
dhis2-users team mailing list archive

Re: Fwd: Error when starting tomcat


The reason why it is a risk is that if the web application gets
compromised then it is possible that an attacker gets access to the
machine with the privileges of the user running tomcat.

If you scan back through the lists you will remember there was just
such a problem in December 2013 where a vulnerability in the Struts
library caused a number of servers to be hacked.  The result was the
attacker was able to execute arbitrary code as the user running
tomcat.  So this is not an abstract thing - it has happened and
(despite eternal vigilance) it can happen again.

So it is really important that the user running the tomcat service (or
any other for that matter) has constrained privileges which allow it
to do what it needs to do and nothing else.

Having said that, running tomcat as root is distressingly common.  The
problem is that having done it once, the log files and any files which
tomcat writes are owned by root and so the only way people have to
restart the service is to do so as root.  I can't count the number of
servers I have seen doing this.

The correct solution, as Jason points out, is to stop the service and
then recursively change the ownership of all files and directories
used by the instance to the user which has been created to run the
service.  Then startup again as that user.

Note that (because this was such a common problem) the dhis2-startup
command used in dhis2-tools will refuse to run as root and ensures
that the instance is started under the correct user.

On 28 July 2016 at 10:34, gerald thomas <gerald17006@xxxxxxxxx> wrote:
> Dear Jason,
> Bob always tells me it is a security risk but I was trying to figure out
> Collins' issue. Thanks again for the information.
>
>
> On Jul 28, 2016 9:13 AM, "Jason Pickering" <jason.p.pickering@xxxxxxxxx>
> wrote:
>>
>> Hi Collins and Gerald,
>>
>> You should not execute "sudo ./startup.sh" as this means your Tomcat will
>> run as the root user, which is generally a very bad idea.
>>
>> From the error, it looks like the user which owns the Tomcat directory
>> does not actually have access to the logs. So you should "chown" all of the
>> files to that user, and then start Tomcat up as a non-privileged user with
>> something like "sudo -u dhis ./startup.sh".
>>
>> Regards,
>> Jason
>>
>>
>>
>>
>> On Thu, Jul 28, 2016 at 10:48 AM, gerald thomas <gerald17006@xxxxxxxxx>
>> wrote:
>>>
>>> Dear Collins,
>>> Can you please use sudo ./startup.sh
>>> Please share your output
>>>
>>>
>>> On Jul 28, 2016 08:36, "Knut Staring" <knutst@xxxxxxxxx> wrote:
>>>>
>>>> Hi Collins,
>>>>
>>>> Please use this mailing list: "dhis2-users@xxxxxxxxxxxxxxxxxxx"
>>>>
>>>> It seems as though something has happened to the user you are using to
>>>> run Tomcat. Make sure this Linux user has sufficient permissions.
>>>>
>>>> Knut
>>>>
>>>> ---------- Forwarded message ----------
>>>> From: Collins McAdoyo <collins.adoyo@xxxxxxxxx>
>>>> Date: Thu, Jul 28, 2016 at 2:55 PM
>>>> Subject: Error when starting tomcat
>>>> To: Knut Staring <knutst@xxxxxxxxx>
>>>>
>>>>
>>>> Hi Team,
>>>>
>>>> My dhis instance was running well but since today it has
>>>> started giving me errors as follows. Kindly any suggestions on how to
>>>> fix this?
>>>>
>>>> cxx@x:/tomcat-dhis/bin$ ./startup.sh
>>>> Using CATALINA_BASE:   /tomcat-dhis
>>>> Using CATALINA_HOME:   /usr/share/tomcat7
>>>> Using CATALINA_TMPDIR: /tomcat-dhis/temp
>>>> Using JRE_HOME:        /usr/lib/jvm/java-8-oracle/
>>>> Using CLASSPATH:       /usr/share/tomcat7/bin/bootstrap.jar:/usr/share/tomcat7/bin/tomcat-juli.jar
>>>> touch: cannot touch ‘/tomcat-dhis/logs/catalina.out’: Permission denied
>>>> /usr/share/tomcat7/bin/catalina.sh: 385: /usr/share/tomcat7/bin/catalina.sh: cannot create /tomcat-dhis/logs/catalina.out: Permission denied
>>>> --
>>>> This message was sent from Launchpad by
>>>> Collins McAdoyo (https://launchpad.net/~mcadoyo)
>>>> using the "Contact this team's admins" link on the DHIS 2 Users team
>>>> page
>>>> (https://launchpad.net/~dhis2-users).
>>>> For more information see
>>>> https://help.launchpad.net/YourAccount/ContactingPeople
>>>>
>>>>
>>>>
>>>> --
>>>> Knut Staring
>>>> Dept. of Informatics, University of Oslo
>>>> Norway: +4791880522
>>>> Skype: knutstar
>>>> http://dhis2.org
>>>>
>>>> _______________________________________________
>>>> Mailing list: https://launchpad.net/~dhis2-users
>>>> Post to     : dhis2-users@xxxxxxxxxxxxxxxxxxx
>>>> Unsubscribe : https://launchpad.net/~dhis2-users
>>>> More help   : https://help.launchpad.net/ListHelp
>>>>
>>>
>>>
>>
>>
>>
>> --
>> Jason P. Pickering
>> email: jason.p.pickering@xxxxxxxxx
>> tel:+46764147049
>
>
>
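A shell version of the repair Bob and Jason describe, added here as an example that is not from the thread or from dhis2-tools: it refuses to start Tomcat as root (the safeguard the thread attributes to dhis2-startup), counts files still owned by someone other than the service user, and otherwise stops, re-owns and restarts the instance. The path /tomcat-dhis and the user "dhis" are taken from the thread; the script name and function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or dhis2-tools). Repairs a Tomcat
# instance whose files became root-owned after a "sudo ./startup.sh" and
# restarts it as the service account. Adjust CATALINA_BASE and the user.

# Succeed (0) when the given numeric uid is not root, fail (1) when it is.
check_not_root() {
    [ "$1" -ne 0 ]
}

# Count paths under $1 not owned by user $2; 0 means ownership is clean.
# Leftovers are what produce "cannot create .../catalina.out: Permission
# denied" once Tomcat is no longer started as root.
count_foreign() {
    find "$1" ! -user "$2" | wc -l | tr -d ' '
}

# Start Tomcat from CATALINA_BASE $1, but refuse when the effective user
# is root, mirroring the root refusal the thread attributes to dhis2-startup.
guarded_start() {
    if ! check_not_root "$(id -u)"; then
        echo "refusing to start Tomcat as root; use: sudo -u <user> $1/bin/startup.sh" >&2
        return 1
    fi
    "$1/bin/startup.sh"
}

# Full repair, run with sudo because chown needs root: stop the instance,
# recursively re-own CATALINA_BASE $1 to service user $2, verify nothing
# foreign is left, then start the instance as that user (never as root).
repair_and_start() {
    base="$1"; user="$2"
    "$base/bin/shutdown.sh" 2>/dev/null || true
    chown -R "$user" "$base"
    left="$(count_foreign "$base" "$user")"
    if [ "$left" -ne 0 ]; then
        echo "$left paths under $base are still not owned by $user" >&2
        return 1
    fi
    # sudo -u drops to the service user, which is what Jason recommends.
    sudo -u "$user" "$base/bin/startup.sh"
}

# usage: sudo sh fix-tomcat-owner.sh /tomcat-dhis dhis   (assumed filename)
if [ $# -ge 2 ]; then
    repair_and_start "$1" "$2"
fi
```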

