RE: security issue: tomcat on port 80

2001-12-06 Thread Chris Newland

Hi,

There are security implications for running *any* server process on *any*
port that is accessible by the public internet.

To run a server on UNIX/Linux on a port number of less than 1024 requires
root privileges. I would strongly recommend you do *NOT* run Tomcat as the
root user since if the server was compromised (by a buffer overflow attack
for instance) then the attacker would have root access to the entire
machine.

I personally run Tomcat behind an Apache web server (which runs on port 80
on a restricted user account) and use mod_webapp to connect the two.

Get a book on UNIX system administration and do some web searches; there's
plenty of information out there.

Hope this helps,

Chris

-Original Message-
From: E B [mailto:[EMAIL PROTECTED]]
Sent: 06 December 2001 09:55
To: Tomcat Users List
Subject: security issue: tomcat on port 80


How safe is it to have tomcat listening on port 80
running on a RH6.2, which is on the internet?
Did anybody face any security problems ever?





--
To unsubscribe:   
For additional commands: 
Troubles with the list: 







Re: security issue: tomcat on port 80

2001-12-06 Thread Attila Szegedi

Java VM actually shields you from buffer overflow attacks, since you cannot
overflow an array, let alone do it so that it overwrites code segments. So
in case of Tomcat (or any Java-written server), buffer overflow attacks are
out of the question. Other attacks are still possible, though.

Attila.

- Original Message -
From: "Chris Newland" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <[EMAIL PROTECTED]>
Sent: 6 December 2001 12:18
Subject: RE: security issue: tomcat on port 80


> Hi,
>
> There are security implications for running *any* server process on *any*
> port that is accessible by the public internet.
>
> To run a server on UNIX/Linux on a port number of less than 1024 requires
> root privileges. I would strongly recommend you do *NOT* run Tomcat as the
> root user since if the server was compromised (by a buffer overflow attack
> for instance) then the attacker would have root access to the entire
> machine.
>
> I personally run Tomcat behind an Apache web server (which runs on port 80
> on a restricted user account) and use mod_webapp to connect the two.
>
> Get a book on UNIX system administration and do some web searches; there's
> plenty of information out there.
>
> Hope this helps,
>
> Chris
>






Re: security issue: tomcat on port 80

2001-12-06 Thread E B

--- Attila Szegedi <[EMAIL PROTECTED]> wrote:
> Java VM actually shields you from buffer overflow attacks, since you cannot
> overflow an array, let alone do it so that it overwrites code segments. So
> in case of Tomcat (or any Java-written server), buffer overflow attacks are
> out of question. Other attacks are still possible, though.

Can you list some of the other attacks?







Re: security issue: tomcat on port 80

2001-12-06 Thread Dr. Evil

> How safe is it to have tomcat listening on port 80
> running on a RH6.2, which is on the internet?
> Did anybody face any security problems ever?

From the conventional point of view, having things run on port 80 has
been dangerous because a proc has to have uid 0 to bind to the port.
Apache is regarded as safe because the code drops root ASAP and is
thoroughly tested and audited.  Tomcat is not regarded as safe because
it can't drop uid 0.

However, the reason why uid 0 is so dangerous for Apache is because
it's written in C.  Buffer overflows are almost inevitable in a
language like C, with its direct memory access and unsafe pointers.
Java bytecode doesn't have any of those problems.  It can't manipulate
memory or pointers ever.  It is much much safer than C will ever be.
So I think running Tomcat on port 80 should be fine.

An even better solution would be to recompile your kernel so that you
don't need uid 0 to bind to port 80.  I still can't figure out why
they have that dumb restriction that you must have uid 0 to bind ports
< 1024.  That's just stupid and it causes far more security problems
than it solves today.

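Chris's advice (don't let the server run as root) and Dr. Evil's point (only uid 0 can bind ports below 1024, and Tomcat can't drop it) come down to one check an admin can make on the box: is anything listening on a privileged port as root? The script below is an added example, not code from anyone in this thread. It parses the kernel's /proc/net/tcp table, whose uid column is the socket owner; the sample table is constructed, the host is assumed little-endian (the address column is in host byte order), and the live file is read when the script is run directly on Linux.

```python
import socket
import struct

# Constructed sample in /proc/net/tcp format (not captured from a real host):
# a root-owned listener on port 80 (0x0050), a uid 1001 listener on 8080 (0x1F90),
# a root-owned listener on 22 (0x0016), and one ESTABLISHED connection (st 01)
# that the audit must ignore.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 22222 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 33333 1 0000000000000000 100 0 0 10 0
   3: 0100007F:0050 0100007F:B3C4 01 00000000:00000000 00:00000000 00000000     0        0 44444 1 0000000000000000 20 4 30 10 -1
"""

TCP_LISTEN = 0x0A            # socket state code for LISTEN in /proc/net/tcp
PRIVILEGED_PORT_LIMIT = 1024  # ports below this need uid 0 to bind (the thread's sticking point)


def _hex_addr(field):
    """Convert the kernel's 'HEXIP:HEXPORT' field (IP in host byte order) to (dotted_ip, port)."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))  # assumes a little-endian host
    return ip, int(port_hex, 16)


def parse_listeners(text):
    """Return [(ip, port, uid)] for every socket in LISTEN state, skipping the header line."""
    listeners = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        # fields: sl, local, remote, st, tx:rx, tr:when, retrnsmt, uid, timeout, inode, ...
        if len(fields) < 8 or int(fields[3], 16) != TCP_LISTEN:
            continue
        ip, port = _hex_addr(fields[1])
        listeners.append((ip, port, int(fields[7])))
    return listeners


def root_privileged_listeners(text):
    """Listeners on ports < 1024 whose socket is owned by uid 0: a server that never dropped root."""
    return [(ip, port, uid) for ip, port, uid in parse_listeners(text)
            if port < PRIVILEGED_PORT_LIMIT and uid == 0]


if __name__ == "__main__":
    # Audit the live host when possible; fall back to the constructed sample elsewhere.
    try:
        with open("/proc/net/tcp") as fh:
            data = fh.read()
    except OSError:
        data = SAMPLE_PROC_NET_TCP
    for ip, port, uid in root_privileged_listeners(data):
        print(f"root-owned listener on {ip}:{port} (uid {uid})")
```

On the sample, the 8080 listener owned by uid 1001 is the configuration Chris describes (a restricted account), while the port 80 and 22 entries are the ones this check flags.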




RE: security issue: tomcat on port 80

2001-12-06 Thread Jim Urban

I run Tomcat on port 80 on my Win32 servers (NT and 2K).  I have watched the
Windows viruses attack Tomcat with no impact.  The one server running IIS
(required for our time keeping software) got nailed by a virus within a week
of being set up.  That server has since had IIS pointed to a different port
and placed behind the firewall.  I feel much more secure running Tomcat than
IIS on Win32.

Jim

-Original Message-
From: Dr. Evil [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 06, 2001 1:48 PM
To: [EMAIL PROTECTED]
Subject: Re: security issue: tomcat on port 80


> How safe is it to have tomcat listening on port 80
> running on a RH6.2, which is on the internet?
> Did anybody face any security problems ever?

From the conventional point of view, having things run on port 80 has
been dangerous because a proc has to have uid 0 to bind to the port.
Apache is regarded as safe because the code drops root ASAP and is
thoroughly tested and audited.  Tomcat is not regarded as safe because
it can't drop uid 0.

However, the reason why uid 0 is so dangerous for Apache is because
it's written in C.  Buffer overflows are almost inevitable in a
language like C, with its direct memory access and unsafe pointers.
Java bytecode doesn't have any of those problems.  It can't manipulate
memory or pointers ever.  It is much much safer than C will ever be.
So I think running Tomcat on port 80 should be fine.

An even better solution would be to recompile your kernel so that you
don't need uid 0 to bind to port 80.  I still can't figure out why
they have that dumb restriction that you must have uid 0 to bind ports
< 1024.  That's just stupid and it causes far more security problems
than it solves today.



