SU jbossuser temporary file problem
erik777 Apr 13, 2004 5:29 AMFor some reason, when I SU to a user for JBoss to run, it still tries to use the home directory of the user I physically logged into before I used SU to write temporary files for JSP compilation.
The process goes like this:
- Log into OS with user "joe"
- Launch X (gnome)
- Run script in terminal that runs JBoss as user "jbossuser"
- JBoss runs successfully, because during initialization, it only accesses the
files inside the JBoss folder, which "jbossuser" is the owner of.
- Try to access JSP page.
- JBoss gives JSP compile error, which traces down to file.io error, because it cannot
find a temporary file it thought it created in "/home/joe"! "jbossuser" does not
have read/write access to "/home/joe", so naturally this is going to throw an exception.
When I SU as "jbossuer", "~" and "$HOME" both correctly map to "/home/jbossuser". "$home" maps to "/home/joe", so I exported it to "/home/jbossuser" before launching JBoss. This still didn't fix it.
Where is it getting the location for temporary files when it compiles JSP pages? How can we tell it to put the files elsewhere?
The only way I could get it to run successfully under the jboss user was to initially log in with that user. This is not acceptable since this user cannot SU as root, and giving it the ability to SU as root defeats the whole purpose of creating an ID that has minimal privileges. The idea is that if the web server is compromised, I want to limit the damage. This, of course, means that I absolutely want to do everything I can to ensure that access via "jbossuser" cannot be escalated to root.
IMPACT:
Basically, I prefer to run the OS with X and JBoss in a terminal so I can see all output at any time, live. By logging in initially with a user that has the ability to SU as root, I can fullly administrate the server while JBoss continues to run.
Due to this problem my options are only to run JBoss under a user that can SU as root, which goes against the whole purpose of creating and using a user ID that has minimalistic privileges. Or, I can initially log in as the JBoss user, losing the ability to SU as root to administrate the server, something I do often (e.g., to change Apache configuration files.)
If I use the latter, then I have to take down JBoss, and thus my web sites, just to update something that has nothing to do with JBoss.