Christoph Rabel 9 Years Ago
Nice article. One thing though: I have noticed that sometimes tomcat won't stop. In my experience something like this needs to be done:

    if (isRunning) ... tomcat/bin/shutdown.sh
    sleep 5
    if (isRunning) kill $PID
    sleep 5
    if (isRunning) kill -9 $PID

Using ps & grep, isRunning can easily be implemented.
Minor note: I don't think that X-Interactive: true is necessary/useful. But since you didn't mention chkconfig (or update-rc.d) at all, the comment is probably moot.

Olaf Kock, replying to Christoph Rabel, 9 Years Ago
Good point, thanks. That's the "missing shellscript elegance". As restarting is a manual operation, I'm typically at the server for the operation - able to kill -9 when necessary. But I'll try it out and add it to the script. It's probably even already contained in Ubuntu's standard tomcat script... Based on my current workload, it'll take a while. But as the missing piece is already clearly pointed out, this is probably not an issue.
Patrick Wolf 9 Years Ago
It is good to read something about security. Liferay is quite reliable compared to other frameworks written in PHP. However, what are the good practices to install a bulletproof Liferay? Thank you for this tutorial.
I would have thought that you would recommend installing Liferay from the WAR archive deployed in a freshly installed Tomcat. This would avoid the init script hassle and the log rotation issue. In my experience, Liferay and other Java applications are quite verbose, for the sake of developers, but the catalina.out file very quickly reaches a critical size. With an application server or a Tomcat installed, the distribution system takes care of the init script and of the log rotation. And I think that it is better for administrators to use a Tomcat from the distribution repository than the Tomcat provided with the Liferay bundle.
Thanks a lot Olaf for your article.

Olaf Kock, replying to Patrick Wolf, 9 Years Ago
Hi Patrick,
Thanks for your feedback. I agree that the standard Linux distribution tomcat is a lot better suited. I'll add this to the third chapter, when I come back to tomcat configuration. However, the bundle is really popular due to its ease of use, and too often I just see the "sudo startup.sh", e.g. the bundle being run as root. For anybody who loves suggesting this, I'm now providing a place to link to (I had to correct this over and over again). Logfile sizes are a good thing to keep an eye on - and you're bringing them onto my radar for the next chapters. While not purely security/hardening related, they're on a borderline and an out-of-control logfile can be hazardous for the system. Thanks again.
Olaf
Patrick Wolf 9 Years Ago
Olaf, thanks for your comment and "thumb up".
By the way, even though it is trivial and straightforward to install Liferay from the provided bundle, I came across some threads in message boards regarding installation of Liferay from the WAR file, either in Tomcat or JBoss. This is documented but the documentation is sometimes ambiguous and people are still struggling to properly install Liferay this way. I may send you a document outlining Liferay installation on a production environment as I don't know where I could publish it here so that the whole community can share and update it.

Olaf Kock, replying to Patrick Wolf, 9 Years Ago
Hi Patrick,
if you want to - you can write a blog entry yourself: https://www.liferay.com/de/web/james.falkner/blog/-/blogs/community-blogging-now-availa-11 or participate in updating the documentation on the new dev/docs site - see https://dev.liferay.com/participate. But I'm happy to accept your input as well: Your choice.
Especially if the information in the user guide is incomplete or misleading, I'm very interested in seeing it corrected.
Charles Bedford 9 Years Ago
Very useful series of articles Olaf, thanks.
I've been a sysadmin longer than I care to remember, and over the years have made a few generalizations about scripts that make them more readable and easier to follow as well as more secure.
First, to expand on Christoph's points - the isRunning can be a conglomeration of ps and grep or the more recent application that seems to be coming on Linux and Solaris called pgrep. If you have multiple application servers however this can be difficult to manage - and it might be better to use a more specific grep string against the arguments of the running process...
Second, I try to avoid the use of sudo in my root level scripts, largely because my environment does not allow root to use sudo, but also because a Unix level utility already exists to execute something as another user - su. Replacing your calls to sudo with su would cover that script without too much problem.
Third, if you put the comments near the actions it's easier to follow, as opposed to the script where you have your comments at the top detailing what you want to do later... isn't it better to comment the lines as you execute them? I know it's picking nits, but as time goes on you find little things make your life simpler as an admin, and that's always a good thing.
Thanks for listening, and keep the good articles like this one coming!
-- Charles

Olaf Kock, replying to Charles Bedford, 9 Years Ago
Hi Charles,
Thanks for your feedback. You're right in all points. The update that I was talking about in the reply to Christoph is still pending - until then I rely on readers to include these comments in their quest for a secure installation. All of this will be solved by following Patrick's advice to use the distribution's tomcat for Liferay (and install the WAR distribution) - at least that's a suggestion that I've included in chapter 4.
But I want to make this script more elegant too - and it's good that this triggers discussion and feedback.

Olaf Kock, replying to Olaf Kock, 9 Years Ago
I totally forgot about Brett's tomcat startup script - even though I even commented there... https://www.liferay.com/web/brett.swaim/blog/-/blogs/sample-tomcat-startup-scripts
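Added example, not part of any comment above and not the article's init script: Christoph's escalation (shutdown.sh, then kill, then kill -9) combined with Charles's suggestion to match on the arguments of the running process, written as POSIX shell functions. The function names, the grace period, the STOP_RESULT variable and the -Dcatalina.base match are assumptions.

```shell
#!/bin/sh
# Added example. Function names, grace period and the pgrep pattern are
# assumptions, not taken from the article's script.

# True while PID exists. Signal 0 only tests; run as root or as the owner.
is_running() { kill -0 "$1" 2>/dev/null; }

# Find the JVM of one Tomcat instance by its catalina.base argument,
# so that other application servers on the same host are not matched.
find_tomcat_pid() {
    pgrep -f "[-]Dcatalina\.base=$1( |\$)" | head -n 1
}

# wait_gone PID SECONDS: poll once per second, succeed as soon as PID is gone.
wait_gone() {
    wg_left=$2
    while [ "$wg_left" -gt 0 ]; do
        is_running "$1" || return 0
        sleep 1
        wg_left=$((wg_left - 1))
    done
    ! is_running "$1"
}

# stop_escalating PID GRACE [SHUTDOWN_CMD]
# Sets STOP_RESULT to the step that ended the process:
# not-running, shutdown, term, kill or failed.
stop_escalating() {
    se_pid=$1; se_grace=$2; se_cmd=${3:-}
    STOP_RESULT=not-running
    is_running "$se_pid" || return 0
    if [ -n "$se_cmd" ]; then
        "$se_cmd" >/dev/null 2>&1 || true      # e.g. tomcat/bin/shutdown.sh
        STOP_RESULT=shutdown
        wait_gone "$se_pid" "$se_grace" && return 0
    fi
    kill "$se_pid" 2>/dev/null || true         # SIGTERM: let the JVM exit cleanly
    STOP_RESULT=term
    wait_gone "$se_pid" "$se_grace" && return 0
    kill -9 "$se_pid" 2>/dev/null || true      # last resort: SIGKILL
    STOP_RESULT=kill
    wait_gone "$se_pid" "$se_grace" && return 0
    STOP_RESULT=failed
    return 1
}

# Usage in an init script (paths are placeholders):
#   pid=$(find_tomcat_pid /path/to/tomcat)
#   [ -n "$pid" ] && stop_escalating "$pid" 5 /path/to/tomcat/bin/shutdown.sh
```

Logging STOP_RESULT on every stop shows how often the instance needs SIGKILL, which is worth knowing because a killed JVM skips its shutdown hooks.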
(You) 8 Years Ago
[...] Disable "create new accounts" if you don't want random users to create new accounts (e.g. in an intranet) JSONWS access Disable Control Panel, add "My Account" to user's personal pages instead The... [...]