Excessive 'root' Ownership of Tomcat Files



philg
02-13-2008, 04:29 PM
I'm not sure if this is the best place to voice this, but...

The Westhost install of Tomcat is “locked down”, with root-owned files, to the extent that it's almost unusable. It appears that up until now, Westhost customers have not tried to use Tomcat to host a Java web application of any significance. I am currently trying to host an instance of Liferay (www.liferay.com) and am blocked by at least one issue of 'root' ownership.

I would like to make the case for unlocking some of the Tomcat files such that customers of Westhost can use Tomcat as intended.

Below are descriptions of the “root” issues I've been able to identify so far (there may be others)...

1) We can't remove “out of the box” Tomcat applications from /var/tomcat5/webapps:
balancer, jsp-examples, servlets-examples, tomcat-docs, webdav
I can't imagine why Westhost should require us to have these “out of the box” example and utility applications deployed along with our production applications.

2) We can't add a library to Tomcat's “common” classloader.
This is a requirement for web applications that define a DataSource. The JDBC driver for MySQL (or whatever database you're using) must be placed on the “common” classloader so that Tomcat classes can find it when it tries to create the DataSource.

The Westhost Tomcat install only allows us to put libraries in the Shared classloader. However, as the fragment below from Tomcat docs indicates, classes that need to be seen by Tomcat internal classes (like JDBC drivers) need to be in the Common classloader...

“Shared - This class loader is the place to put classes and resources that you wish to share across ALL web applications (unless Tomcat internal classes also need access, in which case you should put them in the Common class loader instead). “

For more information on Tomcat classloaders, see:
http://tomcat.apache.org/tomcat-4.1-doc/class-loader-howto.html

3) We can't adjust Tomcat logging
It is very likely that customers may need to use Tomcat logging to diagnose issues. In order to do so, we need write access to conf/logging.properties.

4) Performance Tuning
At some point, I expect to want to tune the Tomcat install to maximize performance. I'm not sure what files will be required for this, but we may need to modify conf/catalina.properties and others. For info on Tomcat tuning, here's an article:
http://www.devx.com/Java/Article/32730

5) Security Adjustments
On a production application, I would probably want to disable the “manager” features accessible through the browser. I'm not that familiar with this yet, but we may need to delete conf/Catalina/localhost/tomcat-manager.xml

To summarize, we need read/write access to the following files/directories:

webapps/* – ability to delete ALL web applications
common/lib – ability to add JAR files
conf/logging.properties – write access
conf/catalina.properties - may be needed for performance tuning. not sure.
conf/Catalina/localhost/tomcat-manager.xml – might need to delete this


Phil
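
The checklist in the post above, as a read-only shell audit (an added example, not part of the original post or Westhost's tooling). It reports which out-of-the-box webapps are still deployed, whether the manager descriptor is present, and which of the listed locations the current user cannot modify; the function names and the base-directory argument are assumptions.

```shell
#!/bin/sh
# Read-only audit of a Tomcat 5 tree against the checklist in the post above.
# Usage (base directory is an assumption): sh tomcat_audit.sh /var/tomcat5

# Print each out-of-the-box webapp (names from item 1) that is still deployed.
default_apps_present() {
    for app in balancer jsp-examples servlets-examples tomcat-docs webdav; do
        if [ -d "$1/webapps/$app" ]; then echo "$app"; fi
    done
}

# Succeed if the manager context descriptor from item 5 is still in place.
manager_descriptor_present() {
    [ -e "$1/conf/Catalina/localhost/tomcat-manager.xml" ]
}

# Print "<state> <owner> <path>" for each location in the post's summary that
# the current user cannot change. Deleting an entry needs write access to its
# parent directory, so webapps and conf/Catalina/localhost are what is tested.
blocked_paths() {
    for p in webapps common/lib conf/logging.properties \
             conf/catalina.properties conf/Catalina/localhost; do
        if [ ! -e "$1/$p" ]; then
            echo "missing - $p"
        elif [ ! -w "$1/$p" ]; then
            # The third field of `ls -ld` is the owning user.
            echo "read-only $(ls -ld "$1/$p" | awk '{print $3}') $p"
        fi
    done
}

# Full report; returns non-zero when anything needs attention.
audit_tomcat() {
    apps=$(default_apps_present "$1")
    blocked=$(blocked_paths "$1")
    rc=0
    if [ -n "$apps" ]; then
        echo "Default webapps still deployed:"; echo "$apps"; rc=1
    fi
    if manager_descriptor_present "$1"; then
        echo "Manager descriptor present: tomcat-manager.xml"; rc=1
    fi
    if [ -n "$blocked" ]; then
        echo "Not modifiable by the current user:"; echo "$blocked"; rc=1
    fi
    return $rc
}

if [ $# -gt 0 ]; then audit_tomcat "$1"; fi
```
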

wildjokerdesign
02-13-2008, 05:09 PM
You might want to send your findings and suggestions to West Host via the Contact Page. This creates a support ticket that both you and West Host can follow. It is also more likely to get the information passed on to the right person in charge of such things. While employees of West Host often do visit the forum, I don't believe it is a required part of their jobs aside from the administrator of the forum.

philg
02-13-2008, 07:06 PM
Thanks Shawn!
I'll try that.

Phil

philg
02-16-2008, 01:35 PM
For others who might be running into this problem...

I've submitted a ticket (Ticket Id: 2541500) and the support guys granted the permissions I needed. I also provided them a description of files/directories that should be writable. They will reportedly review and update the Tomcat install scripts accordingly.

Phil