Running the Platform as a Non-Root User

From LongJump Support Wiki

As a good security practice, it is recommended that the platform and the various software components it requires are run as users other than root. This section explains what you need to do.

memcached

memcached accepts the command line argument -u {username}. With that argument, memcached assumes the identity of the specified user when running, after being launched by the root user. It is recommended that this username be set to nobody in the memcached startup command. For example:

/usr/local/bin/memcached -m 250 -p 11211 -d -u nobody

Here, memcached is configured to run as a daemon using 250MB of cache, listening on port 11211, and running as the user nobody.

MySQL

A typical MySQL installation runs the MySQL server as the user mysql. You can verify that setting with the ps command (the first column of the output is the user the process runs as):

ps auxwww | grep mysql

Apache httpd server

Set the User and Group directives in httpd.conf to values other than root.

For example:

  1. Create a group called apache and add the user apache to that group.
  2. Set the values for User and Group in httpd.conf to apache.

LongJump

The LongJump platform is based on Apache Tomcat. It can be run as a standalone AppServer or deployed behind the Apache httpd server. When run as a standalone server, the platform listens on ports 80 and 443 for HTTP requests. To run as a non-root user, the platform must be deployed behind Apache and must listen on ports above 1023, since only the root user can bind to low-numbered ports.

Learn more: Installing and Configuring Apache for Use with the Platform

After configuring the platform and Apache to work together:

1. Create the group tomcat and add the user tomcat to it:
/usr/sbin/groupadd tomcat
/usr/sbin/useradd -g tomcat -d /home/tomcat tomcat
2. Change the password for the user tomcat:
passwd tomcat
3. Change the ownership in the folder where the platform is installed to the user tomcat.
    For example, if the platform is installed in the folder /usr/local/longjump_app_server:
chown -R tomcat:tomcat /usr/local/longjump_app_server
4. Restrict permission on the configuration folder to the user tomcat:
chmod -R 700 /usr/local/longjump_app_server/tomcat/conf
5. If upgrading an installation in which the Documents Directory folder configured in the Service Provider Settings is
    located in a folder other than the installation directory (the default location), then change the ownership of that
    folder to the user tomcat. For example, if the location is /var/platform_documents:
chown -R tomcat:tomcat /var/platform_documents
6. Ensure that the user tomcat has sufficient permissions on the Temp Directory:
  1. If the Temp directory configured in the Service Provider Settings is /tmp (the default), ensure that everyone has read and write permissions on that folder:
    chmod -R 777  /tmp
    Check first with ls -ld /tmp: a standard /tmp already shows drwxrwxrwt (mode 1777, world-writable with the sticky bit set so users cannot remove each other's files), and a plain chmod 777 clears that sticky bit.

  2. If upgrading an installation in which the Temp Directory configured in the Service Provider Settings is not /tmp, and is used exclusively by the platform, change the ownership of the folder to the user tomcat. For example, if the location is /var/platform_tmp:
    chown -R tomcat:tomcat /var/platform_tmp

7. When installing LongJump, log in as the user tomcat instead of the user root.
    That way, the ownership and permissions for the installation folders are set up properly.
8. The platform is started using the command {appserver_files}/scripts/longjump start.
    To allow that script to be run by the root user, modify the script {appserver_files}/scripts/longjump
    to become user tomcat before starting the platform.
    To do that, change this line:
$CATALINA_HOME/bin/startup.sh
    to
su - tomcat -c "$CATALINA_HOME/bin/startup.sh"
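After the steps above, it is worth verifying that each component actually ended up running as intended. The script below is an added example, not part of the LongJump wiki or the platform's own scripts: the helper names (runs_as, httpd_user_ok, connector_ports_ok) and the ps output, httpd.conf and server.xml excerpts are constructed for illustration, and it assumes each Tomcat connector's port attribute sits on the same line as its <Connector tag.

```shell
#!/bin/sh
# Added audit helper, not from the LongJump wiki or the platform. Each check
# takes text (ps output, httpd.conf, server.xml) so it works on captured files
# as well as live output; the samples at the bottom are constructed.

# 0 if at least one process whose command (column 11 of `ps auxwww`) matches
# PATTERN appears in PS_OUT and every such process runs as user WANT.
runs_as() {
  ps_out=$1 pattern=$2 want=$3
  printf '%s\n' "$ps_out" | awk -v pat="$pattern" -v want="$want" '
    $11 ~ pat { n++; if ($1 != want) bad++ }
    END { if (n == 0 || bad > 0) exit 1; exit 0 }'
}

# 0 if the httpd.conf text sets both User and Group to something other than
# root; commented-out directives do not count.
httpd_user_ok() {
  printf '%s\n' "$1" | awk '
    /^[ \t]*#/    { next }
    $1 == "User"  { gsub(/"/, "", $2); u = $2 }
    $1 == "Group" { gsub(/"/, "", $2); g = $2 }
    END { if (u == "" || g == "" || u == "root" || g == "root") exit 1; exit 0 }'
}

# 0 if every <Connector ... port="N"> in the server.xml text has N > 1023, the
# range the unprivileged tomcat user can bind. Assumes the port attribute is on
# the same line as <Connector (true for the stock server.xml layout).
connector_ports_ok() {
  printf '%s\n' "$1" | grep '<Connector' | grep -o '[[:space:]]port="[0-9]*"' |
    tr -dc '0-9\n' | awk '
    { n++; if ($1 + 0 <= 1023) bad++ }
    END { if (n == 0 || bad > 0) exit 1; exit 0 }'
}

# Constructed samples describing a correctly configured host.
SAMPLE_PS='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 2000 500 ? Ss 10:00 0:00 /sbin/init
nobody 201 0.0 1.2 30000 12000 ? Ssl 10:01 0:00 /usr/local/bin/memcached -m 250 -p 11211 -d -u nobody
mysql 305 0.1 5.0 400000 90000 ? Sl 10:01 0:02 /usr/sbin/mysqld
tomcat 410 1.0 8.0 900000 200000 ? Sl 10:02 0:30 /usr/bin/java org.apache.catalina.startup.Bootstrap start'
SAMPLE_HTTPD_CONF='User apache
Group "apache"'
SAMPLE_SERVER_XML='<Server port="8005" shutdown="SHUTDOWN">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
</Server>'

runs_as "$SAMPLE_PS" memcached nobody && runs_as "$SAMPLE_PS" mysqld mysql &&
  runs_as "$SAMPLE_PS" java tomcat && httpd_user_ok "$SAMPLE_HTTPD_CONF" &&
  connector_ports_ok "$SAMPLE_SERVER_XML" && echo "sample host passes all checks"
```

For a live host, pass "$(ps auxwww)" and the contents of your httpd.conf and the platform's server.xml in place of the samples.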