dhis2-users team mailing list archive

Re: Fwd: Error when starting tomcat

 

Noted!!!
Collins, can you correct as advised for security reasons.

On Jul 28, 2016 9:57 AM, "Bob Jolliffe" <bobjolliffe@xxxxxxxxx> wrote:

> The reason why it is a risk is that if the web application gets
> compromised then it is possible that an attacker gets access to the
> machine with the privileges of the user running tomcat.
>
> If you scan back through the lists you will remember there was just
> such a problem in December 2013 where a vulnerability in the Struts
> library caused a number of servers to be hacked.  The result was the
> attacker was able to execute arbitrary code as the user running
> tomcat.  So this is not an abstract thing - it has happened and
> (despite eternal vigilance) it can happen again.
>
> So it is really important that the user running the tomcat service (or
> any other for that matter) has constrained privileges which allow it
> to do what it needs to do and nothing else.
>
> Having said that, running tomcat as root is distressingly common.  The
> problem is that having done it once, the log files and any files which
> tomcat writes are owned by root and so the only way people have to
> restart the service is to do so as root.  I can't count the number of
> servers I have seen doing this.
>
> The correct solution, as Jason points out, is to stop the service and
> then recursively change the ownership of all files and directories
> used by the instance to the user which has been created to run the
> service.  Then startup again as that user.
>
> Note that (because this was such a common problem) the dhis2-startup
> command used in dhis2-tools will refuse to run as root and ensures
> that the instance is started under the correct user.
>
> On 28 July 2016 at 10:34, gerald thomas <gerald17006@xxxxxxxxx> wrote:
> > Dear Jason,
> > Bob always tells me it is a security risk, but I was trying to figure out
> > Collins' issue. Thanks again for the information.
> >
> >
> > On Jul 28, 2016 9:13 AM, "Jason Pickering" <jason.p.pickering@xxxxxxxxx>
> > wrote:
> >>
> >> Hi Collins and Gerald,
> >>
> >> You should not execute "sudo ./startup.sh" as this means your Tomcat will
> >> run as the root user, which is generally a very bad idea.
> >>
> >> From the error, it looks like the user which owns the Tomcat directory
> >> does not actually have access to the logs. So you should "chown" all of the
> >> files to that user, and then start Tomcat up as a non-privileged user with
> >> something like "sudo -u dhis ./startup.sh".
> >>
> >> Regards,
> >> Jason
> >>
> >>
> >>
> >>
> >> On Thu, Jul 28, 2016 at 10:48 AM, gerald thomas <gerald17006@xxxxxxxxx>
> >> wrote:
> >>>
> >>> Dear Collins,
> >>> Can you please use sudo ./startup.sh
> >>> Please share your output
> >>>
> >>>
> >>> On Jul 28, 2016 08:36, "Knut Staring" <knutst@xxxxxxxxx> wrote:
> >>>>
> >>>> Hi Collins,
> >>>>
> >>>> Please use this mailing list: "dhis2-users@xxxxxxxxxxxxxxxxxxx"
> >>>>
> >>>> It seems as though something has happened to the user you are using to
> >>>> run Tomcat. Make sure this Linux user has sufficient permissions.
> >>>>
> >>>> Knut
> >>>>
> >>>> ---------- Forwarded message ----------
> >>>> From: Collins McAdoyo <collins.adoyo@xxxxxxxxx>
> >>>> Date: Thu, Jul 28, 2016 at 2:55 PM
> >>>> Subject: Error when starting tomcat
> >>>> To: Knut Staring <knutst@xxxxxxxxx>
> >>>>
> >>>>
> >>>> Hi Team,
> >>>>
> >>>> Hi Team, my dhis instance was running well but since today it has
> >>>> started giving me errors as follows. Kindly any suggestions on how to
> >>>> fix this?
> >>>>
> >>>> cxx@x:/tomcat-dhis/bin$ ./startup.sh
> >>>> Using CATALINA_BASE:   /tomcat-dhis
> >>>> Using CATALINA_HOME:   /usr/share/tomcat7
> >>>> Using CATALINA_TMPDIR: /tomcat-dhis/temp
> >>>> Using JRE_HOME:        /usr/lib/jvm/java-8-oracle/
> >>>> Using CLASSPATH:       /usr/share/tomcat7/bin/bootstrap.jar:/usr/share/tomcat7/bin/tomcat-juli.jar
> >>>> touch: cannot touch ‘/tomcat-dhis/logs/catalina.out’: Permission denied
> >>>> /usr/share/tomcat7/bin/catalina.sh: 385: /usr/share/tomcat7/bin/catalina.sh: cannot create /tomcat-dhis/logs/catalina.out: Permission denied
> >>>> --
> >>>> This message was sent from Launchpad by
> >>>> Collins McAdoyo (https://launchpad.net/~mcadoyo)
> >>>> using the "Contact this team's admins" link on the DHIS 2 Users team
> >>>> page
> >>>> (https://launchpad.net/~dhis2-users).
> >>>> For more information see
> >>>> https://help.launchpad.net/YourAccount/ContactingPeople
> >>>>
> >>>>
> >>>>
> >>>> --
> >>>> Knut Staring
> >>>> Dept. of Informatics, University of Oslo
> >>>> Norway: +4791880522
> >>>> Skype: knutstar
> >>>> http://dhis2.org
> >>>>
> >>>> _______________________________________________
> >>>> Mailing list: https://launchpad.net/~dhis2-users
> >>>> Post to     : dhis2-users@xxxxxxxxxxxxxxxxxxx
> >>>> Unsubscribe : https://launchpad.net/~dhis2-users
> >>>> More help   : https://help.launchpad.net/ListHelp
> >>>>
> >>
> >>
> >>
> >> --
> >> Jason P. Pickering
> >> email: jason.p.pickering@xxxxxxxxx
> >> tel:+46764147049
> >
> >
>
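As an added example (not code from the thread or from dhis2-tools), a POSIX shell script that pulls the blocked path out of startup output like the one Collins posted, counts files under the instance directory still owned by someone other than the service user (the leftovers of a root start), and applies the fix Bob and Jason describe: stop, chown -R, start as that user. The instance directory /tomcat-dhis and the user dhis are taken from the thread; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the thread: diagnose and repair a Tomcat instance
# that was once started as root. Defaults are the names used in the thread.
TOMCAT_DIR="${TOMCAT_DIR:-/tomcat-dhis}"
SERVICE_USER="${SERVICE_USER:-dhis}"

# Read startup output on stdin and print the first path reported as
# "Permission denied". Handles both forms seen in the thread:
#   touch: cannot touch ‘/path’: Permission denied
#   catalina.sh: cannot create /path: Permission denied
blocked_path() {
    grep 'Permission denied' | head -n 1 |
        sed -e 's/.*cannot [a-z]* //' -e 's/: Permission denied.*//' \
            -e 's/^‘//' -e 's/’$//'
}

# Print how many files under $1 are NOT owned by user $2.
# Returns 2 (and prints nothing) when the user does not exist, so a typo in
# the user name is not mistaken for "everything is fine".
foreign_count() {
    id "$2" >/dev/null 2>&1 || return 2
    find "$1" ! -user "$2" -print 2>/dev/null | wc -l | tr -d ' '
}

# Stop the instance, hand every file back to the service user and start it
# again as that user. Like dhis2-startup, refuses to be run as root itself:
# run it from a sudoer account so the Tomcat process never inherits root.
repair_and_start() {
    if [ "$(id -u)" -eq 0 ]; then
        echo "refusing to run as root; run from a sudoer account" >&2
        return 1
    fi
    id "$SERVICE_USER" >/dev/null 2>&1 || {
        echo "no such user: $SERVICE_USER" >&2; return 1; }
    # The running instance was started as root, so it must be stopped as root.
    sudo "$TOMCAT_DIR/bin/shutdown.sh" 2>/dev/null || true
    sudo chown -R "$SERVICE_USER" "$TOMCAT_DIR"
    echo "files still not owned by $SERVICE_USER: $(sudo -n true; foreign_count "$TOMCAT_DIR" "$SERVICE_USER")"
    sudo -u "$SERVICE_USER" "$TOMCAT_DIR/bin/startup.sh"
}

# Invoke as: ./fix-tomcat-owner.sh repair
if [ "${1:-}" = "repair" ]; then
    repair_and_start
fi
```

Run `./startup.sh 2>&1 | blocked_path` first to confirm the failing file sits under the instance directory before handing the whole tree to the service user.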
