File uploaded under 'nobody' uid on linux

ruds

Hi,
I have a web application in which users upload files and later I
convert them to pdf's using jodconverter.
What I have found is, when users upload files they are stored under
'nobody's' uid on linux.
Let me give you a background of my webapp.
tomcat is under /root/apache* directory, I have given a link to actual
source files and uploaded files stored in the webapps directory of
apache.
The actual files are stored under another user's home/projects
directory.
So when a web user uploads some files it is being stored at above
mentioned location and when I want to convert the files to pdf I am
not having write permissions to the files as the UID for these files
is 65534.
Now, please tell me what should I do so that whenever files are
uploaded they are stored with the user's name where all code and other
files are stored.
 
Lew

ruds said:
I have a web application in which users upload files and later I
convert them to pdf's [sic] using jodconverter.
What I have found is, when users upload files they are stored under
'nobody's' [sic] uid on linux [sic].
Let me give you a background of my webapp.
tomcat is under /root/apache* directory, I have given a link to actual
source files and uploaded files stored in the webapps directory of
apache.
The actual files are stored under another user's home/projects
directory.
So when a web user uploads some files it is being stored at above
mentioned location and when I want to convert the files to pdf I am
not having write permissions to the files as the UID for these files
is 65534.
Now, please tell me what should I do so that whenever files are
uploaded they are stored with the user's name where all code and other
files are stored.

That depends in great measure on the deployment environment (Tomcat?
WebSphere?), but ultimately on what user ID the application runs under.
Presumably it's running as 'nobody', right?

This is actually a Linux question - check your HOW-TOs and the documentation
for your application server. I usually just run the startup script under the
desired user ID.

Another thing you can do is run a 'chmod' script that's setuid to root.
 
Lew

ruds said:
I have a web application in which users upload files and later I
convert them to pdf's [sic] using jodconverter.
What I have found is, when users upload files they are stored under
'nobody's' [sic] uid on linux [sic].
Let me give you a background of my webapp.
tomcat is under /root/apache* directory, I have given a link to actual
source files and uploaded files stored in the webapps directory of
apache.
The actual files are stored under another user's home/projects
directory.
So when a web user uploads some files it is being stored at above
mentioned location and when I want to convert the files to pdf I am
not having write permissions to the files as the UID for these files
is 65534.
Now, please tell me what should I do so that whenever files are
uploaded they are stored with the user's name where all code and other
files are stored.

That depends in great measure on the deployment environment (Tomcat?
WebSphere?), but ultimately on what user ID the application runs under.
Presumably it's running as 'nobody', right?

This is actually a Linux question - check your HOW-TOs and the documentation
for your application server. I usually just run the startup script under the
desired user ID.

Another thing you can do is run a 'chmod' script that's setuid to root.

Oops - 'chown' script. Or both.
 
ruds

When I execute the ps command, this is what I get:
root 9161 1 0 May16 ? 00:03:04
-classpath /root/apache-tomcat-6.0.29/bin/tomcat-juli.jar:/root/apache-
tomcat-6.0.29/bin/bootstrap.jar:/root/apache-tomcat-6.0.29/webapps
/FIR/WEB-INF/classes -Dcatalina.base=/root/apache-tomcat-6.0.29 -
Dcatalina.home=/root/apache-tomcat-6.0.29/bin -Djava.io.tmpdir=/root/
apache-tomcat-6.0.29/temp org.apache.catalina.startup.Bootstrap start

So isn't Tomcat running under root?
I have given a link to another location from the /root/apchec*/webapps
directory which is present in another user's home.
So, when my webapp is storing documents shouldn't it store under this
user's id or root's by default? How come the uid is that of nobody?
 
Nigel Wade

When I execute the ps command, this is what I get:
root 9161 1 0 May16 ? 00:03:04
-classpath /root/apache-tomcat-6.0.29/bin/tomcat-juli.jar:/root/apache-
tomcat-6.0.29/bin/bootstrap.jar:/root/apache-tomcat-6.0.29/webapps
/FIR/WEB-INF/classes -Dcatalina.base=/root/apache-tomcat-6.0.29 -
Dcatalina.home=/root/apache-tomcat-6.0.29/bin -Djava.io.tmpdir=/root/
apache-tomcat-6.0.29/temp org.apache.catalina.startup.Bootstrap start

So isn't Tomcat running under root?

That would be exceedingly dangerous. Maybe Tomcat has changed its
effective UID to "nobody" to avoid those dangers.

I have given a link to another location from the /root/apchec*/webapps
directory which is present in another user's home.
So, when my webapp is storing documents shouldn't it store under this
user's id or root's by default? How come the uid is that of nobody?

I doubt very much that it would write files as some arbitrary user,
merely based on who owns the directory. It most likely writes files as
user "nobody" because writing files owned by root into arbitrary
directories, with odd modes, can be open to serious abuse.

It may also be because the filesystem is mounted using NFS, and NFS is
translating UID=0 to UID=65535 for security reasons.
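
Added example (not part of any post in this thread): a shell check for the NFS explanation suggested in the reply above. It reports the Tomcat process's effective UID, the filesystem type behind the upload directory (resolving the symlink first), and the owner a newly created file actually receives. The mount table and the `/home/appuser` path are constructed sample data, and `diagnose` assumes it is run as the same user as Tomcat.

```shell
#!/bin/sh
# Constructed sample mount table in /proc/mounts format (not from the thread).
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
proc /proc proc rw 0 0
fileserver:/export/home /home nfs4 rw,relatime,vers=4.1 0 0
EOF
}

# fs_type_for PATH [MOUNTS_FILE]: print the filesystem type of the
# longest mount point that is a prefix of PATH ("-" reads stdin).
fs_type_for() {
    awk -v p="$1" '
        { mp = $2
          if (mp == "/" || p == mp || index(p, mp "/") == 1)
              if (length(mp) > best) { best = length(mp); t = $3 } }
        END { print t }' "${2:-/proc/mounts}"
}

# explain_owner PROCESS_EUID FSTYPE NEW_FILE_OWNER_UID
# root-squash:     root wrote to NFS and the server remapped the owner
# matches-process: file is owned by the UID the process runs as
explain_owner() {
    case "$2" in nfs*) nfs=1 ;; *) nfs=0 ;; esac
    if [ "$nfs" = 1 ] && [ "$1" = 0 ] && [ "$3" != 0 ]; then
        echo root-squash
    elif [ "$1" = "$3" ]; then
        echo matches-process
    else
        echo other
    fi
}

# diagnose TOMCAT_PID UPLOAD_DIR (Linux; run as the same user as Tomcat)
diagnose() {
    # Field 3 of the Uid: line in /proc/PID/status is the effective UID.
    euid=$(awk '/^Uid:/ {print $3}' "/proc/$1/status")
    fstype=$(fs_type_for "$(readlink -f "$2")")   # follow the webapps symlink
    probe=$(mktemp "$2/.owner-probe.XXXXXX") || return 1
    owner=$(stat -c %u "$probe"); rm -f "$probe"
    echo "euid=$euid fstype=$fstype owner=$owner" \
         "verdict=$(explain_owner "$euid" "$fstype" "$owner")"
}
```

A `root-squash` verdict means the ownership is decided by the NFS server's export options, so changing the account Tomcat runs under (to one whose UID the server accepts) is what changes the file owner.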
 
John B. Matthews

Lew said:
The OP has not stated that he's using httpd.

Lew: This point is well taken, but the article _does_ outline the
(myriad) security issues that ruds should consider.

ruds: If you don't use httpd/suEXEC, you're likely going to have to
create something similar.
 
Lew

Lew: This point is well taken, but the article _does_ outline the
(myriad) security issues that ruds should consider.

ruds: If you don't use httpd/suEXEC, you're likely going to have to
create something similar.

I use Tomcat a lot. I always run it as a non-privileged user, with the
installation directory tree under that same user's ownership. This "nobody"
issue has never arisen under that configuration for me.

I also run it as a multi-instance installation
<http://tomcat.apache.org/tomcat-6.0-doc/introduction.html>
<http://tomcat.apache.org/tomcat-7.0-doc/introduction.html>
"Optionally, Tomcat may be configured for multiple instances by defining
$CATALINA_BASE for each instance."

One useful approach is to set CATALINA_BASE to $HOME/.tomcat or similar
directory within the home directory of each designated Tomcat user.

See the section "Advanced Configuration - Multiple Tomcat Instances" in the
$CATALINA_HOME/RUNNING.txt file.
 
John B. Matthews

Lew: This point is well taken, but the article _does_ outline the
(myriad) security issues that ruds should consider.

ruds: If you don't use httpd/suEXEC, you're likely going to have to
create something similar.

I use Tomcat a lot. I always run it as a non-privileged user, with
the installation directory tree under that same user's ownership.
This "nobody" issue has never arisen under that configuration for me.

I also run it as a multi-instance installation
<http://tomcat.apache.org/tomcat-6.0-doc/introduction.html>
<http://tomcat.apache.org/tomcat-7.0-doc/introduction.html>
"Optionally, Tomcat may be configured for multiple instances by
defining $CATALINA_BASE for each instance."

One useful approach is to set CATALINA_BASE to $HOME/.tomcat or
similar directory within the home directory of each designated Tomcat
user.

See the section "Advanced Configuration - Multiple Tomcat Instances"
in the $CATALINA_HOME/RUNNING.txt file.

I like this; thank you for the pointer.
 
ruds

Tomcat is being run under root user. But my file locations are in
another user's home and it is in root group.
So, I cannot use suExec as it does not allow root group users to run
the program.
I'm still not able to understand how does files get uploaded under
nobody's uid?

Please help.
 
Lew

ruds said:
Tomcat is being run under root user. But my file locations are in
another user's home and it is in root group.
So, I cannot use suExec as it does not allow root group users to run
the program.
I'm still not able to understand how does files get uploaded under
nobody's uid?

Please help.

It has already been suggested that you not run Tomcat under root user. It has
been proffered that that is possibly why it's using "nobody" as the user. Did
you try that solution?

To refresh your memory:

Nigel said:
That would be exceedingly dangerous. Maybe Tomcat has changed its
effective UID to "nobody" to avoid those dangers.

Let us know how that works for you, something you have not done so far.
 
John B. Matthews

Lew said:
Tomcat is being run under root user. But my file locations are in
another user's home and it is in root group. So, I cannot use suExec
as it does not allow root group users to run the program. I'm still
not able to understand how does files get uploaded under nobody's
uid?

Please help.

It has already been suggested that you not run Tomcat under root
user. It has been proffered that that is possibly why it's using
"nobody" as the user. Did you try that solution?

To refresh your memory:

Nigel said:
That would be exceedingly dangerous. Maybe Tomcat has changed its
effective UID to "nobody" to avoid those dangers.

Let us know how that works for you, something you have not done so far.

ruds: It would also help to clarify the goal as it relates to security,
e.g. one user v. many, known user(s) v. unknown, etc.
 
