tomcat-users mailing list archives

From Li <ampyx...@gmail.com>
Subject Re: Servlet that needs ROOT access
Date Tue, 01 Aug 2006 11:29:37 GMT
Hi Paul,

If you use root to run it, that means Tomcat can access anywhere your
root can. Uploading a simple script (if your application has that
function) can crash your system.

If you create a specific user and group, and define permissions nicely,
this specific user can only do specific things, as you don't need to
change most of the other users' and groups' permissions.

Besides, you can ensure your Tomcat by:
1. Start it using "catalina.sh" with the security manager. This would be
more strict, and you have to define your policy well, otherwise your
webapp will not even work.
2. Block certain hosts (assuming you know some IP addresses or ranges
always trying to break into the system...); put them into /etc/hosts.deny.
3. Only open the ports that you need.
4. Use a firewall.
5. ....

Making your Tomcat secure is not just about Tomcat itself; you have to
consider it OS-wide.


Just Opinion, wish could help

Regards

Li

On 8/1/06, Paul McMahon <pmcmahon@software.plasmon.com> wrote:
> Yes I meant as root user in Linux, not the ROOT webapp.
>
> I could try giving tomcat user root group access; this is also potentially a
> security hole though?
>
> On Tuesday 01 August 2006 12:14, you wrote:
> > It is possible to run as non root (assume the "root" here is "root"
> > for Unix/Linux?)
> > you can create a specific user say "tomcat" but still assign with
> > group root, or you can create group "tomcat", make sure your jdk is
> > accessible by the tomcat user and or group
> >
> > If you mean the root application in tomcat, yes you can, simply copy
> > your web app structure (index.*, WEB-INF .... ) into root, or you can
> > modify the server.xml baseDoc pointing to / but not webapps, so when
> > you type xxx.xxx.xxx.xxx:8080, it will start up your application ....
> >
> > Not sure whether it is what you are asking..
> >
> > On 8/1/06, Paul McMahon <pmcmahon@software.plasmon.com> wrote:
> > > Is it possible to run Tomcat as non ROOT (desirable as I see from
> > > FAQs/other threads), but have a servlet that needs ROOT access?
> > >
> > > Or is the solution to have the servlet application code running as a
> > > separate daemon outside tomcat, with some form of comms to tomcat servlet
> > > when tasks need to be done?
> > >
> > >
> > > -Paul
> > >
> > > ---------------------------------------------------------------------
> > > To start a new topic, e-mail: users@tomcat.apache.org
> > > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > > For additional commands, e-mail: users-help@tomcat.apache.org
>
> --
> -Paul McMahon
> -01763 261 466 ext 569
>


-- 
When we invent time, we invent death.
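
A check for two of the points in the reply above (a dedicated non-root user, and starting with the security manager), as an added example that is not part of the original message. It reads `ps -eo user=,args=` style lines and flags Tomcat JVMs that run as root or lack `-Djava.security.manager`; the sample process lines and the `/opt/tomcat` path are constructed.

```shell
#!/bin/sh
# Flag Tomcat JVMs that run as root or without the Java security manager.
# Input on stdin: one process per line, "<user> <full command line>",
# i.e. the format produced by `ps -eo user=,args=`.

audit_tomcat_ps() {
    _status=0
    while read -r _user _args; do
        # Tomcat's launcher class identifies the JVM regardless of install path.
        case "$_args" in
            *org.apache.catalina.startup.Bootstrap*) ;;
            *) continue ;;
        esac
        # A root-owned JVM gives any webapp flaw full access to the host.
        if [ "$_user" = "root" ] || [ "$_user" = "0" ]; then
            echo "FAIL runs-as-root user=$_user"
            _status=1
        fi
        # `catalina.sh start -security` puts this flag on the JVM command line.
        case "$_args" in
            *-Djava.security.manager*) ;;
            *) echo "WARN no-security-manager user=$_user"; _status=1 ;;
        esac
    done
    return "$_status"
}

# Constructed sample input (not taken from the thread or a real host).
SAMPLE_PS='root /usr/bin/java -Dcatalina.home=/opt/tomcat org.apache.catalina.startup.Bootstrap start
tomcat /usr/bin/java -Djava.security.manager -Djava.security.policy==/opt/tomcat/conf/catalina.policy -Dcatalina.home=/opt/tomcat org.apache.catalina.startup.Bootstrap start
tomcat /usr/bin/java -Dcatalina.home=/opt/tomcat org.apache.catalina.startup.Bootstrap start
root /usr/sbin/sshd -D'

# Sample run:  printf '%s\n' "$SAMPLE_PS" | audit_tomcat_ps
# Live use:    ps -eo user=,args= | audit_tomcat_ps
```

The function returns non-zero when any finding is printed, so it can gate a deployment or monitoring check. The security manager flag applies to Tomcat and Java versions of this thread's era; the Java Security Manager has since been deprecated (JEP 411).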


