Hyland Connect

ebogaard · ‎03-21-2011

For safety reasons, it's allways recommended to run applications as a different user than root.
Because I use Apache as a reverse proxy in front of Alfresco, I was wondering how important it is to run Alfresco as another user than root?

If it still is important, I home someone can give me a few pointers. I can't find anyhing in the documentation or on the forum.

I'm using Alfresco 3.4.d on Centos 5

mrogers · ‎03-21-2011

Well I've answered several forum threads on this subject.

Whether you run as root or another user is up to you. I would tend to go with a separate account.
Depending on your OS you may need to map your port numbers below 1000. Other than that its just a case of making sure you consistently run alfresco with a user that has access to the content store.

ebogaard · ‎03-21-2011

Thanks for your answer.
Searched your posts, but could only find one. In that post you only mention that another user cannot bind to ports <1024. But this isn't really an answer to my question.

As I use Apache as reverse proxy in front of Alfresco, I can just rewrite the Tomcat port (8080) via ajp tot https. So, no problems there.
Because Apache is the frontend, I think my question still stands: is it still advisable to run Alfresco (with Apahce as front-end) as another user than root?

If so: how can I run Alfresco as non-root? Can't find anything about that.

Thanks!

ebogaard · ‎03-24-2011

Still hoping that anyone can help me with this 🙂

dranakan · ‎03-31-2011

Hello,

Here are the procedure to run Alfresco/Mysql with user alfresco. A installation is done in /opt/Alfresco with Alfresco 3.4d on RHEL5.

Do as root (su -).

0) Check Alfresco is ok
Check the Alfresco installation, CIFS, …if all is ok. Stop it.

1) Creation user alfresco and permission on the directory

useradd alfresco
chown -R alfresco:alfresco /opt/Alfresco‍‍

2) Services launch as alfresco
Modify /etc/rc.d/init.d/alfresco (using su - alfresco -c …

   #!/bin/sh
   #
   # chkconfig: 2345 80 30
   # description: Alfresco Community
   #
   
   RETVAL=0
   
   start () {
       su - alfresco -c "/opt/Alfresco/alfresco.sh start $2"
       RETVAL=$?
       if [ -d "/var/lock/subsys" ] && [ `id -u` = 0 ] && [ $RETVAL -eq 0 ] ; then
           touch /var/lock/subsys/alfresco
       fi
   
   }
   
   stop () {
       su - alfresco -c "/opt/Alfresco/alfresco.sh stop $2"
       RETVAL=$?
   }
   case "$1" in
       start)
           start "$@"
           ;;
       stop)
           stop "$@"
           ;;
       restart)
           stop "$@"
           start "$@"
           ;;
       *)
           su - alfresco -c "/opt/Alfresco/alfresco.sh $@"
           RETVAL=$?
   esac
   exit $RETVAL
‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

3) Forward ports

   echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/modprobe iptable_nat
/sbin/iptables -t nat -F
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp –dport 445 -j REDIRECT –to-ports 1445
/sbin/iptables -t nat -A PREROUTING -p tcp –dport 139 -j REDIRECT –to-ports 1139
/sbin/iptables -t nat -A PREROUTING -p udp –dport 137 -j REDIRECT –to-ports 1137
/sbin/iptables -t nat -A PREROUTING -p udp –dport 138 -j REDIRECT –to-ports 1138
/sbin/iptables -t nat -A PREROUTING -p tcp –dport 21 -j REDIRECT –to-ports 1024
/etc/init.d/network restart‍‍‍‍‍‍‍‍‍‍‍‍

Apply for next reboot :

service iptables save
‍‍

4) Configure Alfresco using other ports
Add/Change : /opt/Alfresco/tomcat/shared/classes/alfresco-global.properties


   cifs.enabled=true
   cifs.ServerName=${localname}
   cifs.domain=Office
   cifs.hostanounce=true
   
   cifs.broadcast=0.0.0.0
   cifs.tcpipSMB.port=1445
   cifs.ipv6.enabled=false
   cifs.netBIOSSMB.namePort=1137
   cifs.netBIOSSMB.datagramPort=1138
   cifs.netBIOSSMB.sessionPort=1139
   
   # Change ftp port…
   ftp.port=1024
‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

5) Start Alfresco

service alfresco start‍

6) Check
Use the command "top" or "ps aux" to see the process in running. User must be alfresco with Mysql and Java
See the /opt/Alfresco/tomcat/logs/catalina.out if the is no problem
Check the CIFS
…

Hope it helps…

hiten_rastogi1 · ‎11-15-2017

Hi Dranakan,

I tried your solution but it seems that there is an issue with the postgresql database when we start the alfresco.

I am getting the below exception when I try to start the alfresco as a service

2017-11-15 13:10:00,166 WARN [hibernate.cfg.SettingsFactory] [localhost-startStop-1] Could not obtain connection metadata
org.apache.commons.dbcp.SQLNestedException: Cannot create PoolableConnectionFactory (FATAL: semctl(10715157, 11, SETVAL, 0) failed: Invalid argument)
at org.apache.commons.dbcp.BasicDataSource.createPoolableConnectionFactory(BasicDataSource.java:1549)
at org.apache.commons.dbcp.BasicDataSource.createDataSource(BasicDataSource.java:1388)
at org.apache.commons.dbcp.BasicDataSource.getConnection(BasicDataSource.java:1044)
at org.springframework.orm.hibernate3.LocalDataSourceConnectionProvider.getConnection(LocalDataSourceConnectionProvider.java:83)
at org.hibernate.cfg.SettingsFactory.buildSettings(SettingsFactory.java:84)
at org.hibernate.cfg.Configuration.buildSettings(Configuration.java:2079)
at org.hibernate.cfg.Configuration.buildSessionFactory(Configuration.java:1304)
at org.springframework.orm.hibernate3.LocalSessionFactoryBean.newSessionFactory(LocalSessionFactoryBean.java:863)
at org.springframework.orm.hibernate3.LocalSessionFactoryBean.buildSessionFactory(LocalSessionFactoryBean.java:782)

Please let me know how to overcome the issue.

ebogaard · ‎04-01-2011

I actually only didn't figure out that I needed to pass a "-" to su. So, thanks for that!
It's nice to see that OpenOffice starts as alfresco as well.

Hyland Connect

Run Alfresco as non-root