For some reason, when I SU to a user for JBoss to run, it still tries to use the home directory of the user I physically logged into before I used SU to write temporary files for JSP compilation.
The process goes like this:
- Log into OS with user "joe"
- Launch X (gnome)
- Run script in terminal that runs JBoss as user "jbossuser"
- JBoss runs successfully, because during initialization, it only accesses the
files inside the JBoss folder, which "jbossuser" is the owner of.
- Try to access JSP page.
- JBoss gives JSP compile error, which traces down to file.io error, because it cannot
find a temporary file it thought it created in "/home/joe"! "jbossuser" does not
have read/write access to "/home/joe", so naturally this is going to throw an exception.
When I SU as "jbossuer", "~" and "$HOME" both correctly map to "/home/jbossuser". "$home" maps to "/home/joe", so I exported it to "/home/jbossuser" before launching JBoss. This still didn't fix it.
Where is it getting the location for temporary files when it compiles JSP pages? How can we tell it to put the files elsewhere?
The only way I could get it to run successfully under the jboss user was to initially log in with that user. This is not acceptable since this user cannot SU as root, and giving it the ability to SU as root defeats the whole purpose of creating an ID that has minimal privileges. The idea is that if the web server is compromised, I want to limit the damage. This, of course, means that I absolutely want to do everything I can to ensure that access via "jbossuser" cannot be escalated to root.
Basically, I prefer to run the OS with X and JBoss in a terminal so I can see all output at any time, live. By logging in initially with a user that has the ability to SU as root, I can fullly administrate the server while JBoss continues to run.
Due to this problem my options are only to run JBoss under a user that can SU as root, which goes against the whole purpose of creating and using a user ID that has minimalistic privileges. Or, I can initially log in as the JBoss user, losing the ability to SU as root to administrate the server, something I do often (e.g., to change Apache configuration files.)
If I use the latter, then I have to take down JBoss, and thus my web sites, just to update something that has nothing to do with JBoss.
Forgot to mention this is JBoss 3.2.3 with Tomcat and Jasper.
It uses system property java.io.tmp.dir which if I remember correctly maps
to the TMPDIR environment variable.
I wish that were true, because all users have write access to the folder it points to: '/var/tmp'.
Unfortunately, it's trying to write then read a file in the home folder of the user I initially log into before I SU to 'jbossuser'. Thus, if I originally log in to user 'sam', then I get java.io errors while compiling JSP errors saying it can't find file '/home/sam/fileBlahBlahBlah'.
Since user B doesn't have access to user A's home folder, this can never work unless I find a way to override its current behavior.
Is anyone else having trouble compiling JSPs running under a very limitted JBoss user after doing an SU?
The working dir for tomcat can be set using the workDir attribute at the Host level in the jbossweb-tomcat41.sar/META-INF/jboss-service.xml Config attribute. This must be an absolute path on the platform, which for win32 requires the drive separator. *nix simply requires a leading /.
<attribute name="Config"> <Server> <Service name="JBoss-Tomcat"> <Engine name="MainEngine" defaultHost="localhost"> <Logger className="org.jboss.web.tomcat.Log4jLogger" verbosityLevel="debug" category="org.jboss.web.localhost.Engine"/> <Host name="localhost" workDir="C:/tmp/tomcat"> ...
I'll test this as soon as I can take the server down (production). But, I don't think this is the same thing.
Currently, when I don't use SU, it creates a work directory under the jboss tree, and this works fine. The compiled JSP pages go there. E.g.,
../jboss-3.2.3/server/default/work/MainEngine//<JSP servlet java and class files>
You can see this for all the hosts I have setup in the file you referred to.
When I use SU and a restricted user, it can't get far enouth to produce a servlet for the JSP. The temporary files where it is erroring on are very very temporary files, not the resulting Java and class files for the JSP pages that end up in the work folder. They have cryptic names, as you would expect for temporary files (something like 'fileX827SEJ8293'). They appear to be files Jasper is creating in the compile process.
Thus, the error says something like ...
java.io.BufferedInputStream... cannot read file "/home/sam/fileSKJ2354SJS3"
I'm going off the top of my head, but I'll copy and paste when I can take the server down and play with it again.
The formatter ate the host part, so here's a retry to print one of the lines in the previous message:
../jboss-3.2.3/server/default/work/MainEngine/(host)/(JSP servlet java and class files)
When you say you are using su are you using the -l option to run the user's
In a word, yes. I was using
su - jbossuser
And the man pages say that - is the same as -l.