tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kitching Simon <Simon.Kitch...@orange.ch>
Subject RE: Who should install Tomcat on Solaris? root?
Date Fri, 06 Oct 2000 08:08:33 GMT
Hi,

Just to expand a little on Andreas' answer..

When you say "it runs on 8007" I presume that you
mean you are using apache as a front-end. That's
fine, that's one of the ways that tomcat is meant
to be used though not the only one.

In this situation, you are correct to say that it
can be run as any user, and as Andreas suggested
you *really* should run it as a non-root-user.  Imagine
for example that there is a buffer-overflow or other
bug in apache that can be used to remotely create 
a .jsp file in the webserver. If this .jsp file contains
code to do something like "insert a row into the 
/etc/passwd file" and you are *running* tomcat as 
root, then its party time!!!

You did ask which user to "install" tomcat as, which
is a slightly different question, but I presume you mean
run as. In fact, it probably is best to *install* tomcat as
root (ie have the jar files etc. owned by root) and give the
user you *run* tomcat as only read access to these files.
That way, the tomcat files can't be replaced with hacked
versions. However, that is taking security to extreme
levels; it is unlikely that a hacker can get that far into the
system without having worse things they could do...

Cheers,

Simon

> -----Original Message-----
> From:	Stubenrauch,Andreas [SMTP:mex02@erv.de]
> Sent:	Friday, October 06, 2000 9:15 AM
> To:	'tomcat-user@jakarta.apache.org'
> Subject:	RE: Who should install Tomcat on Solaris?  root?
> 
> You are right anyone will do.I would recommend a sperate (ordinary or less
> privileged) useraccount for security reasons.
> 
> Regards,
> Andreas
> 
> > -----Original Message-----
> > From: Hosegood, Chris W (EDU) [mailto:CHosegood@edu.gov.mb.ca]
> > Sent: Thursday, October 05, 2000 9:28 PM
> > To: 'tomcat-user@jakarta.apache.org'
> > Subject: Who should install Tomcat on Solaris? root?
> > 
> > 
> > Sorry for the newbie question but:
> >   What user should install Tomcat on unix?  My understanding 
> > is that since
> > it runs on port 8007 any user should be able to install it.
> > 
> > What are the advantages / disadvantages to installing it as 
> > root / user?
> > Does it really matter?
> > 
> > Chris Hosegood
> > chosegood@edu.gov.mb.ca
> > Programmer/Analyst
> > MIS, Manitoba Education & Training
> > 204.945.2535
> > 

Mime
View raw message