribution of choice.
2. Setup a /etc/sudoers file that has the following line (Note: This must be on a single line in the file):
<user> <hostname> = NOPASSWD : /opt/scalix/bin/*, /opt/scalix/diag/* , /bin/rpm, /usr/bin/dpkg, /bin/tail, /bin/df
where <user> is the name of the Unix user under which tomcat runs and <hostname> is your Scalix server hostname.
3. Add the following parameter to /etc/opt/scalix/res/config/res.properties:
res.sudo.command.mode=true
Note: As of Scalix 10.0.1, the sample entry in the config file is wrong; this reads res.commands.sudo.mode=true and is incorrect. The correct entry is as per above.
4. Create a Scalix user that is linked to the tomcat Unix user account and has admin rights. The critical option is -u tomcat, which links your Unix user to the Scalix account. Execute:
omaddu -n "scalix-tomcat/<mailnode>" -p <any_password> -c admin -u tomcat scalix-tomcat -x
5. Restart Tomcat
All access to Scalix commands will be logged by sudo through syslog.
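An added check script for steps 2 and 3 above (it is not part of the Scalix wiki page or the Scalix product): it verifies that res.properties uses the correct key rather than the misspelled sample key, and that the sudoers entry for the Tomcat user is a single line in the "<user> <hostname> = NOPASSWD : ..." form. The user name tomcat, the host name scalix01 and the sample files it builds are constructed assumptions; pass the real paths as arguments to use it on a live system.

```shell
#!/bin/sh
# Added example for this how-to (not Scalix's own code). File paths are
# parameters so the checks run on constructed samples or the real files.

# Returns 0 if the file has the correct key, 1 if it only has the
# misspelled sample key res.commands.sudo.mode (Scalix 10.0.1 note) or neither.
check_res_properties() {
    props="$1"
    if grep -q '^res\.sudo\.command\.mode=true$' "$props"; then
        return 0
    fi
    if grep -q '^res\.commands\.sudo\.mode=' "$props"; then
        echo "$props: wrong key res.commands.sudo.mode, use res.sudo.command.mode=true" >&2
    fi
    return 1
}

# Returns 0 if a single-line "<user> <host> = NOPASSWD : ..." entry granting
# the Scalix bin and diag directories exists for the given user, else 1.
check_sudoers_entry() {
    sudoers="$1"; user="$2"
    # An entry ending in a comma has been split over two lines; the how-to
    # requires the whole entry on one line.
    if grep -Eq "^${user}[[:space:]].*,[[:space:]]*$" "$sudoers"; then
        echo "$sudoers: entry for $user continues on the next line" >&2
        return 1
    fi
    grep -Eq "^${user}[[:space:]]+[^[:space:]]+[[:space:]]*=[[:space:]]*NOPASSWD[[:space:]]*:.*/opt/scalix/bin/\*.*/opt/scalix/diag/\*" "$sudoers"
}

# Demo on constructed sample files (assumed user tomcat, host scalix01).
# Both samples reproduce the mistakes the how-to warns about.
demo() {
    d=$(mktemp -d)
    printf 'res.commands.sudo.mode=true\n' > "$d/res.properties"
    printf 'tomcat scalix01 NOPASSWD: /opt/scalix/bin/*,/opt/scalix/diag/*,\n/bin/rpm\n' > "$d/sudoers"
    check_res_properties "$d/res.properties" && echo "res.properties ok" || echo "res.properties needs fixing"
    check_sudoers_entry "$d/sudoers" tomcat && echo "sudoers ok" || echo "sudoers needs fixing"
    rm -rf "$d"
}
demo
```

On a real host, run the checks against /etc/opt/scalix/res/config/res.properties and /etc/sudoers (as root), then confirm the grant with sudo -l -U tomcat.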