tomcat-users mailing list archives

From Mark Thomas <>
Subject Re: running tomcat6 under a different user than root (debian)
Date Fri, 29 Oct 2010 13:34:29 GMT
On 29/10/2010 14:18, Darryl Lewis wrote:
> Encrypt the username and passwords using Realm configuration.

Realms have nothing to do with the usernames and passwords used to
connect to databases defined via <Resource> tags.

> You should always assume there is the possibility that a user will get
> access to the system via a badly written program. Whilst they might get some
> system access, you should make it as difficult as possible for them to jump
> to the next box.

If Tomcat has access to a database and the attacker has access to a
shell prompt (or similar) with the same privileges as Tomcat then the
attacker has access to the database and there is absolutely nothing you
can do to prevent that.

> If you give read access on server.xml only to root user,

No-one is suggesting that. Go read what Pid wrote again.

> Tomcat is started with root privileges, which is really bad.

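The exchange turns on two facts that can be checked directly on a box: which user the Tomcat process actually runs as, and whether the file holding the plaintext <Resource> credentials (server.xml) is readable by that user and by nobody else. The script below is an added example for this thread, not code from the Tomcat project or from either poster. It assumes the Debian package layout (service user `tomcat6`, `/etc/tomcat6/server.xml`, pid file `/var/run/tomcat6.pid`); the function bodies only rely on POSIX `ls`, `cut`, `awk` and Linux `/proc`.

```shell
#!/bin/sh
# Added example for the tomcat-users thread, not project or poster code.
# Audits (1) the uid a running Tomcat uses and (2) the ownership and mode of
# the configuration file that carries plaintext <Resource> credentials.
# The user name "tomcat6" and the /etc/tomcat6 and /var/run/tomcat6.pid paths
# are assumed Debian defaults; adjust for your install.

# process_uid PID: print the numeric uid PID runs as (Linux /proc, with a
# ps fallback). A result of 0 means the process is running as root.
process_uid() {
  if [ -r "/proc/$1/status" ]; then
    awk '/^Uid:/ { print $2 }' "/proc/$1/status"
  else
    ps -o uid= -p "$1" | tr -d ' '
  fi
}

# check_config_perms FILE USER: return 0 when FILE is a regular file, owned
# by USER or by root, and carries no permissions at all for "other".
# Note: a root-owned file is only usable by Tomcat if its group grants read
# access to USER's group; this function does not verify that half.
check_config_perms() {
  file=$1
  svc_user=$2
  if [ ! -f "$file" ]; then
    echo "FAIL: $file is not a regular file"
    return 1
  fi
  # Fields of `ls -ld`: mode, link count, owner, group, ... (GNU and BSD agree)
  set -- $(ls -ld "$file")
  mode=$1
  owner=$3
  # Characters 8-10 of the mode string are the rwx bits for "other"
  others=$(printf '%s\n' "$mode" | cut -c8-10)
  if [ "$others" != "---" ]; then
    echo "FAIL: $file is accessible to other ($mode, owner $owner)"
    return 1
  fi
  case "$owner" in
    "$svc_user"|root) ;;
    *)
      echo "FAIL: $file is owned by $owner, expected $svc_user or root"
      return 1
      ;;
  esac
  echo "OK: $file $mode owner=$owner"
  return 0
}

# Stand-alone use (assumed Debian layout): sh audit.sh /var/run/tomcat6.pid
if [ -n "${1:-}" ]; then
  pid=$(cat "$1")
  uid=$(process_uid "$pid")
  if [ "$uid" = 0 ]; then
    echo "FAIL: Tomcat pid $pid runs as root"
  else
    echo "OK: Tomcat pid $pid runs as uid $uid"
  fi
  check_config_perms /etc/tomcat6/server.xml tomcat6
fi
```

A passing audit only shows that other local users cannot read the credentials from disk; as the reply above says, anyone who obtains a shell with the Tomcat user's privileges can read the same file, so the check is about limiting who else on the host can, not about protecting the database from a compromised Tomcat.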