Return-Path:
Mailing-List: contact tomcat-user-help@jakarta.apache.org; run by ezmlm
Delivered-To: mailing list tomcat-user@jakarta.apache.org
Received: (qmail 8034 invoked from network); 6 Oct 2000 08:09:02 -0000
Received: from unknown (HELO vdcrexc1.orange.ch) (212.215.1.70) by locus.apache.org with SMTP; 6 Oct 2000 08:09:02 -0000
Received: by vdcrexc1.orange.ch with Internet Mail Service (5.5.2650.21) id <4KDKYVZ9>; Fri, 6 Oct 2000 10:08:34 +0200
Message-ID: <2B26E094BB13D3118FB3006008214FA5F06F88@vdlaexc0.orange.ch>
From: Kitching Simon
To: "'tomcat-user@jakarta.apache.org'"
Subject: RE: Who should install Tomcat on Solaris? root?
Date: Fri, 6 Oct 2000 10:08:33 +0200
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: text/plain
X-Spam-Rating: locus.apache.org 1.6.2 0/1000/N

Hi,

Just to expand a little on Andreas' answer..

When you say "it runs on 8007" I presume that you mean you are using apache as a front-end. That's fine, that's one of the ways that tomcat is meant to be used though not the only one.

In this situation, you are correct to say that it can be run as any user, and as Andreas suggested you *really* should run it as a non-root-user. Imagine for example that there is a buffer-overflow or other bug in apache that can be used to remotely create a .jsp file in the webserver. If this .jsp file contains code to do something like "insert a row into the /etc/passwd file" and you are *running* tomcat as root, then it's party time!!!

You did ask which user to "install" tomcat as, which is a slightly different question, but I presume you mean run as. In fact, it probably is best to *install* tomcat as root (i.e. have the jar files etc. owned by root) and give the user you *run* tomcat as only read access to these files. That way, the tomcat files can't be replaced with hacked versions.

However, that is taking security to extreme levels; it is unlikely that a hacker can get that far into the system without having worse things they could do...

Cheers,

Simon

> -----Original Message-----
> From: Stubenrauch,Andreas [SMTP:mex02@erv.de]
> Sent: Friday, October 06, 2000 9:15 AM
> To: 'tomcat-user@jakarta.apache.org'
> Subject: RE: Who should install Tomcat on Solaris? root?
>
> You are right, anyone will do. I would recommend a separate (ordinary or less
> privileged) user account for security reasons.
>
> Regards,
> Andreas
>
> > -----Original Message-----
> > From: Hosegood, Chris W (EDU) [mailto:CHosegood@edu.gov.mb.ca]
> > Sent: Thursday, October 05, 2000 9:28 PM
> > To: 'tomcat-user@jakarta.apache.org'
> > Subject: Who should install Tomcat on Solaris? root?
> >
> > Sorry for the newbie question but:
> > What user should install Tomcat on unix? My understanding is that since
> > it runs on port 8007 any user should be able to install it.
> >
> > What are the advantages / disadvantages to installing it as root / user?
> > Does it really matter?
> >
> > Chris Hosegood
> > chosegood@edu.gov.mb.ca
> > Programmer/Analyst
> > MIS, Manitoba Education & Training
> > 204.945.2535
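
The layout described in the reply above (files owned by root, the run-as account limited to read access) can be checked with a short audit. This is an added example, not part of the original thread; the function name `audit_install_perms` and its output labels are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list every path under an install directory that the
# run-as account could modify. Empty output means the tree matches the
# "owned by root, read-only for the run user" layout.
#
# Usage: audit_install_perms DIR RUN_USER
#   DIR      - install directory to inspect (caller supplies the path)
#   RUN_USER - account name or numeric uid the server runs as
audit_install_perms() {
    dir=$1
    run_user=$2

    # Owned by the run-as account: it can always chmod and rewrite these.
    find "$dir" -user "$run_user" -exec printf 'owner\t%s\n' {} \;

    # World-writable: any local account can replace them.
    # Symlinks are skipped because their mode bits are not enforced.
    find "$dir" ! -type l -perm -0002 ! -user "$run_user" \
        -exec printf 'world-writable\t%s\n' {} \;

    # Group-writable through any group the run-as account belongs to.
    # id fails for an unknown account; then there are no groups to check.
    for gid in $(id -G "$run_user" 2>/dev/null); do
        find "$dir" ! -type l -group "$gid" -perm -0020 ! -perm -0002 \
            ! -user "$run_user" -exec printf 'group-writable\t%s\n' {} \;
    done
}
```

A writable directory is reported as well as a writable file, since write access to a directory is enough to swap a jar or drop a new .jsp into it.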