How to run tomcat6 on ubuntu as root?
I've got an existing software package that runs on Ubuntu that uses a chroot jail and so needs to be run as root. I want to exec this from a java web application running within Tomcat6 on Ubuntu, so presumably I have to run Tomcat6 as root instead of the Tomcat6 user.
How do I go about changing tomcat6 to run as root instead of the tomcat6 user?
Solution 1:
I am guessing this is related to an earlier question?
Ubuntu - can non-root user run process in chroot jail?
To run Tomcat as root...*
Assuming you have installed the tomcat6 package from the Ubuntu repository edit the /etc/init.d/tomcat6 file and change the line:
TOMCAT6_USER=tomcat6
to read
TOMCAT6_USER=root
That being said...
Running Tomcat as root is not recommended in environments where it is accessible to untrusted clients (e.g. the Internet). The problem is if Tomcat or one of your web applications running within it are exploited in some manner they have full access to the underlying system. e.g. They can modify files, execute processes, etc.
Granted the chances of this are slim, but it is better to plan for the worst and hope for the best.
A more secure approach is to continue running Tomcat as the default tomcat6 user and have that call the external, chrooted process in a more isolated manner. How you do this depends on the process that is being called and what needs to occur.
If you post information on the process being called, what it is doing and why others will be able to help you identify the best way of achieving this. For example you could setup a monitor that executes the chrooted task whenever the contents of a directory change, or a local web service that Tomcat can call to run the process.
Solution 2:
Couldn't you set the sticky bit of the software package executable? This would have it always run as the owner of the file, which would be root in this case.
Make the binary executable by all users (or at least, a group which includes tomcat6) and set the user sticky bit.
$sudo chmod +x binary
OR
$sudo chmod 750 binary //(with tomcat6 in the group of the file's group)
then
$sudo chmod u+s binary
That should do it, unless it doesn't. I don't have practical experience with chroot but in a standard setup this would work.
Also, could one add tomcat6 to the sudoers file, and allow it to run this one "binary" with no password verification?
Think about it.