Running the Platform as a Non-Root User

From AgileApps Support Wiki

As a good security practice, it is recommended that the platform and the various software components that it required by the platform are run as a users other than root. This section explains about running the platform as a non-root user. For information on creating a non-root MySQL user in Unix Common Tomcat Platform installations, see Creating a non-root MySQL User to Run Agile Apps.

Warn.png

Important: The installer needs the same privileges as the root user, without actually being the root.

memcached

memcached accepts the command line argument –u {username}. With that argument, memcached assumes the identity of the specified user when running, after being launched by the root user. It is recommended that this username is set to nobody in the memcached startup command. For example:

<syntaxhighlight lang="java" enclose="div">

/usr/local/bin/memcached -m 250 -p 11211 -d -u nobody </syntaxhighlight>

Here, memcached is configured to run as a daemon using 250MB of cache, listening on port 11211, and running as the user nobody.

MySQL

A typical mysql installation has the mysql server running as the user mysql. You can verify that setting using the ps command:

<syntaxhighlight lang="java" enclose="div">

ps auxwww | grep mysql </syntaxhighlight>

Apache httpd server

Set the User and Group directives in httpd.conf to values other than root.

For example:

  1. Create a group called apache and add the user apache to that group.
  2. Set the values for User and Group in httpd.conf to apache

Platform

The AgileApps Cloud platform is based on Apache Tomcat. It can be run as a standalone AppServer or deployed behind the Apache httpd server. When run as a standalone server, the platform listens to ports 80 and 443 for http requests. To be run as a non-root user, the platform must be deployed behind Apache, and must be listening on ports > 1023 (since only the root user can bind to low-numbered ports).

Learn more: Installing and Configuring Apache for Use with the Platform

When installing the AgileApps Cloud platform:

1. Login as the user tomcat instead of user root.
    That way, the ownership and permissions for the installation folders are set up properly.

After configuring the platform and Apache to work together:

2. Create the group tomcat and add the user tomcat to it:
<syntaxhighlight lang="java" enclose="div">

/usr/sbin/groupadd tomcat /usr/sbin/useradd -g tomcat -d /home/tomcat tomcat </syntaxhighlight>

3. Change the password for the user tomcat:
<syntaxhighlight lang="java" enclose="div">

passwd tomcat </syntaxhighlight>

4. Change the ownership in the folder where the platform is installed to the user tomcat.
    For example, if the installation folder is /opt/softwareag/agileapps:
<syntaxhighlight lang="java" enclose="div">

chown -R tomcat:tomcat /opt/softwareag/agileapps </syntaxhighlight>

5. Restrict permission on the configuration folder to the user tomcat:
<syntaxhighlight lang="java" enclose="div">

chmod -R 700 {agileapps}/tomcat/conf </syntaxhighlight>

6. Ensure that the user tomcat has sufficient permissions on the Temp Directory
  1. If the Temp directory configured in the Service Provider Settings is /tmp (the default), ensure that everyone has read and write permissions on that folder:
    <syntaxhighlight lang="java" enclose="div">
    chmod –R 777 /tmp </syntaxhighlight>
  2. If upgrading an installation in which the Temp Directory configured in the Service Provider Settings is not /tmp, and is used exclusively by the platform, change the ownership of the folder to the user tomcat. For example, if the location is /var/platform_tmp:
    <syntaxhighlight lang="java" enclose="div">
    chown -R tomcat:tomcat /var/platform_temp </syntaxhighlight>
7.Make it possible for the non-root user to run the startup command
    to become user tomcat before starting the platform.
    To do that, change this line:
<syntaxhighlight lang="java" enclose="div">

{install-dir}/profiles/IS_default/bin/startup.sh </syntaxhighlight>

    to
<syntaxhighlight lang="java" enclose="div">

sudo {install-dir}/profiles/IS_default/bin/startup.sh </syntaxhighlight>