I can't say. Why? The set of possibilities are infinite. This is a basic prinicipal of unix security. Never run any daemon as root. I for one always create a special user for tomcat. That way if tomcat is compromized, only that which tomcat owns or can write to is compromized. I usually create a special group as well and don't let tomcat own anything.
Asking what are all the security holes is the wrong question. Read: http://www.tldp.org/HOWTO/Security-HOWTO/index.html - while it is aimed at linux, some applies universally to other unicies as well. Do you absolutely trust: 1. tomcat to never have a security hole 2. cocoon to never have a security hole 3. all applications (servlets/etc) running under Cocoon/tomcat to never have security holes. 4. if the answer to any of the above is no, then do you trust EVERY user on the network (for example the internet) to never ever do anything to try and exploit that. An example: Say you have a servlet/xsp/action/whatever that based on the passed in username writes an new file in /opt/tomcat/userinfo as to when the user logged in/etc with the username as the filename. You have two parameters, username and the message. The servlet/xsp/action/whatever gets executed on occassion as a service. Usernames are permitted to have web-address-illegal characters in them so you url-encode them. The message is anything. So I being a savy hacker set my username to ../../../etc/passwd and the log message to "andy:ptpasswd:...." (can't rembmer the syntax but you get the point). Well thanks for root access, I'll just telnet (DISABLE TELNET and use SSH) into your box and format the hard drive or use it to hack into the military or crash yahoo with flood attacks or something... Those nice men in the black suits will be at your door shortly to question you about your internet usage... Okay...a bit of an exaggeration... Don't run tomcat (or anything else where you have a choice) as root. -Andy Thomas Garger wrote: >why not? >could there be some security problems? which one? > >greetings, chris > >-----Original Message----- >From: Andrew C. Oliver [mailto:[EMAIL PROTECTED]] >Sent: Donnerstag, 04. Juli 2002 18:33 >To: [EMAIL PROTECTED] >Subject: Re: can't start cocoon under root > > >just for the record. You really shouldn't run tomcat as root. > >Thomas Garger wrote: > > > >>hi! >> >>i use tomcat 4.0.1, cocoon 2.0.2 and SUSE linux 8.0 >> >>if i start tomcat under a normal user (not root) everthing works fine. >> >>but if i start tomcat under root user - and i want to access cocoon >> >>->there is an error message in my catalin.out like this: >>Xlib: connection to "212.186.159.80:0.0" refused by server >>Xlib: No protocol specified >> >>->the cocoon page puts out the following >>org.apache.cocoon.ProcessingException: Error compiling sitemap: >>java.lang.InternalError: Can't connect to X11 window server using >>':0.0' as the value of the DISPLAY variable. . >>. >>. >> >>->my startup.sh looks as following : >>export DISPLAY=212.186.159.80:0 >>BASEDIR=`dirname $0` >>$BASEDIR/catalina.sh start "$@" >> >>if i don't put in the line "export DISPLAY=212.186.159.80:0", than >>under a normal user it's also not working >> >>why this works with a non root user and not with root? >> >>greetings, tom >> >> >>--------------------------------------------------------------------- >>Please check that your question has not already been answered in the >>FAQ before posting. <http://xml.apache.org/cocoon/faq/index.html> >> >>To unsubscribe, e-mail: <[EMAIL PROTECTED]> >>For additional commands, e-mail: <[EMAIL PROTECTED]> >> >> >> >> >> >> > > > > >--------------------------------------------------------------------- >Please check that your question has not already been answered in the >FAQ before posting. <http://xml.apache.org/cocoon/faq/index.html> > >To unsubscribe, e-mail: <[EMAIL PROTECTED]> >For additional commands, e-mail: <[EMAIL PROTECTED]> > > > >--------------------------------------------------------------------- >Please check that your question has not already been answered in the >FAQ before posting. <http://xml.apache.org/cocoon/faq/index.html> > >To unsubscribe, e-mail: <[EMAIL PROTECTED]> >For additional commands, e-mail: <[EMAIL PROTECTED]> > > > > --------------------------------------------------------------------- Please check that your question has not already been answered in the FAQ before posting. <http://xml.apache.org/cocoon/faq/index.html> To unsubscribe, e-mail: <[EMAIL PROTECTED]> For additional commands, e-mail: <[EMAIL PROTECTED]>
