Running the Platform as a Non-Root User

From AgileApps Support Wiki

Latest revision as of 11:55, 16 October 2019

As a good security practice, it is recommended that the platform and the software components it depends on run as users other than root, so that a compromised service is limited to that user's privileges rather than having full control of the host. This section explains how to run the platform as a non-root user. For information on creating a non-root MySQL user for Unix Common Tomcat Platform installations, see Creating a non-root MySQL User to Run Agile Apps.

Important: The installer needs the same privileges as the root user (for example, obtained through sudo) without actually running as root.

memcached

memcached accepts the command line argument -u {username}. When memcached is launched by root with that argument, it drops to the specified user after starting (memcached refuses to run as root unless -u is given). It is recommended that this username is set to nobody in the memcached startup command. For example:

/usr/local/bin/memcached -m 250 -p 11211 -d -u nobody

Here, memcached is configured to run as a daemon (-d) with 250 MB of cache (-m 250), listening on port 11211 (-p 11211), and running as the user nobody (-u nobody). After starting it, confirm with ps that the memcached process is owned by nobody and not by root.

MySQL

A typical MySQL installation runs the server process (mysqld) as the user mysql. You can verify that with the ps command; the USER column of the mysqld line should read mysql, not root:

ps auxwww | grep mysql

Apache httpd server

Set the User and Group directives in httpd.conf to values other than root. The httpd parent process still starts as root (it has to bind ports 80 and 443 and read the TLS private key), but the worker processes that actually handle requests run as the configured User and Group, so a root httpd parent alongside non-root workers in ps is the expected picture.

For example:

  1. Create a group called apache and add the user apache to that group.
  2. Set the values for User and Group in httpd.conf to apache.
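The ps check suggested for MySQL above applies to every service on this page. The script below is an added example (not part of the AgileApps wiki) that reads the process table in the form produced by `ps -eo user=,comm=` and reports each watched service that is still running as root. It assumes the process names memcached, mysqld, httpd and java (the Tomcat-based platform shows up as java) and the service users used on this page; for httpd a root parent next to apache workers is treated as normal, since only the workers handle requests, while a root memcached, mysqld or java process is always a violation.

```shell
#!/bin/sh
# Added example, not from the AgileApps wiki: audit which user each of the
# services on this page runs as, so the non-root configuration can be verified
# after the changes are applied. Assumptions: process names as they appear in
# the COMM column (memcached, mysqld, httpd, and "java" for the Tomcat-based
# platform) and the service users used on this page.
EXPECTED="memcached:nobody mysqld:mysql httpd:apache java:tomcat"

# classify NAME WANT: read "user comm" lines on stdin (the format produced by
# `ps -eo user=,comm=`) and print one of:
#   missing    no process named NAME
#   ok         every NAME process runs as WANT
#   ok-parent  a root process plus WANT processes (normal for httpd, whose
#              parent stays root while the workers run as User/Group)
#   violation  some NAME process runs as root or another unexpected user
classify() {
  awk -v name="$1" -v want="$2" '
    $2 == name {
      seen = 1
      if ($1 == want)        w = 1
      else if ($1 == "root") r = 1
      else                   o = 1
    }
    END {
      if (!seen)        print "missing"
      else if (o)       print "violation"
      else if (r && w)  print "ok-parent"
      else if (r)       print "violation"
      else              print "ok"
    }'
}

# audit: read the process table once, classify every expected service and
# return 1 if any service runs as the wrong user. A root parent is tolerated
# only for httpd; a root Tomcat, memcached or mysqld is always reported.
audit() {
  table="$(cat)"
  rc=0
  for pair in $EXPECTED; do
    svc="${pair%%:*}"
    want="${pair#*:}"
    status="$(printf '%s\n' "$table" | classify "$svc" "$want")"
    if [ "$status" = ok-parent ] && [ "$svc" != httpd ]; then
      status=violation
    fi
    if [ "$status" = violation ]; then
      rc=1
    fi
    printf '%-10s expected=%-8s %s\n' "$svc" "$want" "$status"
  done
  return "$rc"
}

# Constructed sample process table: memcached and the platform JVM were started
# as root (not yet fixed), MySQL is fine, httpd shows the normal root parent.
SAMPLE='root memcached
mysql mysqld
root httpd
apache httpd
apache httpd
root java'

if printf '%s\n' "$SAMPLE" | audit; then
  echo "all services run as their expected users"
else
  echo "fix the services marked violation, then re-run: ps -eo user=,comm= | audit"
fi
```

On the host, feed the live process table in with `ps -eo user=,comm= | audit`; the constructed SAMPLE at the bottom only demonstrates the report format and the non-zero exit status on a violation.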

Platform

The AgileApps Cloud platform is based on Apache Tomcat. It can be run as a standalone application server or deployed behind the Apache httpd server. When run standalone, the platform listens on ports 80 and 443 for HTTP and HTTPS requests. To run as a non-root user, the platform must be deployed behind Apache and must listen on a port above 1023, since by default only root can bind to ports below 1024; Apache then owns ports 80 and 443 and forwards requests to the platform's port.

Learn more: Installing and Configuring Apache for Use with the Platform

When installing the AgileApps Cloud platform:

1. Log in as the user tomcat (created in step 2) instead of as root.
    That way, the installation folders are created with the correct owner and permissions from the start.

After configuring the platform and Apache to work together:

2. Create the group tomcat and add the user tomcat to it:
/usr/sbin/groupadd tomcat
/usr/sbin/useradd -g tomcat -d /home/tomcat tomcat
3. Change the password for the user tomcat:
passwd tomcat
    A password is only required if someone will log in as tomcat directly (step 1). If commands are instead run as tomcat from an administrator account with sudo -u tomcat, the account can stay locked and can be created with a non-interactive shell (useradd ... -s "$(which nologin)", as earlier revisions of this page did), which removes one way of logging in to the host.
4. Change the ownership in the folder where the platform is installed to the user tomcat.
    For example, if the installation folder is /opt/softwareag/agileapps:
chown -R tomcat:tomcat /opt/softwareag/agileapps
5. Restrict permission on the configuration folder to the user tomcat:
chmod -R 700 {agileapps}/tomcat/conf
6. Ensure that the user tomcat has sufficient permissions on the Temp Directory
  1. If the Temp Directory configured in the Service Provider Settings is /tmp (the default), ensure that everyone has read and write permissions on that folder. /tmp normally already has mode 1777 (ls -ld /tmp shows drwxrwxrwt); verify that before changing anything. If the mode really is wrong, restore it with:
    chmod 1777 /tmp
    
    Do not run chmod -R 777 on /tmp: the -R makes every existing file in it world-writable, and 777 without the sticky bit (the leading 1) lets any user delete or rename other users' temporary files.
  2. If upgrading an installation in which the Temp Directory configured in the Service Provider Settings is not /tmp, and is used exclusively by the platform, change the ownership of the folder to the user tomcat. For example, if the location is /var/platform_tmp:
    chown -R tomcat:tomcat /var/platform_tmp
    
7. Make sure the platform is always started as the user tomcat, never as root. When the startup command is issued from another account, run it through sudo so the switch to tomcat happens before the platform starts.
    To do that, change this line:
{install-dir}/profiles/IS_default/bin/startup.sh
    to
sudo {install-dir}/profiles/IS_default/bin/startup.sh
    Note that a bare sudo runs the command as root; unless the startup script switches to tomcat itself, use sudo -u tomcat in front of the script instead. Either way, confirm afterwards with ps that the java process belongs to tomcat and not to root.
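Steps 2 to 7 above, collected into one re-runnable script with a dry-run mode. This is an added example, not the AgileApps wiki's own script. It assumes the service user and group are both tomcat, that $1 is the installation directory (the {install-dir} and {agileapps} placeholders above are taken to be the same path) and $2 the platform Temp Directory from the Service Provider Settings (default /tmp), and that the startup script does not switch user by itself. With DRY_RUN=1 every privileged command is printed instead of executed, so the plan can be reviewed before it is run as root; /tmp is verified rather than recursively chmod'ed, for the reason given in step 6.

```shell
#!/bin/sh
# Added example, not the AgileApps wiki's own script: steps 2 to 7 of the
# non-root procedure as one re-runnable script with a dry-run mode.
# Assumptions: service user/group "tomcat"; $1 is the installation directory
# ({install-dir} and {agileapps} taken to be the same path); $2 is the Temp
# Directory from the Service Provider Settings (default /tmp); startup.sh
# does not switch user itself. DRY_RUN=1 prints privileged commands instead
# of executing them.

# run CMD...: execute CMD, or just print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# mode_ok_for_tmp MODE: MODE is the first field of `ls -ld DIR`. True only for
# drwxrwxrwt (octal 1777, the normal mode of /tmp): world-writable *with* the
# sticky bit, so users can only remove their own files. `chmod -R 777 /tmp`
# would clear the sticky bit and make every existing file world-writable, so
# it is deliberately never issued here.
mode_ok_for_tmp() {
  case "$1" in
    drwxrwxrwt|drwxrwxrwt[.+@]) return 0 ;;   # trailing ./+/@ = SELinux/ACL/xattr marker
    *) return 1 ;;
  esac
}

# harden_install INSTALL_DIR [TMP_DIR]
harden_install() {
  install_dir="$1"
  tmp_dir="${2:-/tmp}"

  # Step 2: group and user (skipped when they already exist).
  getent group tomcat >/dev/null 2>&1 || run /usr/sbin/groupadd tomcat
  id tomcat >/dev/null 2>&1 || run /usr/sbin/useradd -g tomcat -d /home/tomcat tomcat
  # Step 3 (passwd tomcat) is interactive and left to the operator; it is not
  # needed when the platform is started with sudo -u tomcat as below.

  # Step 4: the installation belongs to the service user.
  run chown -R tomcat:tomcat "$install_dir"
  # Step 5: only tomcat can read the configuration (credentials, keystores).
  run chmod -R 700 "$install_dir/tomcat/conf"

  # Step 6: temp directory permissions.
  if [ "$tmp_dir" = /tmp ]; then
    mode="$(ls -ld /tmp | awk '{print $1}')"
    mode_ok_for_tmp "$mode" \
      || echo "WARNING: /tmp mode is $mode, expected drwxrwxrwt (chmod 1777 /tmp)" >&2
  else
    run chown -R tomcat:tomcat "$tmp_dir"
  fi
}

# Step 7: start the platform as tomcat. A bare `sudo startup.sh` would start
# the JVM as root; -u switches to the service user instead.
start_as_tomcat() {
  run sudo -u tomcat "$1/profiles/IS_default/bin/startup.sh"
}

# Dry run against the paths used in this section (nothing is changed on the
# host; drop DRY_RUN to apply the plan as root).
DRY_RUN=1
export DRY_RUN
harden_install /opt/softwareag/agileapps /var/platform_tmp
start_as_tomcat /opt/softwareag/agileapps
```

Run it first with DRY_RUN=1 as shown and read the printed plan; then run the two functions as root (or via sudo) with DRY_RUN unset. Step 1 of the procedure (installing while logged in as tomcat) is not scripted here.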