# How to install tomcat8 as a non-root user in FreeBSD 10.1



## Shanmu (Apr 1, 2016)

Hi Friends,

I would like to install tomcat8 as a non-root user in freebsdFreeBSD 10.1.

Can some one please help me with procedure.

Thanks in advance

Regards
Shanmu


----------



## SirDice (Apr 1, 2016)

Never tried this myself actually, not even sure it's possible. The install does a few chown(8) on certain files and a user account is not allowed to do that. Why do you want to do this? You should be able to install it normally, then use it on a user account. But the install probably has to be done as root.


----------



## Shanmu (Apr 1, 2016)

My security advice team is asking it be mandatory to run as non privilege user as it is high priority vulnerability finding and they have evidence to demonstrate how the system can be compromised  if the tomcat is running as root user.


----------



## SirDice (Apr 1, 2016)

Tomcat won't be running as the root user. It may start as root but as soon as possible it will drop privileges to a non-privileged account (usually www).


----------



## Shanmu (Apr 1, 2016)

looks like it is running as root.

```
root@hd1:~ # ps aux | grep tomcat

root  6420   0.0  0.1   18804   1876  0  S+    5:38PM    0:00.03 grep tomcat

root   699   0.0 47.2 2800556 978196  1- I    Wed07PM   21:20.50 /usr/local/openjdk8/bin/java -Djava.util.logging.config.file=/usr/local/apache-tomcat-8.0/conf/logging.properties -Djava.util

root@hd1:~ #
root@hd1:~ # sockstat | grep 8080

root     java       2945  32 tcp4   10.200.1.56:32888     10.200.1.62:8080

root     java       2945  33 tcp4   10.200.1.56:36275     10.200.1.62:8080

root     java       2945  41 tcp4   10.200.1.56:20444     10.200.1.62:8080

root     java       699   47 tcp4 6 *:8080                *:*

root@hd1:~ #
```


----------



## SirDice (Apr 1, 2016)

What's in /etc/rc.conf for tomcat?


----------



## dpejesh (Apr 1, 2016)

Are you using www/tomcat8 from the ports tree?  If so you should be using the rc script which will run tomcat with jsvc to open any privileged sockets and then drop to the www user.


```
$ ps aux | grep tomcat
root       92745   0.0  0.2   16692   2104  -  Is   Mon11PM    0:00.00 /usr/local/bin/jsvc -java-home /usr/local/openjdk8 -server -user www -pidfile /var/run/tomcat8.pid ...
www        93082   0.0 44.6 2153492 456580  -  S    Mon11PM   21:53.20 /usr/local/bin/jsvc -java-home /usr/local/openjdk8 -server -user www -pidfile /var/run/tomcat8.pid ...

$ cat /etc/rc.conf.d/tomcat8
tomcat8_java_opts="-Xms512m -Xmx512m -XX:MaxPermSize=256m -Djava.security.krb5.conf=/etc/krb5.conf -Didp.home=/usr/local/shibboleth3-idp"
tomcat8_catalina_base="/usr/local/shibboleth3-idp/catalina"
tomcat8_wait="300"
tomcat8_enable="YES"

$ sockstat -4l | grep www 
www      jsvc       93082 21 tcp4 6 *:17686               *:*
www      jsvc       93082 22 tcp4 6 *:9001                *:*
www      jsvc       93082 23 tcp4 6 *:17687               *:*
www      jsvc       93082 54 tcp4   *:80                  *:*
www      jsvc       93082 55 tcp4   *:443                 *:*
www      jsvc       93082 56 tcp4 6 *:8443                *:*
```


----------



## SirDice (Apr 1, 2016)

dpejesh said:


> Are you using www/tomcat8 from the ports tree?


Good point! Looking at some of the paths (-Djava.util.logging.config.file=/usr/local/apache-tomcat-8.0/conf/logging.properties for example) I'm guessing he used the source, not the port. And that's probably where the problem originates. 

Use the port or package.

Handbook: Chapter 4. Installing Applications: Packages and Ports


----------



## Shanmu (Apr 2, 2016)

Installation was done using `pkg install tomcat8`

This is my rc.conf file.

```
root@hd1:/etc/rc.d # more /etc/rc.conf
hostname=“abc”
ifconfig_em0="inet 10.200.1.56 netmask 255.255.255.0"
defaultrouter="10.200.1.250"
sshd_enable="YES"
redis_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
root@hd1:/etc/rc.d #
```
I don't have /etc/rc.conf.d/tomcat8 - why is this required.

The requirement is I need to make the tomcat8 run as non privileged user.

Thanks...


----------



## SirDice (Apr 4, 2016)

`echo tomcat8_enable="YES" >> /etc/rc.conf`
`service tomcat8 start`


----------



## Shanmu (Apr 5, 2016)

`echo tomcat8_enable="YES" >> /etc/rc.conf`     - Solved the issue

Finally I understood, if we manually run Java - it is staring as root and if we allow the default start by putting entry ..then it is using jsvc and runs as user www

```
root@hd1:~ # sockstat
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS      
root     sshd       4538  3  tcp4   10.200.1.56:22        192.168.11.125:55017
www      jsvc       4082  49 tcp4 6 *:8080                *:*
```
Thanks friends....


----------

