tomcat-users mailing list archives

From Amit Agarwal <ami....@gmail.com>
Subject Re: How to change effective user id on Windows
Date Fri, 08 Jan 2010 07:49:36 GMT
How do we start Tomcat programmatically using Bootstrap.start() API if we
need to pass the user?

On Thu, Jan 7, 2010 at 8:30 PM, Peter Crowther
<peter.crowther@melandra.com> wrote:

> 2010/1/7 Looijmans, Mike <mike.looijmans@oce.com>:
> > The current configuration is correct in terms of security - the 'SYSTEM'
> > user is a limited account that has no access to the desktop nor shared
> > network resources.
>
> Sorry to pick you up on this one, Mike, but I think you're thinking of
> Local*Service*, not Local*System*.  LocalSystem has full
> administrative access to the local computer, including (for example)
> being able to write a rogue DLL to a spare directory, then amend the
> registry so that that DLL is loaded by every process that runs on the
> machine from this point onwards.  Or create a new local account that
> *does* have desktop access and spawn a process running as that user.
> If you can compromise LocalSystem, you've got the machine.
>
> Windows' LocalSystem is very, very close to Unix's root.  If you want
> a non-privileged account, use LocalService not LocalSystem.  See, for
> example
> http://blogs.msdn.com/jmanning/archive/2008/04/06/localsystem-root-localservice-nobody.aspx
>
> - Peter
>


-- 

Sent from Karnataka, India
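
The LocalSystem versus LocalService distinction in the quoted reply can be checked on a host by reading each service's logon account. The following is an added example, not part of the original thread; the `Tomcat%` service-name pattern and the `Get-ServiceAccountRisk` helper are assumptions made for illustration.

```powershell
# Added example: report the logon account of matching services and flag
# any that run as LocalSystem.
# Assumption: the Tomcat service name starts with 'Tomcat'; adjust the filter.

function Get-ServiceAccountRisk {
    param([string]$StartName)
    # Win32_Service.StartName values for the built-in service accounts.
    # switch -Regex matches case-insensitively by default.
    switch -Regex ($StartName) {
        '^$' {
            'UNKNOWN: no logon account reported'; break
        }
        '^(LocalSystem|NT AUTHORITY\\SYSTEM)$' {
            'HIGH: full administrative access to the local computer'; break
        }
        '^NT AUTHORITY\\Local ?Service$' {
            'LOW: non-privileged, anonymous on the network'; break
        }
        '^NT AUTHORITY\\Network ?Service$' {
            'LOW: non-privileged, uses the machine identity on the network'; break
        }
        default {
            'REVIEW: named account, check its group memberships'
        }
    }
}

Get-CimInstance -ClassName Win32_Service -Filter "Name LIKE 'Tomcat%'" |
    Select-Object Name, State, StartName,
        @{ Name = 'Risk'; Expression = { Get-ServiceAccountRisk $_.StartName } } |
    Format-Table -AutoSize

# To move a service to LocalService (run elevated, then restart the service):
#   sc.exe config <ServiceName> obj= "NT AUTHORITY\LocalService" password= ""
# The account then needs read access to the Tomcat installation and write
# access to its logs, temp and work directories.
```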
