Hi,

The tomcat server, as provided in current ebuilds, starts using a shell script. Leaving you with tomcat and all JVM child processes running as user root - a potential security risk in many ways and absolutely not suited for productive use! (besides others also think of the fact that files deployed in a webapps directory are automatically chown'ed to the user tomcat is running as...)

So instead it should definitely run as an unprivileged user ("tomcat" or "tomcat4") by default. This is also the way all other distros I know of do it. In detail it should use an initscript similar to the one provided by the official Tomcat RPMs from the jakarta homepage, su'ing to an unprivileged user before starting tomcat.

To do this one would, more or less, simply have to "port" the existing official initscript, which can be easily extracted from the source RPMs, to gentoo-style initscripts: http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.4/rpms/tomcat4-4.0.4-le.2jpp.src.rpm (probably an older version, but I didn't manage to find the script in the Tomcat CVS...). Unfortunately only RPMs and SRPMs and not source or binary tar archives from the jakarta homepage seem to contain the initscripts - that's probably the reason why the ebuild doesn't either... ;(

FYI: I've also already posted to the forums regarding this issue almost two months ago: http://forums.gentoo.org/viewtopic.php?t=9029&highlight=tomcat

And well, when I'm already about to write a feature request: While I finally managed to get it working by compiling from CVS, a package for the mod_webapp module (Tomcat integration into Apache, http://jakarta.apache.org/builds/jakarta-tomcat-connectors/webapp/) would really rock... ;)

Thanx a lot. Gentoo is great! :)
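As an added illustration of the privilege drop the request above asks for (this is example code, not the attachment from this bug and not the script that later shipped in the ebuild), here is a Gentoo-style init script skeleton that refuses to start Tomcat as root, warns when the webapps directory is not owned by the run user (the chown issue mentioned above), and su's to the unprivileged account before launching catalina.sh. The user name `tomcat`, the path `/opt/tomcat` and the variable names are assumptions; a real ebuild may use different ones.

```shell
#!/sbin/runscript
# Example Gentoo init script for Tomcat (illustration only, not the ebuild's own script).
# Assumed defaults; override them from /etc/conf.d if the real layout differs.
TOMCAT_USER="${TOMCAT_USER:-tomcat}"
CATALINA_HOME="${CATALINA_HOME:-/opt/tomcat}"

depend() {
    need net
}

# Accept only an existing account that is not root, neither by name nor by uid 0.
# Returns 0 when the user may be used, 1 otherwise.
validate_run_user() {
    user="$1"
    [ -n "$user" ] || return 1
    [ "$user" != "root" ] || return 1
    uid=$(id -u "$user" 2>/dev/null) || return 1   # unknown account is rejected too
    [ "$uid" -ne 0 ] || return 1
    return 0
}

# Tomcat unpacks WARs into webapps/, so everything it writes there ends up owned
# by the uid it runs as.  Returns 0 when the directory exists, the user exists,
# and no file underneath is owned by anyone else.
check_webapps_owner() {
    dir="$1"; user="$2"
    [ -d "$dir" ] || return 1
    id -u "$user" >/dev/null 2>&1 || return 1
    [ -z "$(find "$dir" ! -user "$user" 2>/dev/null | head -n 1)" ]
}

start() {
    if ! validate_run_user "$TOMCAT_USER"; then
        eerror "TOMCAT_USER must be an existing non-root account (got '$TOMCAT_USER')"
        return 1
    fi
    if ! check_webapps_owner "$CATALINA_HOME/webapps" "$TOMCAT_USER"; then
        ewarn "Files under $CATALINA_HOME/webapps are not owned by $TOMCAT_USER; deployment may fail"
    fi
    ebegin "Starting Tomcat as user $TOMCAT_USER"
    # su drops to the unprivileged uid; the JVM and every process it forks inherit it.
    su -s /bin/sh "$TOMCAT_USER" -c "$CATALINA_HOME/bin/catalina.sh start"
    eend $?
}

stop() {
    ebegin "Stopping Tomcat"
    su -s /bin/sh "$TOMCAT_USER" -c "$CATALINA_HOME/bin/catalina.sh stop"
    eend $?
}
```

The two checks run before anything is launched, so a misconfigured `TOMCAT_USER` fails loudly instead of silently bringing the JVM up as root; the ownership test is only a warning because a read-only deploy directory may be intentional.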
I don't have time to follow the forums closely. The current tomcat is provided sort of as a stop-gap measure until we get the time to start compiling it from sources and properly configuring it to work with the other jakarta projects, and jboss and all the other goodies. This bug will not be fixed before 1.4 is released, as it requires a new user, and our user table is undergoing a revision.
Hello, FYI, find attached a tomcat startup script, extracted from a current tomcat-src-rpm (version 4.1.12; should IMHO also work for all 4.x releases). If you are all maxed out with other things to do, maybe I will have a bit of free time during my holiday at the end of the month and I'll give it a try rewriting this to gentoo syntax (should not be too difficult I suppose). Or is this one really still on the ToDo list for 1.4? There's already been a feature freeze for some days, isn't there? At least all ebuilds and updates I have submitted during the last 1-2 weeks or so are scheduled to be added "later"... ;) Regards, Daniel Seyffer
Created attachment 4835 [details] Sample init script (from the src-rpm) - still RedHat style... A template which might be useful when creating a gentoo init script...
You said you were working on a "from source" build of tomcat. Can you address this issue as well, then? You may assume there's a user called tomcat, and a group called tomcat, if you need it.
Created attachment 9646 [details] The init script I use This is the init script I use, it works well...
This issue has been resolved in tomcat-4.1.24.ebuild. No longer runs as root, instead as uid/gid 'tomcat' (265/265). The build-from-source issue will be approached after 4.1.24 is moved to stable... there have been enough changes that need to be tested for correctness first before it is made to build from source.
Nice to see that this has been fixed. And it also sounds really nice what is happening regarding connectors, startup scripts etc. (#18352). Thanks a lot everyone... ;-)