**How to make Webware run under its own user account ('webware')**

Of course, you don't actually "run Webware". You run the AppServer.py daemon in WebKit.

The following steps are for UNIX-like operating systems. (Somebody else please add the steps for NT and other OSes.)

* Create the user ("useradd webware" or edit /etc/passwd, etc). Since the user shouldn't log in, give them /bin/false for a login shell and no home directory. Change the password in /etc/passwd or /etc/shadow to 'x' or precede it with '!' to prevent them from logging in. The user can be in group 'nogroup', or you can create a 'webware' group if your OS normally has a separate group for each user.
* Set the permissions of your Webware/ files according to which files the AppServer must read and/or write while running. The stricter the better (e.g., it must write log files, but it should not write to config files or AppServer.py). Add write permission to any directory it must create files in.
* In your startup script, you can use ``su -c COMMAND webware`` to run a command as the webware user. The WebKit/webkit init script already has the appropriate line for this. Uncomment it and comment out the line above it, which runs the app server as root. Both lines are clearly labeled with a preceding comment::

    # run as root:
    $LAUNCH >> $LOG 2>&1 &
    # run as a user named 'webware':
    #su -c "$LAUNCH" webware >> $LOG 2>&1 &

-- MikeOrr_ - 02 Nov 2001 -- ChuckEsterbrook_ - 08 Nov 2001

Is it really wise to run AppServer as ``root``? The advice about disabling login shells and home directories is quite important, but how does one set up the ``webware`` user's environment? I have seen nasty cases of shell resource files and moving home directories, which would be avoided here, but how and where should the environment be set up?

-- PaulBoddie_ - 08 Nov 2001

Don't forget to make sure that the user you are going to run it as owns all of the webware files and can write new files in the webware directory. So do a::

    chown 'webwareuser':'webwaregroup' * -R

in the Webware directory (Thanks to Jay Love)

-- MattFeifarek_ - 14 Feb 2002

That's a bit dangerous! The user running WebKit should only have write access to those directories that it absolutely must be able to write to: Webware/WebKit/Cache, Webware/WebKit/Logs, Webware/WebKit/Sessions. It will also need write access to Webware/WebKit so that appserverpid.txt and address.txt can be written (this is really the wrong place for these, IMHO). The webware user should NOT own those directories, but should be given write permission.

-- TavisRudd_ - 01 Mar 2002

And if you use the highly-recommended MakeAppWorkDir_, you don't need to write anything into the Webware directories. You will have to make some of the directories in your working dir writeable though.

-- GeoffTalvola_ - 04 Mar 2002

The trick with ``/bin/false`` as the user's login shell didn't seem to work for me on a recent Red Hat Linux. Doing an ``su -c`` didn't cause the command to be executed.

-- PaulBoddie_ - 25 Mar 2002
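
The permission advice on this page (write access only to WebKit/Cache, WebKit/Logs and WebKit/Sessions, plus the two state files in WebKit, and no ownership of the rest) can be checked with a short audit. This is an added example, not part of the original wiki page or of Webware; the function names ``audit_writable`` and ``make_demo_tree`` and the file ``example.config`` are made up for illustration, and only mode bits are examined.

```shell
#!/bin/sh
# Added example (not from Webware): list paths under a Webware tree that the
# service account owns or can write, apart from the runtime locations the
# page names. Only mode bits are evaluated (no ACLs, no parent directories);
# the tree path must not contain glob characters.

audit_writable() {   # usage: audit_writable WEBWARE_DIR ACCOUNT
    aw_root=${1%/} aw_user=$2
    aw_gids=$(id -G "$aw_user") || return 2
    set --           # build "-group G1 -o -group G2 ..." for the account
    for aw_g in $aw_gids; do
        [ $# -eq 0 ] || set -- "$@" -o
        set -- "$@" -group "$aw_g"
    done
    # Cache, Logs and Sessions are meant to be writable, so skip them; the
    # WebKit directory and its two state files are tolerated as well.
    find "$aw_root" \
        \( -path "$aw_root/WebKit/Cache" -o -path "$aw_root/WebKit/Logs" \
           -o -path "$aw_root/WebKit/Sessions" \) -prune -o \
        ! -type l \
        ! -path "$aw_root/WebKit" \
        ! -path "$aw_root/WebKit/appserverpid.txt" \
        ! -path "$aw_root/WebKit/address.txt" \
        \( -user "$aw_user" \
           -o \( \( "$@" \) -perm -020 \) \
           -o -perm -002 \) -print
}

# Constructed sample tree for trying the audit without a real install.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/WebKit/Logs" "$d/WebKit/Configs"
    : > "$d/WebKit/AppServer.py"
    : > "$d/WebKit/Logs/app.log"
    : > "$d/WebKit/Configs/example.config"
    chmod 644 "$d/WebKit/AppServer.py"
    chmod 666 "$d/WebKit/Logs/app.log" "$d/WebKit/Configs/example.config"
    chmod 755 "$d/WebKit" "$d/WebKit/Logs" "$d/WebKit/Configs"
    echo "$d"
}

# Script use: audit.sh /path/to/Webware webware
if [ $# -eq 2 ]; then audit_writable "$1" "$2"; fi
```

Every path printed is something the account owns (and could therefore chmod) or can write through group or world bits; an empty result means the tree matches the stricter layout described in the comments above.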