Tomcat6 as a non-root user
MWahl | February 21, 2010 | 10:18 pm
Tomcat running as root could be a huge security hole. Linux only allows root to bind the privileged ports 80 and 443, which is why many Tomcat users on Linux run Tomcat as root. With jsvc, however, the process starts as root only to bind the ports and then drops privileges to the user tomcat (or whatever user name you choose).
After a few Google searches I quickly found bits and pieces on configuring Tomcat 6 as a non-root user, so I thought I would put together a list of what I did to get this up and running.
1. Download and install the Linux distro of your choice. I installed Tomcat6 on Fedora 8 Core. After you have Linux installed, it's good practice to make sure all OS updates are applied.
2. Create the user to run Tomcat under with useradd tomcat. This command also creates the home directory /home/tomcat.
3. Download and install Java. Visit http://java.sun.com/products/archive/j2se/6u2/index.html and select JDK 6.
4. After the download is complete, make the installer executable with chmod 755 jdk-6u2(version number).
5. Then run the installer with ./jdk(version number).
6. Run updatedb; locate javac | grep bin to find where the JDK was installed.
7. Now you need to run the alternatives command to instruct Fedora to recognize Sun's JVM:
alternatives --install /usr/bin/java java /usr/java/jdk1.6.0_02/bin/java 100
alternatives --install /usr/bin/jar jar /usr/java/jdk1.6.0_02/bin/jar 100
alternatives --install /usr/bin/javac javac /usr/java/jdk1.6.0_02/bin/javac 100
/usr/sbin/alternatives --config java
Select option 1.
Type java -version and you should see something like this:
java version "1.6.0_02"
Java(TM) SE Runtime Environment (build 1.6.0_02-ea-b02)
Java HotSpot(TM) Client VM (build 1.6.0_02-ea-b02, mixed mode, sharing)
Then set JAVA_HOME to the JDK root (not its bin directory; the init script below expects $JAVA_HOME/lib/tools.jar):
export JAVA_HOME=/usr/java/jdk1.6.0_02
8. Install the compiler needed to build jsvc: yum install gcc
9. Download Tomcat 6 from http://tomcat.apache.org/download-60.cgi into /home/tomcat, then extract it there with tar xvzf tomcat6filename.tar.gz.
10. chown -R tomcat:tomcat /home/tomcat
11. Compile the jsvc code by following the instructions at http://tomcat.apache.org/tomcat-6.0-doc/setup.html. You may have to issue
export JAVA_HOME=/usr/java/jdk1.6.0_02 before you run ./configure and make.
12. Create your start and stop script. Navigate to /etc/init.d, create a new file with touch tomcat, and make it executable with chmod 755 tomcat.
13. Next, open it with vim tomcat and paste the script below. You might have to change some of the settings to fit your server.
#!/bin/sh
#
# Startup script for Tomcat, the Apache Servlet Engine
#
# chkconfig: 345 80 20
# description: Tomcat is the Apache Servlet Engine
# processname: tomcat
# pidfile: /var/run/tomcat.pid

# Earlier, simpler version of this script (uses startup.sh/shutdown.sh and
# therefore runs Tomcat as whoever invokes the script, with no privilege
# drop). Kept commented out for reference only.
#export JAVA_HOME=/usr/java/jdk1.6.0_02
#case $1 in
#start)
#    sh /usr/local/tomcat/bin/startup.sh
#    ;;
#stop)
#    sh /usr/local/tomcat/bin/shutdown.sh
#    ;;
#restart)
#    sh /usr/local/tomcat/bin/shutdown.sh
#    sh /usr/local/tomcat/bin/startup.sh
#    ;;
#esac
#exit 0

TOMCAT_PROG=tomcat
JAVA_HOME='/usr/java/jdk1.6.0_02'
# CATALINA_HOME must point at the directory Tomcat was extracted into
# (step 9 extracts it under /home/tomcat; adjust to match your server).
CATALINA_HOME='/usr/local/tomcat'
DAEMON_HOME=$CATALINA_HOME/bin/jsvc
TMP_DIR=/var/tmp
PIDFILE=/var/run/tomcat.pid
CATALINA_OPTS=
CLASSPATH=\
$JAVA_HOME/lib/tools.jar:\
$CATALINA_HOME/bin/commons-daemon.jar:\
$CATALINA_HOME/bin/bootstrap.jar

# if TOMCAT_USER is not set, use tomcat like Apache HTTP server
if [ -z "$TOMCAT_USER" ]; then
    TOMCAT_USER="tomcat"
fi
RETVAL=0

# start and stop functions
start() {
    echo -n "Starting tomcat: "
    # Note: this hands the tomcat account ownership of the whole install
    # (bin, conf, lib included), so a compromised web application could
    # modify it. Ownership of logs, temp, work and webapps is enough for
    # normal operation if you want to tighten this.
    chown -R $TOMCAT_USER:$TOMCAT_USER $CATALINA_HOME/*
    # jsvc starts as root (so it can bind ports 80/443), then switches the
    # JVM to $TOMCAT_USER before running Bootstrap. -pidfile keeps the pid
    # file in sync with the one stop() reads and the header declares.
    $DAEMON_HOME \
        -user $TOMCAT_USER \
        -home $JAVA_HOME \
        -pidfile $PIDFILE \
        -Dcatalina.home=$CATALINA_HOME \
        -Djava.io.tmpdir=$TMP_DIR \
        -Djava.awt.headless=true \
        -outfile $CATALINA_HOME/logs/catalina.out \
        -errfile '&1' \
        $CATALINA_OPTS \
        -cp $CLASSPATH \
        org.apache.catalina.startup.Bootstrap
    # To get a verbose JVM, add:   -verbose \
    # To get a debug of jsvc, add: -debug \
    RETVAL=$?
    echo
    [ $RETVAL = 0 ] && touch /var/lock/subsys/tomcat
    return $RETVAL
}

stop() {
    echo -n "Stopping tomcat: "
    PID=`cat $PIDFILE`
    kill $PID
    RETVAL=$?
    echo
    [ $RETVAL = 0 ] && rm -f /var/lock/subsys/tomcat $PIDFILE
    return $RETVAL
}

# See how we were called.
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        stop
        sleep 5
        start
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}"
        exit 1
        ;;
esac
exit $RETVAL
14. Next, to make Tomcat start at boot, issue chkconfig --add tomcat and chkconfig tomcat on.
15. You can stop or start Tomcat with service tomcat stop or service tomcat start.
If you have any questions just send me an email and I'll do my best to get back to you.
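Once the service is up, it is worth confirming that jsvc really did drop privileges rather than trusting the script. The check below is an added example, not part of the original post: check_jsvc_users is a hypothetical helper, and the ps samples it runs against are constructed; jsvc keeps one controller process as root and runs the JVM child as the -user account, so that is the shape the check expects.

```shell
#!/bin/sh
# Verify that jsvc dropped privileges after start-up. jsvc keeps exactly one
# controller process running as root (it only watches and restarts the child)
# and runs the JVM child as the account given with -user. Two root jsvc
# processes, or a jsvc under an unexpected account, mean the drop did not
# happen as intended (for example, -user was removed from the init script).
#
# Input: ps(1)-style "user pid comm" lines on stdin, so it runs live as
#   ps -eo user,pid,comm | check_jsvc_users tomcat
# or against captured output, as with the constructed samples below.
check_jsvc_users() {
    want="$1"
    awk -v want="$want" '
        $3 ~ /^jsvc/ {
            if ($1 == "root") { root++ } else if ($1 == want) { ok++ } else { other++ }
        }
        END {
            if (root + ok + other == 0) { print "FAIL: no jsvc process running"; exit 2 }
            if (root != 1 || ok < 1 || other > 0) {
                printf "FAIL: %d jsvc as root, %d as %s, %d as other users\n", root, ok, want, other
                exit 1
            }
            printf "OK: 1 jsvc controller as root, %d JVM process(es) as %s\n", ok, want
            exit 0
        }'
}

# Constructed sample of a correct deployment: controller as root, JVM as tomcat.
SAMPLE_GOOD='USER     PID COMMAND
root       1 init
root    1201 jsvc
tomcat  1202 jsvc'

# Constructed sample of a broken one: -user was left out, so the JVM itself
# is still root and every web application runs with full privileges.
SAMPLE_BAD='USER     PID COMMAND
root    1201 jsvc
root    1202 jsvc'

printf '%s\n' "$SAMPLE_GOOD" | check_jsvc_users tomcat
printf '%s\n' "$SAMPLE_BAD"  | check_jsvc_users tomcat || echo "(expected: the misconfigured sample fails)"
```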