
dhis2-users team mailing list archive

Re: Fwd: Error when starting tomcat

 

Thanks Jason and Bob, this was very helpful.

On Thu, Jul 28, 2016 at 1:01 PM, gerald thomas <gerald17006@xxxxxxxxx>
wrote:

> Noted!!!
> Collins, can you correct as advised for security reasons?
>
> On Jul 28, 2016 9:57 AM, "Bob Jolliffe" <bobjolliffe@xxxxxxxxx> wrote:
>
>> The reason why it is a risk is that if the web application gets
>> compromised then it is possible that an attacker gets access to the
>> machine with the privileges of the user running tomcat.
>>
>> If you scan back through the lists you will remember there was just
>> such a problem in December 2013 where a vulnerability in the Struts
>> library caused a number of servers to be hacked.  The result was the
>> attacker was able to execute arbitrary code as the user running
>> tomcat.  So this is not an abstract thing - it has happened and
>> (despite eternal vigilance) it can happen again.
>>
>> So it is really important that the user running the tomcat service (or
>> any other for that matter) has constrained privileges which allow it
>> to do what it needs to do and nothing else.
>>
>> Having said that, running tomcat as root is distressingly common.  The
>> problem is that having done it once, the log files and any files which
>> tomcat writes are owned by root and so the only way people have to
>> restart the service is to do so as root.  I can't count the number of
>> servers I have seen doing this.
>>
>> The correct solution, as Jason points out, is to stop the service and
>> then recursively change the ownership of all files and directories
>> used by the instance to the user which has been created to run the
>> service.  Then startup again as that user.
>>
>> Note that (because this was such a common problem) the dhis2-startup
>> command used in dhis2-tools will refuse to run as root and ensures
>> that the instance is started under the correct user.
>>
>> On 28 July 2016 at 10:34, gerald thomas <gerald17006@xxxxxxxxx> wrote:
>> > Dear Jason,
>> > Bob always tells me it is a security risk but I was trying to figure out
>> > Collins' issue. Thanks again for the information.
>> >
>> >
>> > On Jul 28, 2016 9:13 AM, "Jason Pickering" <jason.p.pickering@xxxxxxxxx>
>> > wrote:
>> >>
>> >> Hi Collins and Gerald,
>> >>
>> >> You should not execute "sudo ./startup.sh" as this means your Tomcat will
>> >> run as the root user, which is generally a very bad idea.
>> >>
>> >> From the error, it looks like the user which owns the Tomcat directory
>> >> does not actually have access to the logs. So you should "chown" all of the
>> >> files to that user, and then start Tomcat up as a non-privileged user with
>> >> something like "sudo -u dhis ./startup.sh".
>> >>
>> >> Regards,
>> >> Jason
>> >>
>> >>
>> >>
>> >>
>> >> On Thu, Jul 28, 2016 at 10:48 AM, gerald thomas <gerald17006@xxxxxxxxx>
>> >> wrote:
>> >>>
>> >>> Dear Collins,
>> >>> Can you please use sudo ./startup.sh
>> >>> Please share your output
>> >>>
>> >>>
>> >>> On Jul 28, 2016 08:36, "Knut Staring" <knutst@xxxxxxxxx> wrote:
>> >>>>
>> >>>> Hi Collins,
>> >>>>
>> >>>> Please use this mailing list: "dhis2-users@xxxxxxxxxxxxxxxxxxx"
>> >>>>
>> >>>> It seems as though something has happened to the user you are using to
>> >>>> run Tomcat. Make sure this Linux user has sufficient permissions.
>> >>>>
>> >>>> Knut
>> >>>>
>> >>>> ---------- Forwarded message ----------
>> >>>> From: Collins McAdoyo <collins.adoyo@xxxxxxxxx>
>> >>>> Date: Thu, Jul 28, 2016 at 2:55 PM
>> >>>> Subject: Error when starting tomcat
>> >>>> To: Knut Staring <knutst@xxxxxxxxx>
>> >>>>
>> >>>>
>> >>>> Hi Team,
>> >>>>
>> >>>> Hi Team, my dhis instance was running well but since today it has
>> >>>> started giving me errors as follows. Kindly any suggestions on how to
>> >>>> fix this?
>> >>>>
>> >>>> cxx@x:/tomcat-dhis/bin$ ./startup.sh
>> >>>> Using CATALINA_BASE:   /tomcat-dhis
>> >>>> Using CATALINA_HOME:   /usr/share/tomcat7
>> >>>> Using CATALINA_TMPDIR: /tomcat-dhis/temp
>> >>>> Using JRE_HOME:        /usr/lib/jvm/java-8-oracle/
>> >>>> Using CLASSPATH:       /usr/share/tomcat7/bin/bootstrap.jar:/usr/share/tomcat7/bin/tomcat-juli.jar
>> >>>> touch: cannot touch ‘/tomcat-dhis/logs/catalina.out’: Permission denied
>> >>>> /usr/share/tomcat7/bin/catalina.sh: 385: /usr/share/tomcat7/bin/catalina.sh: cannot create /tomcat-dhis/logs/catalina.out: Permission denied
>> >>>> --
>> >>>> This message was sent from Launchpad by
>> >>>> Collins McAdoyo (https://launchpad.net/~mcadoyo)
>> >>>> using the "Contact this team's admins" link on the DHIS 2 Users team
>> >>>> page
>> >>>> (https://launchpad.net/~dhis2-users).
>> >>>> For more information see
>> >>>> https://help.launchpad.net/YourAccount/ContactingPeople
>> >>>>
>> >>>>
>> >>>>
>> >>>> --
>> >>>> Knut Staring
>> >>>> Dept. of Informatics, University of Oslo
>> >>>> Norway: +4791880522
>> >>>> Skype: knutstar
>> >>>> http://dhis2.org
>> >>>>
>> >>>> _______________________________________________
>> >>>> Mailing list: https://launchpad.net/~dhis2-users
>> >>>> Post to     : dhis2-users@xxxxxxxxxxxxxxxxxxx
>> >>>> Unsubscribe : https://launchpad.net/~dhis2-users
>> >>>> More help   : https://help.launchpad.net/ListHelp
>> >>>>
>> >>
>> >>
>> >>
>> >> --
>> >> Jason P. Pickering
>> >> email: jason.p.pickering@xxxxxxxxx
>> >> tel:+46764147049
>> >
>>
>
>
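
The advice in this thread (never start Tomcat as root, and make every file under the instance directory belong to the service user) can be turned into a pre-start check. This is an added example, not part of the original messages and not the dhis2-startup code from dhis2-tools; the user `dhis` and the path `/tomcat-dhis` come from the thread, while the function names and exit codes are assumptions made for the example.

```shell
#!/bin/sh
# Added example: pre-start check for a Tomcat instance directory.
# Function names and exit codes are assumptions, not dhis2-tools behaviour.

# foreign_owned BASE OWNER
# Print every path under BASE that is not owned by OWNER (name or numeric uid).
foreign_owned() {
    find "$1" ! -user "$2" -print
}

# preflight BASE OWNER [UID]
#   0 = safe to start            1 = caller is root, refuse to start
#   2 = some files have another owner (e.g. root, after a "sudo ./startup.sh")
#   3 = ownership could not be checked (missing directory, unknown user)
preflight() {
    pf_uid=${3:-$(id -u)}
    if [ "$pf_uid" -eq 0 ]; then
        echo "refusing to start Tomcat as root; use: sudo -u $2 ./startup.sh" >&2
        return 1
    fi
    # A failing find must not be mistaken for "nothing wrong".
    pf_bad=$(foreign_owned "$1" "$2") || return 3
    if [ -n "$pf_bad" ]; then
        echo "not owned by $2:" >&2
        echo "$pf_bad" >&2
        echo "stop the service, then run: sudo chown -R $2 $1" >&2
        return 2
    fi
    return 0
}

# Runs only when called with arguments, e.g.: sh preflight.sh /tomcat-dhis dhis
if [ "$#" -ge 2 ]; then
    preflight "$1" "$2"
    exit $?
fi
```

Exit code 2 is the state described in the thread: after one start as root, `logs/catalina.out` belongs to root and the service user can no longer write to it.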
