Friday, March 28, 2008

Tomcat init startup script and su for restricted users...

Normally, when I create init scripts in linux, I simply look for one written by someone who has taken the time to create one. A couple quick google searches and I'm in like Flynn.

I found a few some time ago for Apache Tomcat for our SmashedApples.com concept. Most were either over-written to include tcp/ip jive that would have been overdoing it for EC2, or the scripts were poorly written. The one I chose was incomplete. I needed to re-write large chunks of it, and ran into a couple of problems along the way. What I ended up with wasn't exactly the greatest script in the world, but it works and gets the job done.

Also, in the past, if a startup script called for another user, I'd simply create the user and get to a point where I could log in as that user, make the password ridiculous, and restrict use of the system for/by that user. WELL, in EC2 you can create new users and allow them to login via ssh, but it's not suggested. That makes sense. So I discovered a little argument to the "su" command that I've either never heard of, or simply forgot about.... at 30 I'm starting to lose the ol' marbles.

I ran groupadd to add my 'tomcat' group.
useradd my 'tomcat' user.
chown/grpown to take ownership of my tomcat directory.
created and edited my init.d script.

To stay within the EC2 security paradigm, when I added the tomcat user, the "-s" argument looked like this:
-s "/sbin/nologin"
... something I'd never done before.

Started testing through everything and when running the 'su' command to execute tomcat I was getting an error that said, "This account is currently not available." Makes sense. /sbin/nologin instead of bash or the like.

I did searches for about15 minutes... 15 minutes too long IMO. So, without further ado, let me introduce you to a nice little su argument that I didn't see in my man pages (well... i should learn to use the man pages in my os instead of a google search). "-s" If you execute su as root, you can bypass /etc/passwd with this smooth little arg. "-p" preserves the environment variables, which are definitely needed... ahem... JAVA_HOME!

su -p -s /bin/sh tomcat -c "wget http://smashedwebapps.s3.amazonaws.com/smashedwebapps.zip -O /opt/blazeds/tomcat/webapps/smashedwebapps.zip"

(o.k., so showing the random wget command is semi-worthless, but you get the point. do the same thing for "catalina start" or "startup" or whatever you're trying to do. fyi: we run that wget command so that brian (le mieux FLEX developer du monde) could simply slap all our webapps code into a zip file and upload it into an s3 bucket.) The point is, now we have a totally secure and loving model of tomcat running on an EC2 instance at startup (or at least will when the ol' symbolic links are made in the correct runlevels... MAKE SURE TO INCLUDE RUNLEVEL 4, just in case!... I could be full of it but I think EC2 uses XEN for these virtual machines. I haven't tested through, and sure inittab say default is 3, but I'm crazy and did 4 as well.)

Anyway, life is good. Go team!

No comments:

ShareThis