tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Darryl Lewis <darryl.le...@unsw.edu.au>
Subject Re: running tomcat6 under a different user than root (debian)
Date Fri, 29 Oct 2010 13:18:39 GMT
Encrypt the username and passwords using Realm configuration.

You should always assume there is the possibility that a user will get
access to the system via a badly written program. Whilst they might get some
system access, you should make it as difficult as possible for them to jump
to the next box.

If you give read access on server.xml only to root user, it requires that
Tomcat is started with root privileges, which is really bad. If a person
gets access, they automatically get root privildges.
Then entire idea is to make it difficult for a person to get very far
quickly.
If you run TC as a non-root user, even if they crack the app to get system
access, they still have to go further to get root.


On 29/10/10 10:42 PM, "Pid" <pid@pidster.com> wrote:

> On 29/10/2010 12:03, Darryl Lewis wrote:
>> No one should, but I had a supplier recommend to run their application as
>> root. All their scripts and configuration instructions were for running as
>> root.
>> Needless to say I didn't run it as that and rewrote their installation
>> scripts.
>> Now I have to try and convince them that storing the database connection
>> username and passwords in plaintext are a bad idea...
> 
> What is the alternative?
> 
> If the config files containing that information are only readable by the
> user running Tomcat, and that user doesn't have login access - assuming
> you're using the service wrapper script to start up, then the
> information is protected, no?
> 
> 
> p


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message