tomcat-users mailing list archives

From "Caldarale, Charles R" <Chuck.Caldar...@unisys.com>
Subject RE: Protecting static resources in IIS
Date Tue, 02 Nov 2010 18:47:54 GMT
> From: Richard G Curry [mailto:rgcurry@jcpenney.com] 
> Subject: RE: Protecting static resources in IIS

> > > > From: Rob Gregory [mailto:Rob.Gregory@ibsolutions.com]
> > > > Subject: RE: Protecting static resources in IIS

> > > > Would that then result in having to run Tomcat/Apache/IIS as 
> > > > root/system rather than a restricted user?

> > > Yes. 

> > That sounds like a really bad idea.

> How so? What am I missing?

Basic security philosophy, known as the principle of least privilege.  Running as root/system
is like walking around with a "kick me" sign; just wait till the hackers break into your IIS
box running that way...

 - Chuck



