From: "Jonathan Eric Miller"
To: "Tomcat User List"
Subject: Fw: Tomcat security questions
Date: Thu, 20 Sep 2001 14:27:33 -0500

For some reason this didn't seem to go through the first time...

Jon

----- Original Message -----
From: "Jonathan Eric Miller"
To: "Tomcat User List"
Sent: Wednesday, September 19, 2001 10:11 PM
Subject: Tomcat security questions

> I'm wondering if anyone has any suggestions on how to best set up Tomcat for
> maximum security? Currently, I'm running Tomcat in a chrooted environment.
>
> I see that there is also a way to run Tomcat as a non-root user. I'm
> wondering what the best configuration is.
>
> It seems like running it chrooted is probably the best way to go.
>
> Also, I'm wondering how much of an issue buffer overflows are for Tomcat
> considering it's written in Java, which as far as I know makes them close to
> impossible. You would have to basically find an overflow in the JVM, right?
>
> Any other suggestions on how Tomcat should be configured for security? i.e.
> removing sample applications, etc.
>
> Jon