Path: csiph.com!x330-a1.tempe.blueboxinc.net!usenet.pasdenom.info!news.albasani.net!.POSTED!not-for-mail
From: Lew <noone@lewscanon.com>
Newsgroups: comp.lang.java.programmer
Subject: Re: File uploaded under 'nobody' uid on linux
Date: Thu, 19 May 2011 22:10:24 -0400
Organization: albasani.net
Lines: 39
Message-ID: <ir4iih$fos$1@news.albasani.net>
References: <4b17d468-3056-4dc2-b1bb-5124ec077589@v10g2000yqn.googlegroups.com> <ir2p4n$kf4$2@lust.ihug.co.nz> <ir34lt$eqj$1@news.albasani.net> <nospam-9D2A2B.20511619052011@news.aioe.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Trace: news.albasani.net 5hjATDeqm74pTVOasdGFfRRUa86VA0doiWNdH7sntcc1ozI1baRJZ4/i6LIgbbYIcIYGnEKHDKLj+gCOdg64TRVw8/e4heAYvVpZzvr2tU4ItY+kcamoIvzhC1SK/9Gy
NNTP-Posting-Date: Fri, 20 May 2011 02:10:25 +0000 (UTC)
Injection-Info: news.albasani.net; logging-data="wS8/3WrZ1Kf/EXwqElqjNDXzWV9HrSLgPA6V3FMIlDWsSPEXF7+CMs3JBCXMJ0Gd5jyIJaQn64QFz3s2W9EIsdg8a8eytSNuRqX1FmKAwVprzsh8SzlMgqAfDl6XQTra"; mail-complaints-to="abuse@albasani.net"
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.17) Gecko/20110424 Thunderbird/3.1.10
In-Reply-To: <nospam-9D2A2B.20511619052011@news.aioe.org>
Cancel-Lock: sha1:yroI24Wppd7oH7lGUaFFPX43QFs=
Xref: x330-a1.tempe.blueboxinc.net comp.lang.java.programmer:4327

John B. Matthews wrote:
> Lew wrote:
>> Lawrence D'Oliveiro wrote:
>>> ruds wrote:
>>>> Now, please tell me what should I do so that whenever files are
>>>> uploaded they are stored with the user's name where all code and
>>>> other files are stored.
>>>
>>> On way is to activate this mechanism
>>> <http://httpd.apache.org/docs/current/suexec.html>.

>> The OP has not stated that he's using httpd.

> Lew: This point is well taken, but the article _does_ outline the
> (myriad) security issues that ruds should consider.
>
> ruds: If you don't use httpd/suEXEC, you're likely going to have to
> create something similar.

I use Tomcat a lot.  I always run it as a non-privileged user, with the 
installation directory tree under that same user's ownership.  This "nobody" 
issue has never arisen under that configuration for me.

I also run it as a multi-instance installation
<http://tomcat.apache.org/tomcat-6.0-doc/introduction.html>
<http://tomcat.apache.org/tomcat-7.0-doc/introduction.html>
"Optionally, Tomcat may be configured for multiple instances by defining 
$CATALINA_BASE for each instance."

One useful approach is to set CATALINA_BASE to $HOME/.tomcat or similar 
directory within the home directory of each designated Tomcat user.

See the section "Advanced Configuration - Multiple Tomcat Instances" in the 
$CATALINA_HOME/RUNNING.txt file.

-- 
Lew
Honi soit qui mal y pense.
http://upload.wikimedia.org/wikipedia/commons/c/cf/Friz.jpg