Difference between revisions of "Running the Platform as a Non-Root User"
imported>Aeric (Created page with "For any installation that is public-facing, it's a good idea to make the service run as a non-root user. That way, if services are compromised, they will be more limited than if th…")
(35 intermediate revisions by the same user not shown)
<includeonly>===Running the Platform as a Non-Root User===</includeonly>
As a good security practice, it is recommended that the platform and the software components it depends on run as users other than <tt>root</tt>. If one of those services is compromised, the attacker then holds only that account's privileges rather than control of the whole host. This section explains how to run the platform as a non-root user. For information on creating a non-root MySQL user in Unix Common Tomcat Platform installations, see [[Creating a non-root MySQL User to Run Agile Apps]].
{{Important|The installer needs ''the same privileges as the root user'', without actually ''being'' root.}}
====memcached====
memcached accepts the command line argument <tt>-u {username}</tt>. When memcached is launched by <tt>root</tt> with that argument, it drops privileges and assumes the identity of the specified user before it starts serving requests (memcached refuses to run as <tt>root</tt> unless <tt>-u</tt> is given). It is recommended that this username is set to <tt>nobody</tt>, or to a dedicated unprivileged account, in the memcached startup command. For example:
:<syntaxhighlight lang="bash" enclose="div">
/usr/local/bin/memcached -m 250 -p 11211 -d -u nobody
</syntaxhighlight>
Here, memcached is configured to run as a daemon (<tt>-d</tt>) using 250 MB of cache (<tt>-m 250</tt>), listening on port 11211 (<tt>-p 11211</tt>), and running as the user <tt>nobody</tt> (<tt>-u nobody</tt>). Verify it after startup with <tt>ps -o user,args -C memcached</tt>: the first column must not be <tt>root</tt>.
====MySQL====
A typical MySQL installation has the MySQL server running as the user <tt>mysql</tt>. You can verify that setting using the <tt>ps</tt> command; the first column of the output is the user the <tt>mysqld</tt> process runs as:
:<syntaxhighlight lang="bash" enclose="div">
ps auxwww | grep mysql
</syntaxhighlight>
====Apache httpd server====
Set the <tt>User</tt> and <tt>Group</tt> directives in <tt>httpd.conf</tt> to values other than <tt>root</tt>. The parent <tt>httpd</tt> process still starts as <tt>root</tt> so that it can bind ports 80 and 443, but the child processes that handle requests switch to this user and group.
For example:
# Create a group called <tt>apache</tt> and add the user <tt>apache</tt> to that group.
# Set the values for <tt>User</tt> and <tt>Group</tt> in <tt>httpd.conf</tt> to <tt>apache</tt>
====Platform====
The {{EnterpriseBrand}} is based on Apache Tomcat. It can be run as a standalone AppServer or deployed behind the Apache <tt>httpd</tt> server. When run as a standalone server, the platform listens on ports 80 and 443 for HTTP and HTTPS requests. To run as a non-root user, the platform must be deployed behind Apache and must listen on ports above 1023, since ordinarily only the <tt>root</tt> user (or, on Linux, a process holding <tt>CAP_NET_BIND_SERVICE</tt>) can bind to the low-numbered ports. Apache then accepts the connections on ports 80 and 443 and forwards them to the platform's high port.
:''Learn more:'' [[Installing and Configuring Apache for Use with the Platform]]
When installing the {{EnterpriseBrand}}:
:1. Log in as the user <tt>tomcat</tt> instead of the user <tt>root</tt>.
: That way, the ownership and permissions for the installation folders are set up properly from the start.
After configuring the platform and Apache to work together:
:2. Create the group <tt>tomcat</tt> and add the user <tt>tomcat</tt> to it:
::<syntaxhighlight lang="bash" enclose="div">
/usr/sbin/groupadd tomcat
# -m creates the home directory; -d names it
/usr/sbin/useradd -g tomcat -m -d /home/tomcat tomcat
</syntaxhighlight>
:3. Change the password for the user <tt>tomcat</tt>:
::<syntaxhighlight lang="bash" enclose="div">
passwd tomcat
</syntaxhighlight>
:4. Change the ownership of the folder where the platform is installed to the user <tt>tomcat</tt>.
: For example, if the installation folder is <tt>/opt/softwareag/agileapps</tt>:
::<syntaxhighlight lang="bash" enclose="div">
chown -R tomcat:tomcat /opt/softwareag/agileapps
</syntaxhighlight>
:5. Restrict permission on the configuration folder to the user <tt>tomcat</tt>, so that no other account can read or modify the Tomcat configuration files:
::<syntaxhighlight lang="bash" enclose="div">
chmod -R 700 {agileapps}/tomcat/conf
</syntaxhighlight>
:6. Ensure that the user <tt>tomcat</tt> has sufficient permissions on the Temp Directory
<blockquote><ol type="a">
<li>If the Temp directory configured in the Service Provider Settings is <tt>/tmp</tt> (the default), ensure that everyone has read and write permissions on that folder while keeping the sticky bit (the leading <tt>1</tt>), which prevents users from deleting or renaming each other's files. Do not apply the change recursively, since that would make every existing file in <tt>/tmp</tt> world-writable:
:<syntaxhighlight lang="bash" enclose="div">
chmod 1777 /tmp
</syntaxhighlight></li>
<li> If upgrading an installation in which the Temp Directory configured in the Service Provider Settings is not <tt>/tmp</tt>, and is used exclusively by the platform, change the ownership of the folder to the user <tt>tomcat</tt>. For example, if the location is <tt>/var/platform_tmp</tt>:
:<syntaxhighlight lang="bash" enclose="div">
chown -R tomcat:tomcat /var/platform_tmp
</syntaxhighlight>
</li></ol>
</blockquote>
:7. Make it possible for the non-root user to run the startup command, and have the startup command become the user <tt>tomcat</tt> before starting the platform.
: To do that, change this line:
::<syntaxhighlight lang="bash" enclose="div">
{install-dir}/profiles/IS_default/bin/startup.sh
</syntaxhighlight>
: to
::<syntaxhighlight lang="bash" enclose="div">
sudo -u tomcat {install-dir}/profiles/IS_default/bin/startup.sh
</syntaxhighlight>
: The <tt>-u tomcat</tt> option makes <tt>sudo</tt> switch to the <tt>tomcat</tt> account instead of to <tt>root</tt>, so the platform process runs as <tt>tomcat</tt> no matter which account invokes the script. The invoking account needs a <tt>sudoers</tt> entry that permits running this script as <tt>tomcat</tt>. After startup, confirm with <tt>ps auxwww | grep tomcat</tt> that the Java process is owned by <tt>tomcat</tt> and not by <tt>root</tt>.
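Steps 2 to 6 above, collected into one script together with an audit of the result. This is an added example; it is not code from the original page or from the AgileApps product. It assumes GNU coreutils (<tt>stat -c</tt>, <tt>install</tt>), the installation folder <tt>/opt/softwareag/agileapps</tt> from step 4, a dedicated temp directory <tt>/var/platform_tmp</tt>, and an assumed Tomcat listen port of 8080 behind Apache; all four can be overridden through the environment. The <tt>provision</tt> function must run as root, while <tt>audit</tt> runs as any user and checks ownership, the <tt>conf</tt> mode, the temp directory, the listen port against the 1023 boundary described under Platform, and that neither the platform's Java process nor memcached is running as <tt>root</tt>.

```shell
#!/usr/bin/env bash
# Added example (not part of the original page or the AgileApps product):
# applies steps 2 to 6 of the procedure above and audits the result.
# Assumptions: GNU coreutils (stat -c, install), install dir
# /opt/softwareag/agileapps, a dedicated temp dir /var/platform_tmp and a
# Tomcat listen port of 8080 behind Apache (all overridable via environment).
# "provision" must run as root; the audit helpers run as any user.
set -u

SVC_USER="${SVC_USER:-tomcat}"
INSTALL_DIR="${INSTALL_DIR:-/opt/softwareag/agileapps}"
PLATFORM_TMP="${PLATFORM_TMP:-/var/platform_tmp}"
HTTP_PORT="${HTTP_PORT:-8080}"   # assumed high port Tomcat listens on behind Apache

# 0 if PORT is privileged (< 1024): binding it needs root or CAP_NET_BIND_SERVICE.
is_privileged_port() {
    [ "$1" -ge 0 ] && [ "$1" -lt 1024 ]
}

# 0 if FILE is owned by USER.
owned_by() {
    [ "$(stat -c '%U' "$1")" = "$2" ]
}

# 0 if FILE has exactly the octal MODE, special bits included (e.g. 1777).
mode_is() {
    [ "$(stat -c '%a' "$1")" = "$2" ]
}

# Print every process running as root whose command line matches PATTERN.
root_processes() {
    ps -eo user=,args= | awk -v pat="$1" '$1 == "root" && $0 ~ pat { print }'
}

# Steps 2 to 6: service account, ownership, config permissions, temp dir.
provision() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "provision: must run as root" >&2
        return 1
    fi
    getent group "$SVC_USER" >/dev/null || groupadd "$SVC_USER"
    id -u "$SVC_USER" >/dev/null 2>&1 \
        || useradd -g "$SVC_USER" -m -d "/home/$SVC_USER" "$SVC_USER"
    chown -R "$SVC_USER:$SVC_USER" "$INSTALL_DIR"
    chmod -R 700 "$INSTALL_DIR/tomcat/conf"
    if [ "$PLATFORM_TMP" = /tmp ]; then
        # Shared /tmp: world-writable with the sticky bit, never a recursive 777.
        chmod 1777 /tmp
    else
        # Dedicated temp dir: owned by the service user and private to it (assumed mode).
        install -d -o "$SVC_USER" -g "$SVC_USER" -m 700 "$PLATFORM_TMP"
    fi
}

# Audit: print every violated expectation; return non-zero if there is any.
audit() {
    local rc=0
    owned_by "$INSTALL_DIR" "$SVC_USER" \
        || { echo "FAIL: $INSTALL_DIR is not owned by $SVC_USER"; rc=1; }
    mode_is "$INSTALL_DIR/tomcat/conf" 700 \
        || { echo "FAIL: $INSTALL_DIR/tomcat/conf is not mode 700"; rc=1; }
    if [ "$PLATFORM_TMP" = /tmp ]; then
        mode_is /tmp 1777 || { echo "FAIL: /tmp is not mode 1777"; rc=1; }
    else
        owned_by "$PLATFORM_TMP" "$SVC_USER" \
            || { echo "FAIL: $PLATFORM_TMP is not owned by $SVC_USER"; rc=1; }
    fi
    if is_privileged_port "$HTTP_PORT"; then
        echo "FAIL: port $HTTP_PORT needs root to bind; use a port above 1023 behind Apache"
        rc=1
    fi
    # Neither the platform's Java process nor memcached may run as root.
    for pat in 'java.*agileapps' memcached; do
        if [ -n "$(root_processes "$pat")" ]; then
            echo "FAIL: process matching '$pat' runs as root"
            rc=1
        fi
    done
    return $rc
}

case "${1:-}" in
    provision) provision ;;
    audit)     audit ;;
esac
```

Save it under a name of your choice (for instance <tt>nonroot_platform.sh</tt>, a hypothetical name), run <tt>provision</tt> once as <tt>root</tt>, and run <tt>audit</tt> after each platform start; a non-zero exit from <tt>audit</tt> means a folder is still owned by <tt>root</tt>, the listen port is privileged, or a platform process is running as <tt>root</tt>. Step 7 (the <tt>sudo -u tomcat</tt> startup) is not automated here, because the <tt>sudoers</tt> rule it needs depends on which account starts the platform on your host.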
<noinclude>
[[Category:Installation]]
</noinclude>
Latest revision as of 11:55, 16 October 2019