tomcat-users mailing list archives

From Wesley Acheson <wesley.ache...@gmail.com>
Subject Re: New jsvc (commons-daemon-native); catalina.out is owned by root - WTF?
Date Wed, 01 Dec 2010 21:06:15 GMT
Can someone explain to me why logging as the tomcat user is a security risk?

I don't like that behaviour but then again I don't understand it.

Regards,

Wesley Acheson

On Wed, Dec 1, 2010 at 6:41 PM, Mladen Turk <mturk@apache.org> wrote:
> On 12/01/2010 11:55 AM, Gregor Schneider wrote:
>>>
>> Sure, since Apache is usually started within root-context ("sbin") -
>> so that does make sense.
>>
>
> Right, but it drops the user to apache if instructed to do so.
> Even then logs are root owned, and this is a security
> precaution (like with jsvc)
>
>>
>> And if you take a look into /var/logs, you can see exactly, that the
>> logs inside this directory partly don't belong to root as long as they
>> are not run within a root-context.
>>
>> A good example is mysql:
>>
>
> This is not a good example. mysql doesn't need to run
> on a privileged port, and if your tomcat doesn't need to
> run on port 80, and you don't wish to secure your
> installation, why use jsvc in the first place?
>
>
> Regards
> --
> ^TM
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
