tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bill Barker" <>
Subject Re: Opinions
Date Fri, 31 Oct 2003 08:30:27 GMT

"Vincent Aumont" <> wrote in message
> François,
> >Oh, and last but not least, I didn't find a privilege separation method
in tomcat (like in apache or ssh or postfix, or...). Perhaps am I wrong,
but, if you want tomcat to run in unpriviledge environment, you have to make
it bind to a public port (say 8080). I use iptables to redirect connections
from 80 to 8080:
> >
> >
> No, you're right.  You can make Apache listen on port 80 while running
> as root because it'll change the process' ownership when it opens a new
> connection. There is no portable way of doing this in Java; therefore,
> you have to run Tomcat as root if you want to make it listen on port 80.
> Of course, that's a major security hole.
> I always front-end TC with Apache and use mod_proxy to achieve what
> you're doing with iptables.

Right and wrong ;-).  Tomcat 5 ships with the (source for) commons-daemon,
which gives Tomcat this same capability on *nix boxes.  Of course,
commons-daemon works with Tomcat 4.1 and Tomcat 3.3 as well (as well as any
other Java programs that need this feature).

> -Vincent.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message