Return to Jive Software

Skip navigation
Up to Discussions in Jive Forums
1,975 Views 11 Replies Last post: Oct 28, 2009 1:45 PM by erichendrickson RSS
erichendrickson Novice
erichendrickson
63 posts since
Jul 14, 2009
Currently Being Moderated

Oct 6, 2009 3:42 PM

Jive Apache runs as root, and owns some of the files

Working in a managed environment, we do not have access to 'root' except by very special request (e.g. for upgrades, to run 'rpm').

 

I have noticed that the parent Apache process retains it's UID as root even after starting.  Yet the jive-httpd.conf appears to be set to switch to 'daemon'.  Questions:

 

1.  Why does it stay running as root?  Shouldn't it switch to the 'jive' user?  Can I change the jive-httpd.conf (or somewhere else) to make it switch to the 'jive' id after binding to port 80?  (That doesn't seem to work right now though since it's already set to change to 'daemon' and it doesn't do that.)

 

2.  There are a number of directories under /usr/local/jive that retain root ownership.  Since we do not have 'root' access (except possibly, to start/stop the services but that request is in process), (a) is it safe to convert all of this over to jive (assuming we can do #1 above and get the parent httpd over to running as jive)?

 

And, can future package releases handle these two items automatically?

 

3.  The file /usr/local/jive/applications/sbs/bin/instance is created at install time, and seems to be the right place to change the AJP_PORT, where we had a conflict with Altiris on port 9002.  I don't see this file documented anywhere in the Jive documentation - can we get this documented or can you point that location out to me?

 

4.  Is there a recommended method to start/stop the application, database and httpd without root?

 

Thanks and regards,

Eric Hendrickson

Tags: apache, root
karlcyr Jive Employee
karlcyr
9,340 posts since
Mar 12, 2008
Currently Being Moderated
Oct 6, 2009 5:00 PM in response to: erichendrickson
Re: Jive Apache runs as root, and owns some of the files

Hi Eric,

 

1.  Why does it stay running as root?  Shouldn't it switch to the 'jive' user?  Can I change the jive-httpd.conf (or somewhere else) to make it switch to the 'jive' id after binding to port 80?  (That doesn't seem to work right now though since it's already set to change to 'daemon' and it doesn't do that.)

I will have to follow up on that with an engineer who worked on the platform. I do not see any jive-httpd processes running as root on our hosted instances.

 

2.  There are a number of directories under /usr/local/jive that retain root ownership.  Since we do not have 'root' access (except possibly, to start/stop the services but that request is in process), (a) is it safe to convert all of this over to jive (assuming we can do #1 above and get the parent httpd over to running as jive)?

These directories are intentionally left as owned by root for their protection. Making changes to these folders could potentially lead to application instability. Therefore they are intentionally protected at a level where the application, or most application admins, are unable to edit them.

 

3.  The file /usr/local/jive/applications/sbs/bin/instance is created at install time, and seems to be the right place to change the AJP_PORT, where we had a conflict with Altiris on port 9002.  I don't see this file documented anywhere in the Jive documentation - can we get this documented or can you point that location out to me?

You can find information on the "instance" file in the Operations Cookbook: http://www.jivesoftware.com/builds/docs/jive_sbs_employee/latest/admin/OperationsCookbook.html#changing_the_configuration_of_an_existing_instance

 

4.  Is there a recommended method to start/stop the application, database and httpd without root?

Application management can be performed by the jive user with any of the commands in the /usr/local/jive/bin/ directory. You should not have any need to restart the database server. Additionally, you can control Apache and Tomcat individually using the /usr/local/jive/<application>/manage script.

 

Regards,
Karl

erichendrickson Novice
erichendrickson
63 posts since
Jul 14, 2009
Currently Being Moderated
Oct 7, 2009 1:01 PM in response to: Karl Cyr
Re: Jive Apache runs as root, and owns some of the files

Hi Karl, thanks for your response.

 

I'll show you these ps output's to demonstrate that the parent httpd process is still running as root.

 

 

: jive@apsr8068 ~/bin ;
: [Oct  7 14:01] 501$ ; ps -fu jive
UID        PID  PPID  C STIME TTY          TIME CMD
jive       951  2323  0 Oct05 ?        00:00:06 /usr/local/jive/httpd/bin/jive-httpd -f /usr/local/jive/etc/httpd/conf/httpd.conf -k start
jive      2222     1  0 Oct02 ?        00:00:17 /usr/local/jive/postgres/bin/postgres -D /usr/local/jive/var/data/postgres-8.3
jive      2225  2222  0 Oct02 ?        00:00:05 postgres: writer process
jive      2226  2222  0 Oct02 ?        00:00:03 postgres: wal writer process
jive      2227  2222  0 Oct02 ?        00:00:00 postgres: autovacuum launcher process
jive      2228  2222  0 Oct02 ?        00:00:00 postgres: archiver process   last was 000000010000000000000005.00042D58.backup
jive      2229  2222  0 Oct02 ?        00:00:01 postgres: stats collector process
jive      2283     1  0 Oct02 ?        00:31:06 /usr/local/jive/java/bin/java -XX:+PrintClassHistogram -XX:+PrintTenuringDistribution -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -Djav
jive      2457 27844  0 14:01 pts/1    00:00:00 ps -fu jive
jive      3896  2323  0 Oct05 ?        00:00:06 /usr/local/jive/httpd/bin/jive-httpd -f /usr/local/jive/etc/httpd/conf/httpd.conf -k start
jive     13144  2323  0 Oct05 ?        00:00:05 /usr/local/jive/httpd/bin/jive-httpd -f /usr/local/jive/etc/httpd/conf/httpd.conf -k start
jive     22327  2323  0 Oct06 ?        00:00:02 /usr/local/jive/httpd/bin/jive-httpd -f /usr/local/jive/etc/httpd/conf/httpd.conf -k start
jive     22505  2323  0 Oct06 ?        00:00:02 /usr/local/jive/httpd/bin/jive-httpd -f /usr/local/jive/etc/httpd/conf/httpd.conf -k start
jive     22713  2323  0 Oct06 ?        00:00:02 /usr/local/jive/httpd/bin/jive-httpd -f /usr/local/jive/etc/httpd/conf/httpd.conf -k start
jive     27844 27550  0 11:42 pts/1    00:00:00 -bash
jive     32149  2323  0 Oct06 ?        00:00:02 /usr/local/jive/httpd/bin/jive-httpd -f /usr/local/jive/etc/httpd/conf/httpd.conf -k start
jive     32464  2323  0 Oct05 ?        00:00:06 /usr/local/jive/httpd/bin/jive-httpd -f /usr/local/jive/etc/httpd/conf/httpd.conf -k start
jive     32465  2323  0 Oct05 ?        00:00:06 /usr/local/jive/httpd/bin/jive-httpd -f /usr/local/jive/etc/httpd/conf/httpd.conf -k start
jive     32655  2323  0 Oct05 ?        00:00:06 /usr/local/jive/httpd/bin/jive-httpd -f /usr/local/jive/etc/httpd/conf/httpd.conf -k start
: jive@apsr8068 ~/bin ;
: [Oct  7 14:01] 502$ ; ps -f 2323
UID        PID  PPID  C STIME TTY      STAT   TIME CMD
root      2323     1  0 Oct02 ?        Ss     0:00 /usr/local/jive/httpd/bin/jive-httpd -f /usr/local/jive/etc/httpd/conf/httpd.conf -k start
Shouldn't PID 2323 have changed it's EUID to 'daemon' (as it looks like the jive-httpd.conf is configured for) or 'jive' since that is the id created for this purpose?
Thanks,
Eric
karlcyr Jive Employee
karlcyr
9,340 posts since
Mar 12, 2008
Currently Being Moderated
Oct 7, 2009 2:06 PM in response to: erichendrickson
Re: Jive Apache runs as root, and owns some of the files

Hi Eric,

 

I ran this by our lead platform developer. He explained that the root process is needed to bind to port 80, and subsequently spawn the child processes which will handle the actual requests. The single root process is needed as the parent to keep the socket open on that privileged port, but it does not actually serve any requests.

 

Regards,
Karl

erichendrickson Novice
erichendrickson
63 posts since
Jul 14, 2009
Currently Being Moderated
Oct 7, 2009 2:31 PM in response to: Karl Cyr
Re: Jive Apache runs as root, and owns some of the files

Hi Karl,

 

Yes, it does need root to bind to any port below 1024.  However, best practices are that it should change it's EUID to something else after it has obtained port 80.

 

This is why the /usr/local/jive/etc/httpd/conf/httpd.conf file has this setting in it:

 

User jive
Group jive

 

So why doesn't the parent httpd change it's EUID to 'jive'?

 

And now this also brings up another question, which is, Why are there two httpd.conf files?

 

/usr/local/jive/etc/httpd/conf/httpd.conf [OWNER JIVE]

/usr/local/jive/httpd/conf/jive-httpd.conf [OWNER ROOT]

 

The latter one has the following, with a more standard Apache comment:

 

#

# If you wish httpd to run as a different user or group, you must run

# httpd as root initially and it will switch.

#

# User/Group: The name (or #number) of the user/group to run httpd as.

# It is usually good practice to create a dedicated user and group for

# running httpd, as with most system services.

#

User daemon

Group daemon

And, Which one is the one we are using?
Thanks and regards,
Eric
p.s. there seems to be a bug in the blank line stripping code for blank lines after an indented line, there is a blank line here after the quoted lines from the second httpd.conf, before "And," and it keeps getting stripped out.
karlcyr Jive Employee
karlcyr
9,340 posts since
Mar 12, 2008
Currently Being Moderated
Oct 8, 2009 1:08 PM in response to: erichendrickson
Re: Jive Apache runs as root, and owns some of the files

Hi Eric,

 

It looks like this is a standard configuration for Apache servers. Please see: http://httpd.apache.org/docs/1.3/mod/core.html#user

 

If you do start the server as root, then it is normal for the parent process to remain running as root.

 

Regards,

Karl

erichendrickson Novice
erichendrickson
63 posts since
Jul 14, 2009
Currently Being Moderated
Oct 8, 2009 1:17 PM in response to: Karl Cyr
Re: Jive Apache runs as root, and owns some of the files

I see what you mean, thanks.  I somehow did not know that... 

 

However this will be ok as in parallel with this I had requested sudo permission to run the start stop scripts as root, and this was granted today.  So we will be able to do "service jive-* [start|stop|status]" as root (with sudo) so I expect we'll be all set here.

 

Can we keep this ticket open for a week or two until we get past the build of the Stage environment and confirm that we are all set there too - but I will move it down the priority list.

 

Thanks and regards,

Eric

karlcyr Jive Employee
karlcyr
9,340 posts since
Mar 12, 2008
Currently Being Moderated
Oct 8, 2009 2:45 PM in response to: erichendrickson
Re: Jive Apache runs as root, and owns some of the files

Sure, that sounds good Eric.

 

Regards,

Karl

erichendrickson Novice
erichendrickson
63 posts since
Jul 14, 2009
Currently Being Moderated
Oct 12, 2009 8:32 AM in response to: Karl Cyr
Re: Jive Apache runs as root, and owns some of the files

One question I still need answered here is, as shown above, why are there two httpd.conf files?  I can see in the process table which one is in use but if I wanted to modify the Apache config should I modify both of them or just one?

 

Thanks!

Eric

karlcyr Jive Employee
karlcyr
9,340 posts since
Mar 12, 2008
Currently Being Moderated
Oct 12, 2009 9:53 AM in response to: erichendrickson
Re: Jive Apache runs as root, and owns some of the files

Hi Eric,

 

The jive-httpd.conf is used to intialize Apache, bind to port 80, and kick off the other processes. The other httpd.conf is the one which is used for configuration settings, and this file in turn would load application-specific configuration files if you had multiple SBS installations running on the same platform.

 

Our recommendation is to make any configuration changes to httpd.conf, and leave the jive-http.conf file untouched unless you have a very specific reason.

 

Regards,
Karl

karlcyr Jive Employee
karlcyr
9,340 posts since
Mar 12, 2008
Currently Being Moderated
Oct 27, 2009 6:17 PM in response to: Karl Cyr
Re: Jive Apache runs as root, and owns some of the files

Hi Eric,

 

Do you have any additional questions about this, or can this case be closed?

 

Regards,
Karl

erichendrickson Novice
erichendrickson
63 posts since
Jul 14, 2009
Currently Being Moderated
Oct 28, 2009 1:45 PM in response to: Karl Cyr
Re: Jive Apache runs as root, and owns some of the files

Hi Karl,

 

Thanks for asking - yes this is all settled and you can close this.

 

Regards,

Eric

More Like This

  • Retrieving data ...

Bookmarked By (0)

To better serve our customers we have included functionality to automatically follow up on a case after it has been idle for more than 5 days, and then auto close after an additional 3 days of inactivity. Choose No to acknowledge that this case will remain idle for longer than 5 days.
Making cases public allows other customers to learn from the solution of the case. It can also be used to gain feedback from others in the community. Ask our Support Engineers for more info, but we encourage you to make your cases public.