The reason why it is a risk is that if the web application gets
compromised then it is possible that an attacker gets access to the
machine with the privileges of the user running tomcat.
If you scan back through the lists you will remember there was just
such a problem in December 2013 where a vulnerability in the Struts
library caused a number of servers to be hacked. The result was the
attacker was able to execute arbitrary code as the user running
tomcat. So this is not an abstract thing - it has happened and
(despite eternal vigilance) it can happen again.
So it is really important that the user running the tomcat service (or
any other for that matter) has constrained privileges which allow it
to do what it needs to do and nothing else.
Having said that, running tomcat as root is distressingly common. The
problem is that having done it once, the log files and any files which
tomcat writes are owned by root and so the only way people have to
restart the service is to do so as root. I can’t count the number of
servers I have seen doing this.
The correct solution, as Jason points out, is to stop the service and
then recursively change the ownership of all files and directories
used by the instance to the user which has been created to run the
service. Then startup again as that user.
Note that (because this was such a common problem) the dhis2-startup
command used in dhis2-tools will refuse to run as root and ensures
that the instance is started under the correct user.
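A startup wrapper that applies the advice above (refuse to run as root, check that the service user owns the instance, then start Tomcat as that user), added here as an example; it is not code from dhis2-tools or from anyone in this thread. The service user name dhis, CATALINA_BASE /tomcat-dhis and CATALINA_HOME /usr/share/tomcat7 are assumptions taken from the quoted output, and the script name tomcat-start.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not dhis2-tools code: a Tomcat startup wrapper that applies
# the advice above. It refuses to run as root, lists anything in the instance
# not owned by the service user (the cause of "touch: cannot touch
# '/tomcat-dhis/logs/catalina.out'"), and only then starts Tomcat.
# Assumed from the thread: user "dhis", CATALINA_BASE /tomcat-dhis,
# CATALINA_HOME /usr/share/tomcat7 (all overridable via the environment).
TOMCAT_USER="${TOMCAT_USER:-dhis}"
CATALINA_BASE="${CATALINA_BASE:-/tomcat-dhis}"
CATALINA_HOME="${CATALINA_HOME:-/usr/share/tomcat7}"

# Succeed only when the uid is not 0; the optional argument lets the check be
# exercised without actually being root.
check_not_root() {
    [ "${1:-$(id -u)}" -ne 0 ]
}

# Print every path under the instance directories that the service user does
# not own; return 1 if any were found (or the user does not exist), 0 if clean.
find_wrong_owner() {
    base="$1"; user="$2"; rc=0
    id "$user" >/dev/null 2>&1 || { echo "no such user: $user" >&2; return 1; }
    for d in logs temp work webapps conf; do
        [ -d "$base/$d" ] || continue
        bad=$(find "$base/$d" ! -user "$user")
        if [ -n "$bad" ]; then
            printf '%s\n' "$bad"
            rc=1
        fi
    done
    return "$rc"
}
# The thread's remediation: with Tomcat stopped, recursively chown the
# instance to the service user (run via sudo when files are owned by root).
fix_ownership() {
    chown -R "$2" "$1"
}
main() {
    if ! check_not_root; then
        echo "refusing to run as root; use: sudo -u $TOMCAT_USER $0" >&2
        return 1
    fi
    if ! find_wrong_owner "$CATALINA_BASE" "$TOMCAT_USER"; then
        echo "fix with Tomcat stopped: sudo chown -R $TOMCAT_USER $CATALINA_BASE" >&2
        return 1
    fi
    [ -x "$CATALINA_HOME/bin/startup.sh" ] || { echo "no startup.sh in $CATALINA_HOME/bin" >&2; return 1; }
    exec "$CATALINA_HOME/bin/startup.sh"
}
main "$@"
```

Run it as `sudo -u dhis sh tomcat-start.sh`; when it reports paths owned by someone else, stop Tomcat, run the printed chown, and start again as dhis.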
On 28 July 2016 at 10:34, gerald thomas gerald17006@gmail.com wrote:
Dear Jason,
Bob always tells me it is a security risk but I was trying to figure out
Collins' issue. Thanks again for the information.
On Jul 28, 2016 9:13 AM, “Jason Pickering” jason.p.pickering@gmail.com
wrote:
Hi Collins and Gerald,
You should not execute “sudo ./startup.sh” as this means your Tomcat will
run as the root user, which is generally a very bad idea.
From the error, it looks like the user which owns the Tomcat directory
does not actually have access to the logs. So you should “chown” all of the
files to that user, and then start Tomcat up as a non-privileged user with
something like “sudo -u dhis ./startup.sh”.
Regards,
Jason
On Thu, Jul 28, 2016 at 10:48 AM, gerald thomas gerald17006@gmail.com
wrote:
Dear Collins,
Can you please use sudo ./startup.sh
Please share your output
On Jul 28, 2016 08:36, “Knut Staring” knutst@gmail.com wrote:
Hi Collins,
Please use this mailing list: “dhis2-users@lists.launchpad.net”
It seems as though something has happened to the user you are using to
run Tomcat. Make sure this Linux user has sufficient permissions.
Knut
---------- Forwarded message ----------
From: Collins McAdoyo collins.adoyo@gmail.com
Date: Thu, Jul 28, 2016 at 2:55 PM
Subject: Error when starting tomcat
To: Knut Staring knutst@gmail.com
Hi Team,
My dhis instance was running well but since today it has
started giving me errors as follows. Kindly any suggestions on how to
fix this?
cxx@x:/tomcat-dhis/bin$ ./startup.sh
Using CATALINA_BASE: /tomcat-dhis
Using CATALINA_HOME: /usr/share/tomcat7
Using CATALINA_TMPDIR: /tomcat-dhis/temp
Using JRE_HOME: /usr/lib/jvm/java-8-oracle/
Using CLASSPATH: /usr/share/tomcat7/bin/bootstrap.jar:/usr/share/tomcat7/bin/tomcat-juli.jar
touch: cannot touch ‘/tomcat-dhis/logs/catalina.out’: Permission denied
/usr/share/tomcat7/bin/catalina.sh: 385: /usr/share/tomcat7/bin/catalina.sh: cannot create /tomcat-dhis/logs/catalina.out: Permission denied
–
Knut Staring
Dept. of Informatics, University of Oslo
Norway: +4791880522
Skype: knutstar
http://dhis2.org
Mailing list: https://launchpad.net/~dhis2-users
Post to : dhis2-users@lists.launchpad.net
Unsubscribe : https://launchpad.net/~dhis2-users
More help : https://help.launchpad.net/ListHelp
–
Jason P. Pickering
email: jason.p.pickering@gmail.com
tel:+46764147049