How to make Webware run under its own user account ('webware')
Of course, you don't actually "run Webware". You run the AppServer.py daemon in WebKit.
The following steps are for UNIX-like operating systems. (Somebody else please add the steps for NT and other OSes.)
Create the user ("useradd webware" or edit /etc/passwd, etc). Since the user shouldn't log in, give them /bin/false for a login shell and no home directory. Change the password in /etc/passwd or /etc/shadow to 'x' or precede it with '!' to prevent them from logging in. The user can be in group 'nogroup', or you can create a 'webware' group if your OS normally has a separate group for each user.
Set the permissions of your Webware/ files according to which files the AppServer must read and/or write while running. The stricter the better (e.g., it must write log files, but it should not write to config files or AppServer.py). Add write permission to any directory it must create files in.
In your startup script, you can use <pre> su -c COMMAND webware </pre> to run a command as the webware user. The WebKit/webkit init script already has the appropriate line for this. Uncomment it and comment out the line above it, which runs the app server as root. Both lines are clearly labeled with a preceding comment:
<pre>
# run as root:
$LAUNCH >> $LOG 2>&1 &
# run as a user named 'webware':
#su -c "$LAUNCH" webware >> $LOG 2>&1 &
</pre>
-- MikeOrr - 02 Nov 2001 -- ChuckEsterbrook - 08 Nov 2001
Is it really wise to run AppServer as root?
The advice about disabling login shells and home directories is quite important, but how does one set up the webware user's environment? I have seen nasty cases of shell resource files and moving home directories, which would be avoided here, but how and where should the environment be set up?
-- PaulBoddie - 08 Nov 2001
Don't forget to make sure that the user you are going to run it as owns all of the webware files and can write new files in the webware directory.
so do a:
<pre>
chown 'webwareuser':'webwaregroup' * -R
</pre>
in the Webware directory
(Thanks to Jay Love)
-- MattFeifarek - 14 Feb 2002
That's a bit dangerous! The user running WebKit should only have write access to those directories that it absolutely must be able to write to: Webware/WebKit/Cache, Webware/WebKit/Logs, Webware/WebKit/Sessions. It will also need write access to Webware/WebKit so that appserverpid.txt and address.txt can be written (this is really the wrong place for these, IMHO). The webware user should NOT own those directories, but should be given write permission. -- TavisRudd - 01 Mar 2002
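An added example, not code from the wiki authors or the Webware project, that puts the steps above together as a POSIX shell script: the files stay owned by the admin, the service account gets write access through a group only on WebKit/ and its Cache, Logs and Sessions directories as Tavis describes, and an audit function refuses to launch if anything else is writable. The group name, the audit function and the LAUNCH_CMD/LOGFILE parameters of the launcher are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the Webware project's code: give the 'webware' service account
# read access everywhere but write access only where the AppServer must write, then
# audit the result before launching. Assumption: files stay owned by the invoking
# admin and the service user is a member of SERVICE_GROUP; write is granted via group bits.
set -eu

# Run-time directories under WebKit/ named in the discussion above. WebKit/ itself
# must also be group-writable because appserverpid.txt and address.txt land there.
SERVICE_DIRS="Cache Logs Sessions"

# lock_down_webware WEBWARE_DIR SERVICE_GROUP
lock_down_webware() {
    dir=${1%/}; grp=$2
    chgrp -R "$grp" "$dir"
    chmod -R go-w "$dir"            # only the owner may write code or config
    chmod -R g+rX "$dir"            # service group may read and traverse (X: dirs only)
    chmod g+ws "$dir/WebKit"        # setgid keeps files the service creates in the group
    for sub in $SERVICE_DIRS; do
        mkdir -p "$dir/WebKit/$sub"
        chmod g+ws "$dir/WebKit/$sub"
    done
}

# check_no_stray_write WEBWARE_DIR
# Lists anything writable by group or other outside the sanctioned places (contents
# of the SERVICE_DIRS are the service's own and are skipped); returns 1 if found.
check_no_stray_write() {
    dir=${1%/}
    stray=$(find "$dir" \( -path "$dir/WebKit/Cache" -o -path "$dir/WebKit/Logs" \
                 -o -path "$dir/WebKit/Sessions" \) -prune \
              -o \( -perm -020 -o -perm -002 \) ! -path "$dir/WebKit" -print)
    [ -z "$stray" ] || { printf 'unexpectedly writable:\n%s\n' "$stray" >&2; return 1; }
}

# start_appserver WEBWARE_DIR LAUNCH_CMD LOGFILE
# The init-script line from above, gated on the audit; LAUNCH_CMD is whatever $LAUNCH holds.
start_appserver() {
    check_no_stray_write "$1" || return 1
    su -c "$2" webware >> "$3" 2>&1 &
}
```

Run `lock_down_webware /path/to/Webware webware` once as the admin after installing or upgrading, and call `start_appserver` from the init script in place of the bare su line.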
And if you use the highly-recommended MakeAppWorkDir, you don't need to write anything into the Webware directories. You will have to make some of the directories in your working dir writeable though. -- GeoffTalvola - 04 Mar 2002
The trick with /bin/false as the user's login shell didn't seem to work for me on a recent Red Hat Linux. Doing an su -c didn't cause the command to be executed. -- PaulBoddie - 25 Mar 2002