tomcat-users mailing list archives

From John Turner <tomcat-u...@johnturner.com>
Subject Re: Running Tomcat as Non-Root
Date Fri, 18 Jul 2003 21:07:39 GMT
On Fri, 18 Jul 2003 17:01:46 -0400, Lukas Bradley <lukas@somnia.com> wrote:
>
> Why don't particular flavors of the OS allow for < 1024 to be non-root?
>
> Lukas

Because then ANYONE with a user account could bind a service to those 
ports.  Then, to protect your server and your users, your only recourse 
would be to prevent any user accounts on the server EXCEPT root (because 
you couldn't trust anyone else), which would completely defeat the whole 
purpose of a MULTI-USER system.

Sure, it's a GREAT idea to let ANYONE bind a homegrown version of sshd to 
port 22, that does nothing but log user accounts and passwords from people 
trying to log in, but instead of doing anything else simply returns an 
innocuous message like "server's key is invalid" or something like that.  
Ditto a home-grown version of Apache.  If you're the sys-admin, how would 
you be able to trust the version of httpd that was on your system?  How would 
you know it didn't have a trojan or something?  You wouldn't, because 
anyone would be able to bind a service called "httpd" to port 80.

Think about it.

John



---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
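
Added example, not part of the original message: the trust argument above can be checked on a host by listing which UID owns each listening socket on a port below 1024. It assumes the Linux /proc/net/tcp table format; the SAMPLE table and the function names are constructed for illustration.

```python
# Audit which UID owns each listening socket on a privileged port.
# Assumption: Linux /proc/net/tcp column layout. SAMPLE is constructed, not captured.
PRIVILEGED_MAX = 1023
TCP_LISTEN = "0A"  # state code for LISTEN in /proc/net/tcp

SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11001 1 0000000000000000 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 11002 1 0000000000000000 100 0 0 10 0
   2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 11003 1 0000000000000000 100 0 0 10 0
   3: 0100007F:0016 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 11004 1 0000000000000000 100 0 0 10 0
"""

def listeners(table):
    """Yield (port, uid) for every socket in LISTEN state."""
    for line in table.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 8 or fields[3] != TCP_LISTEN:
            continue
        # local_address is HEXIP:HEXPORT; rsplit also copes with tcp6 rows
        port = int(fields[1].rsplit(":", 1)[1], 16)
        yield port, int(fields[7])  # field 7 is the owning UID

def unexpected_privileged(table, trusted_uids=(0,)):
    """Return sorted (port, uid) pairs where a port < 1024 has an untrusted owner."""
    return sorted(
        (port, uid)
        for port, uid in listeners(table)
        if port <= PRIVILEGED_MAX and uid not in trusted_uids
    )

if __name__ == "__main__":
    import sys
    # Pass /proc/net/tcp (or /proc/net/tcp6) as an argument to audit a live host.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE
    for port, uid in unexpected_privileged(text):
        print(f"port {port} is held by uid {uid}, expected root")
```

A non-root owner can appear legitimately where the host grants CAP_NET_BIND_SERVICE to a service or lowers net.ipv4.ip_unprivileged_port_start, so list those UIDs in trusted_uids.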

