tomcat-users mailing list archives

From Nikola Milutinovic <>
Subject Re: Systems Architecture Pros and Cons
Date Thu, 13 Oct 2005 09:07:57 GMT
Peter Johnson wrote:

> It is possible for Apache to be compromised without Tomcat being 
> compromised e.g. an overflow in Apache. So if Apache (or other service 
> on the front box) is compromised and the systems are tiered then the 
> intruder can only impersonate local actions. If all tiers reside on 
> the same server then by compromising Apache or Tomcat the intruder can 
> effectively impersonate as either tier.

Well, it is not as easy as it may sound. Both TC and Apache run under 
unprivileged users. Apache is started by root, but will drop to "apache" 
or "http" user as soon as it has bound itself to port 80 (which requires 
root). So, compromising Apache leads to someone controlling a process 
with Apache privileges. That *is* a starting point to further compromise 
the system, but doesn't automatically open TC to the intruder. If the 
intruder can easily compromise "tomcat" user, then most likely it can 
compromise "root", too.

Of course, having a rogue apache process on a box that has no other 
service makes it easier to isolate the attacker, which is a good option. 
Providing you know what to do, once you've realized the compromise took 

From the security point of view this "reverse" approach is actually 
good. Ask yourself, "what am I supposed to do, if the Apache gets 
compromised?". When you answer that question, you will have a clearer 
picture of the preferred system architecture. Also, ask yourself, "what 
is the system supposed to do? How should it perform?" and you will have 
an even clearer picture.
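
The account separation described in the message above can be checked from a process listing. The following is an added example, not part of the original post: it audits `ps -eo user,pid,ppid,args` output for request-handling httpd processes or Tomcat running as root, and for both tiers sharing one account. The sample listing, the account names and the function names are constructed for illustration.

```python
# Constructed sample of `ps -eo user,pid,ppid,args` output (not from a real host).
SAMPLE_PS = """\
USER       PID  PPID COMMAND
root       801     1 /usr/sbin/httpd -k start
apache     812   801 /usr/sbin/httpd -k start
apache     813   801 /usr/sbin/httpd -k start
tomcat     950     1 /usr/bin/java -Dcatalina.home=/opt/tomcat org.apache.catalina.startup.Bootstrap start
"""

def parse_ps(text):
    """Yield (user, pid, ppid, args) for each process line, skipping the header."""
    for line in text.splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) == 4:
            user, pid, ppid, args = parts
            yield user, int(pid), int(ppid), args

def audit(text):
    """Return a list of findings about the accounts Apache and Tomcat run under."""
    procs = list(parse_ps(text))
    httpd = [p for p in procs
             if p[3].split()[0].rsplit("/", 1)[-1] in ("httpd", "apache2")]
    tomcat = [p for p in procs if "org.apache.catalina" in p[3]]
    httpd_pids = {p[1] for p in httpd}
    # The httpd parent keeps root; its children, which handle requests,
    # are the processes that must run under the unprivileged account.
    workers = [p for p in httpd if p[2] in httpd_pids]
    findings = []
    for user, pid, _, _ in workers:
        if user == "root":
            findings.append(f"httpd worker {pid} still runs as root")
    for user, pid, _, _ in tomcat:
        if user == "root":
            findings.append(f"tomcat process {pid} runs as root")
    # A shared account means a compromised worker already holds Tomcat's rights.
    shared = {p[0] for p in workers} & {p[0] for p in tomcat}
    for user in sorted(shared):
        findings.append(f"Apache and Tomcat share the account '{user}'")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_PS) or ["no findings"]:
        print(finding)
```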

