Run jetty as non-root user?


Run jetty as non-root user?

Steve Sobol
Are there any pitfalls involved in running jetty as someone other than root,
  e.g. as the same user used by my Apache installation?

--
Steve Sobol, Professional Geek   888-480-4638   PGP: 0xE3AE35ED
Company website: http://JustThe.net/
Personal blog, resume, portfolio: http://SteveSobol.com/
E: [hidden email] Snail: 22674 Motnocab Road, Apple Valley, CA 92307



-------------------------------------------------------
SF.Net email is sponsored by:
Tame your development challenges with Apache's Geronimo App Server. Download
it for free - -and be entered to win a 42" plasma tv or your very own
Sony(tm)PSP.  Click here to play: http://sourceforge.net/geronimo.php
_______________________________________________
Jetty-support mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/jetty-support

Re: Run jetty as non-root user?

Chris Haynes
I've been running Jetty under non-root under SuSE Linux for several years with
no problems. Indeed, it is recommended practice to always run Jetty as non-root,
just in case someone finds a vulnerability.

Make sure your way of launching is non-root before the Jetty threads start.
Some people on this list had problems about three years ago because they tried
to change the main thread ownership after launch (this was in the days when
there was a complex script to launch Jetty). They then noticed that other
threads, which had already been started, were still running as root.

Obviously, make sure that all your directory/file permissions are set
appropriately for the new user - including log destinations.

I use a script in my OS boot process which starts Jetty under my chosen user,
and keeps it alive by re-starting it should it stop unintentionally.

Chris Haynes



 "Steve Sobol" asked:

> Are there any pitfalls involved in running jetty as someone other than root,
> e.g. as the same user used by my Apache installation?
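
An added example (not part of the original thread): a check for the pitfall described in the message above, where threads started before the privilege change keep running as root. It assumes Linux, where each thread's credentials appear in /proc/<pid>/task/<tid>/status; the function names, PID 4242 and the fixture tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the threads of a process whose effective UID is still 0.
# On Linux every thread has its own /proc/<pid>/task/<tid>/status file; its
# "Uid:" line holds the real, effective, saved and filesystem UIDs in that order.

# root_threads PID [PROC_ROOT]
# Prints one TID per line for each thread with effective UID 0.
# Returns 0 if there are none, 1 if any thread is root, 2 if PID is not found.
root_threads() {
    pid=$1
    proc_root=${2:-/proc}    # overridable so the check can run on a fixture
    task_dir="$proc_root/$pid/task"
    [ -d "$task_dir" ] || return 2
    found=0
    for status in "$task_dir"/*/status; do
        [ -r "$status" ] || continue
        # Field 3 of the Uid: line is the effective UID.
        euid=$(awk '$1 == "Uid:" { print $3; exit }' "$status")
        if [ "$euid" = "0" ]; then
            tid_dir=${status%/status}
            echo "${tid_dir##*/}"
            found=1
        fi
    done
    return "$found"
}

# Constructed fixture: a fake /proc tree for PID 4242 in which the main thread
# and thread 4244 run as UID 1001, but thread 4243 was started earlier and
# is still root.
make_fixture() {
    root=$1
    for spec in 4242:1001 4243:0 4244:1001; do
        tid=${spec%%:*}
        uid=${spec##*:}
        mkdir -p "$root/4242/task/$tid"
        printf 'Name:\tjava\nUid:\t%s\t%s\t%s\t%s\n' "$uid" "$uid" "$uid" "$uid" \
            > "$root/4242/task/$tid/status"
    done
}
```

Against a live server, call `root_threads <jetty-pid>` once startup has finished; any TID it prints is a thread that never gave up root.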






Re: Run jetty as non-root user?

Steve Sobol
Chris Haynes wrote:
> I've been running Jetty under non-root under SuSE Linux for several
> years with no problems. Indeed, it is recommended practice to always run
> Jetty as non-root, just in case someone finds a vulnerability.

I'm wondering if

su -m -c $RUN_CMD blah blah blah blah

would work.

--
Steve Sobol, Professional Geek   888-480-4638   PGP: 0xE3AE35ED
Company website: http://JustThe.net/
Personal blog, resume, portfolio: http://SteveSobol.com/
E: [hidden email] Snail: 22674 Motnocab Road, Apple Valley, CA 92307




Re: Run jetty as non-root user?

Chris Haynes
I have in a file in \etc\init.d a script which includes the key lines:

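  if [ "$(whoami)" = "$ADMIN_USER" ]; then
    # Already the service account (e.g. called from a console): start directly
    "$ADMIN_BIN/services" start
  else
    # Called at start-up: switch to the service account before launching
    su -c "$ADMIN_BIN/services start" "$ADMIN_USER"
  fi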

This calls another script which starts several services.

The script is called at start-up, but can also be called by $ADMIN_USER from a
console - hence the test of 'whoami'.

I don't have any interesting environment variables at this stage, so don't
need -m.

HTH

Chris Haynes


 "Steve Sobol" wondered:

> Chris Haynes wrote:
>> I've been running Jetty under non-root under SuSE Linux for several years
>> with no problems. Indeed, it is recommended practice to always run Jetty as
>> non-root, just in case someone finds a vulnerability.
>
> I'm wondering if
>
> su -m -c $RUN_CMD blah blah blah blah
>
> would work.
>




