tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "" <>
Subject Tomcat Nobody
Date Fri, 29 Mar 2002 12:41:34 GMT
Hi all,

I have two cosiderations about your Tomcat-nodody advices:

1) There is no tomcat4.conf in conf directory.

2) Your advice is to do 
   - chown nobody:nobody /usr/local/tomcat1
   - su -l -c /usr/local/tomcat1/bin/

There is a big problem with this procedure, in my opinion: the problem 
is a security problem. We know that Apache runs as nobody, but the 
directories are root:root. The father process forks child processes 
which are nobody, so if someone tries to execute a cgi, this has no 
privilegy. But if you execute "chown nobody:nobody /usr/local/tomcat1", 
all directories are nobody, so anyone can write e do everything.

I'd like starting tomcat as apache, with the same security policy.

Is it possible?

What do you think?

Thanks for your help

View raw message