
November 24, 2009

tomcat user runs fedora

Instructions from tomcat install

From tomcat manual
3.5. Running Tomcat as Non-Root User

I don't believe there are any issues with running Tomcat as root user. However, for the more security-conscious readers out there, here are some instructions on running Tomcat as a non-root user.

At this stage, the Tomcat packages, files and binaries are owned by root. We will first need to create a Tomcat user and group that will own these files, and under which Tomcat will run.

Tomcat User :: tomcat
Tomcat Group :: tomcat

Not too imaginative, huh? We will now create the Tomcat user and group. Open a terminal window and, as root,

# groupadd tomcat
# useradd -g tomcat -d /opt/tomcat tomcat
# passwd tomcat

Notice that we specified the home directory of Tomcat to be /opt/tomcat. Some people believe that this is good practice because it eliminates an additional home directory that needs to be administered.

Now, we will put everything in /opt/tomcat under Tomcat user and group. As root,

# chown -R tomcat:tomcat /opt/tomcat

If /opt/tomcat is a symlink to your Tomcat install directory, you'll need to do this:

# chown -R tomcat:tomcat /opt/jakarta-tomcat-5.x.xx

Verify that JAVA_HOME and CATALINA_HOME environment variables are set up for tomcat user, and you should be good to go.

Once the Tomcat binaries are under Tomcat user, the way you invoke it will be different. To start Tomcat,

# su - tomcat -c /opt/tomcat/bin/startup.sh

To stop Tomcat,

# su - tomcat -c /opt/tomcat/bin/shutdown.sh

In my case replace these commands with
su - tomcat -c /usr/local/fedora/tomcat/bin/startup.sh and
su - tomcat -c /usr/local/fedora/tomcat/bin/shutdown.sh

Also, be aware that your web applications will need to be deployed (i.e. copied to the web application directories) as user tomcat, instead of root. A little more hassle, but possibly a little safer too.
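
A way to check the result of the steps above, added here as an example and not taken from the Tomcat manual: audit_tree lists anything under the install directory that the tomcat account does not own (for instance a web application copied in as root) or that is world-writable, and tomcat_users reads a process listing to show which account the Tomcat JVM runs under. The function names and the sample process lines are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the Tomcat manual). Function names and SAMPLE_PS are assumptions.

# audit_tree DIR USER GROUP (names or numeric ids)
# Prints "OWNER <path>" for anything the service account does not own, such as a
# web application copied in as root, and "WORLD-WRITABLE <path>" for anything
# every local user can modify.
audit_tree() {
    local dir=$1 user=$2 group=$3
    # -H follows DIR itself when it is a symlink (/opt/tomcat pointing at the real
    # install directory) but not symlinks met further down the tree.
    find -H "$dir" \( ! -user "$user" -o ! -group "$group" \) -print | sed 's/^/OWNER /'
    find -H "$dir" ! -type l -perm -0002 -print | sed 's/^/WORLD-WRITABLE /'
}

# tomcat_users: reads `ps -e -o user= -o args=` output on stdin and prints each
# distinct account running Tomcat's launcher class.
tomcat_users() {
    awk '/org\.apache\.catalina\.startup\.Bootstrap/ { print $1 }' | sort -u
}

# runs_as_root: exit 0 when any Tomcat JVM in the listing on stdin belongs to root.
runs_as_root() {
    tomcat_users | grep -qx 'root'
}

# Constructed process listing, so the functions can be tried without a live server.
SAMPLE_PS='root   /usr/bin/java -classpath /opt/tomcat/bin/bootstrap.jar org.apache.catalina.startup.Bootstrap start
tomcat /usr/bin/java -classpath /opt/tomcat/bin/bootstrap.jar org.apache.catalina.startup.Bootstrap start
root   /usr/sbin/sshd -D'

# On a real host:
#   audit_tree /opt/tomcat tomcat tomcat
#   ps -e -o user= -o args= | runs_as_root && echo "Tomcat is still running as root"
```

An empty result from audit_tree means the chown covered the whole tree, including the target of the /opt/tomcat symlink.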

Lines added to /etc/profile

The tomcat user needed access to a few environment variables, so I added the following lines to /etc/profile:

# User specific aliases and functions
export JAVA_HOME=/usr/lib/jvm/jre-1.6.0-openjdk.x86_64
export FEDORA_HOME=/usr/local/fedora
export PATH=$PATH:$FEDORA_HOME/server/bin:$FEDORA_HOME/client/bin:$JAVA_HOME/bin
export UWDCUTIL_HOME=/usr/local/uwdcutils-1.0

November 17, 2009

Problem getting to localhost website on my Mac after Snow Leopard

I got a 403 when trying to reach localhost. Solution from: techtrouts.com
Mac OS X 10.5: Web Sharing – “Forbidden 403” on http://localhost/~username
If, usually after installing/upgrading your mac, you can’t access your ~/Sites folder on your browser
( http://localhost/~username , where username is your mac username):
* Open a Terminal and $ sudo nano /private/etc/apache2/httpd.conf ;
* ctrl+w (where is) : “<Directory />” ;
* Alter the line below from “Deny from all” to “Allow from all”;
* ctrl+x and y to save;
* now $ sudo httpd -k restart to restart your Apache 2 server;

Then I got the error:
httpd: Syntax error on line 459 of /private/etc/apache2/httpd.conf: Syntax error on line 15 of /private/etc/apache2/extra/httpd-userdir.conf: Syntax error on line 8 of /private/etc/apache2/users/+entropy-php.conf: Cannot load /usr/local/php5/libphp5.so into server: dlopen(/usr/local/php5/libphp5.so, 10): no suitable image found. Did find:\n\t/usr/local/php5/libphp5.so: no matching architecture in universal wrapper
Fixed this by changing:
LoadModule php5_module /usr/local/php5/libphp5.so
to:
LoadModule php5_module libexec/apache2/libphp5.so
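
The <Directory /> block edited in the quoted steps applies to the whole filesystem, so setting it to "Allow from all" removes Apache's default deny for every directory that has no more specific block of its own, not only ~/Sites. The check below is an added example, not part of the quoted solution or of the original post: it reports what the root block currently grants. The function names and the sample configuration are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: report what <Directory /> grants. The sample config is constructed.

# root_dir_access FILE -> the Order/Allow/Deny lines inside <Directory />,
# with commented-out directives skipped
root_dir_access() {
    awk '
        /^[ \t]*#/ { next }
        tolower($0) ~ /^[ \t]*<directory[ \t]+"?\/"?[ \t]*>/ { inroot = 1; next }
        tolower($0) ~ /^[ \t]*<\/directory>/               { inroot = 0 }
        inroot && tolower($0) ~ /^[ \t]*(order|allow|deny)[ \t]/ {
            sub(/^[ \t]+/, ""); print
        }
    ' "$1"
}

# root_dir_open FILE -> exit 0 when the root block contains "Allow from all"
root_dir_open() {
    root_dir_access "$1" | grep -Eiq '^allow[[:space:]]+from[[:space:]]+all[[:space:]]*$'
}

# write_sample_conf FILE RULE: constructed httpd.conf fragment with RULE placed in
# the root block and a separate, narrower block for one Sites folder
write_sample_conf() {
    cat > "$1" <<EOF
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order deny,allow
    # Allow from all
    $2
</Directory>
<Directory "/Users/username/Sites/">
    Order allow,deny
    Allow from all
</Directory>
EOF
}

# On a real host:
#   root_dir_open /private/etc/apache2/httpd.conf && echo "root block is open"
```

The "Allow from all" inside the /Users/username/Sites/ block is not reported, because only the root block is inspected.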

Reaching the Fedora Repository from a remote box ... localhost issue

I was trying to contact a fedora box from a remote box and I had the problem that when I hit links within Fedora, the word "localhost" kept appearing in the URL. This resolved to a "404" because Fedora is not on my box. I fixed this by editing:
$FEDORA_HOME/server/config/fedora.fcfg
and changing the line:
<param name="fedoraServerHost" value="localhost">
In the line above, I replaced the word "localhost" with the actual IP address.

November 13, 2009

Turning XACML ON and OFF in Fedora

2.1 Enabling/Disabling XACML Policy Enforcement

To enable/disable XACML policy enforcement in Fedora, use the Fedora configuration file (fedora.fcfg). Whether Fedora uses XACML for authorization decisions is controlled by the ENFORCE-MODE parameter in the Authorization module:

<param name="ENFORCE-MODE" value="enforce-policies"/>

The ENFORCE-MODE parameter can contain one of three values, with the following meanings:
1. enforce-policies – enable XACML enforcement to determine whether a request is permitted or denied
2. permit-all-requests – disable XACML enforcement; PERMIT every request by default
3. deny-all-requests – disable XACML enforcement; DENY every request by default

The enforce-policies setting is used to enable the enforcement of XACML policies, and is the default setting for a Fedora repository. The permit-all-requests setting can facilitate testing code independent of security. The deny-all-requests setting can be used to quickly shut down access to the server, but requires a server restart to effect this. Tomcat container security is, of course, still a first barrier to authentication/authorization (i.e., Fedora's Tomcat web.xml specifies access protection earlier than XACML). Tomcat container security is always in place regardless of the setting for parameter ENFORCE-MODE.

See Fedora Commons on XACML.
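
To confirm which of the three modes a repository is actually configured with, for example after permit-all-requests was used for testing, the setting can be read straight from fedora.fcfg. This is an added example, not part of the Fedora documentation quoted above. The function names and the sample file are constructed, and the same helper reads the fedoraServerHost parameter mentioned in the November 17 post.

```shell
#!/usr/bin/env bash
# Added example: report how fedora.fcfg sets ENFORCE-MODE. The sample file is constructed.

# fcfg_param FILE NAME -> value of the first uncommented <param name="NAME" value="...">
fcfg_param() {
    # Drop one-line comments, then multi-line comment blocks, so a commented-out
    # <param> left over from testing is not mistaken for the live setting.
    sed -e 's/<!--.*-->//g' -e '/<!--/,/-->/d' "$1" |
        sed -n 's/.*<param[[:space:]]\{1,\}name="'"$2"'"[[:space:]]\{1,\}value="\([^"]*\)".*/\1/p' |
        head -n 1
}

# check_enforce_mode FILE -> one-line verdict; exit status 0 only when XACML is enforced
check_enforce_mode() {
    local mode
    mode=$(fcfg_param "$1" ENFORCE-MODE)
    case "$mode" in
        enforce-policies)    echo "OK enforce-policies: XACML decides each request" ;;
        permit-all-requests) echo "WARN permit-all-requests: XACML off, only Tomcat container security applies"; return 1 ;;
        deny-all-requests)   echo "INFO deny-all-requests: XACML off, every request denied"; return 2 ;;
        *)                   echo "UNKNOWN ENFORCE-MODE '${mode}' in $1"; return 3 ;;
    esac
}

# write_sample_fcfg FILE MODE: constructed fragment (not a full fedora.fcfg) for
# trying the functions offline
write_sample_fcfg() {
    cat > "$1" <<EOF
<server>
  <param name="fedoraServerHost" value="localhost"/>
  <module>
    <!-- <param name="ENFORCE-MODE" value="permit-all-requests"/> -->
    <param name="ENFORCE-MODE" value="$2"/>
  </module>
</server>
EOF
}

# On a real host:
#   check_enforce_mode "$FEDORA_HOME/server/config/fedora.fcfg"
```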

November 3, 2009

DC Metadata fields used by UMN DSPACE instances: