We're running a (cPanel/WHM based) server which contains mainly PHP applications. They are executed with the permissions of their owner with the suExec component of Apache.
We're looking into moving some of our core applications to Java, running in Tomcat (with Apache proxying), which can apparently be easily installed from within WHM. However, is there a way to preserve the suExec functionality there, so Java applications also get executed with the correct permissions?
Tomcat only runs as a single (multi-threaded) process, so there's no way to have apps deployed to the same $CATALINA_BASE run as different users. You'll have to install separate Tomcat instances (or at least set up separate $CATALINA_BASE directories) if you have to run different webapps under different users.
If you want to run as different users because some applications need specific security permissions, then you might also investigate using a security manager.
In all the Tomcat deployments I have done the Tomcat instance runs as user 'tomcat' on a high-number port, such as 8080. Then using a front-end webserver (Apache?), we proxy the incoming connections to the high-number port.
That would allow for non-root Tomcat, and I think it's default in most Linux distros these days.
Or are you looking to run multiple applications inside Tomcat, each as its own user?
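The layout the answers above describe (one $CATALINA_BASE per account, each Tomcat listening on its own high-numbered loopback port behind the Apache proxy), as an added sketch that is not part of the original posts. The `make_instance` helper, the account names, the ports and the paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: one CATALINA_BASE per account, sharing one CATALINA_HOME.
# make_instance ROOT USER HTTP_PORT SHUTDOWN_PORT  (hypothetical helper)
make_instance() {
    root=$1; user=$2; http=$3; stop=$4
    base="$root/$user"
    # Refuse a port that another instance under ROOT already claims.
    if [ "$http" = "$stop" ] ||
       grep -Eqs "port=\"($http|$stop)\"" "$root"/*/conf/server.xml; then
        echo "port conflict for $user" >&2
        return 1
    fi
    mkdir -p "$base/conf" "$base/logs" "$base/temp" "$base/webapps" "$base/work"
    cat > "$base/conf/server.xml" <<EOF
<Server port="$stop" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- Loopback only: the front-end Apache proxies to this port -->
    <Connector port="$http" protocol="HTTP/1.1" address="127.0.0.1"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" autoDeploy="false"/>
    </Engine>
  </Service>
</Server>
EOF
    # Default servlet/JSP mappings come from the shared install, if present.
    if [ -f "${CATALINA_HOME:-}/conf/web.xml" ]; then
        cp "$CATALINA_HOME/conf/web.xml" "$base/conf/web.xml"
    fi
    # Owner-only access, so one account cannot read another's apps or logs.
    chmod -R go-rwx "$base"
    # Ownership can only be handed over by root, and only to an existing account.
    if [ "$(id -u)" -eq 0 ] && id "$user" >/dev/null 2>&1; then
        chown -R "$user" "$base"
    fi
    echo "$base"
}

# Demo with constructed accounts in a scratch directory.
demo_root=$(mktemp -d)
make_instance "$demo_root" alice 8081 8006
make_instance "$demo_root" bob 8082 8007
# Each instance is then started as its owner, for example:
#   su -s /bin/sh -c 'CATALINA_BASE=<base> "$CATALINA_HOME/bin/catalina.sh" start' alice
```

Apache then needs one proxy rule per account pointing at that account's loopback port.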