security issue: tomcat on port 80

2001-12-06 Thread E B
How safe is it to have tomcat listening on port 80 running on a RH6.2, which is on the internet? Did anybody face any security problems ever?

RE: security issue: tomcat on port 80

2001-12-06 Thread Chris Newland
system administration and do some web searches, there's plenty of information out there. Hope this helps, Chris -Original Message- From: E B [mailto:[EMAIL PROTECTED]] Sent: 06 December 2001 09:55 To: Tomcat Users List Subject: security issue: tomcat on port 80 How safe is it to

Re: security issue: tomcat on port 80

2001-12-06 Thread Attila Szegedi
. - Original Message - From: "Chris Newland" <[EMAIL PROTECTED]> To: "Tomcat Users List" <[EMAIL PROTECTED]> Sent: 6 December 2001 12:18 Subject: RE: security issue: tomcat on port 80 > Hi, > > There are security implications for running *an

Re: security issue: tomcat on port 80

2001-12-06 Thread E B
--- Attila Szegedi <[EMAIL PROTECTED]> wrote: > Java VM actually shields you from buffer overflow > attacks, since you cannot > overflow an array, let alone do it so that it > overwrites code segments. So > in case of Tomcat (or any Java-written server), > buffer overflow attacks are > out of que

AW: security issue: tomcat on port 80

2001-12-06 Thread Ralph Einfeldt
Original Message- > From: Attila Szegedi [mailto:[EMAIL PROTECTED]] > Sent: Thursday, 6 December 2001 12:57 > To: Tomcat Users List > Subject: Re: security issue: tomcat on port 80 > Java VM actually shields you from buffer overflow attacks, > since you cannot o

Re: security issue: tomcat on port 80

2001-12-06 Thread Dr. Evil
> How safe is it to have tomcat listening on port 80 > running on a RH6.2, which is on the internet ? > Did anybody face any security problems ever ? From the conventional point of view, having things run on port 80 has been dangerous because a proc has to have uid 0 to bind to the port. Apache

RE: security issue: tomcat on port 80

2001-12-06 Thread Jim Urban
port and placed behind the firewall. I feel much more secure running Tomcat than IIS on Win32. Jim -Original Message- From: Dr. Evil [mailto:[EMAIL PROTECTED]] Sent: Thursday, December 06, 2001 1:48 PM To: [EMAIL PROTECTED] Subject: Re: security issue: tomcat on port 80 > How safe

AW: security issue: tomcat on port 80

2001-12-06 Thread Ralph Einfeldt
See below: > -Original Message- > From: Dr. Evil [mailto:[EMAIL PROTECTED]] > Sent: Thursday, 6 December 2001 20:48 > To: [EMAIL PROTECTED] > Subject: Re: security issue: tomcat on port 80 > However, the reason why uid 0 is so dangerous for Apache is beca

Re: AW: security issue: tomcat on port 80

2001-12-07 Thread Dr. Evil
> The VM itself is typically written in C/C++, so I wouldn't beg on more > safety for a VM than Apache. That's probably true. However, the likelihood of someone being able to send a web request to Tomcat that will result in Tomcat triggering a buffer overflow in the VM seems ridiculously small

AW: AW: security issue: tomcat on port 80

2001-12-07 Thread Ralph Einfeldt
ult to configure and maintain, that it was hard to get more security without affecting the ease of use for the daily work. > -Original Message- > From: Dr. Evil [mailto:[EMAIL PROTECTED]] > Sent: Friday, 7 December 2001 09:20 > To: [EMAIL PROTECTED] > Subject: R

Re: AW: security issue: tomcat on port 80

2001-12-09 Thread E B
Dr. Evil: Have you tried asking your question in the linux mailing lists ? What do those guys got to say about this restriction to bind to ports < 1024 in the present day server systems? --- "Dr. Evil" <[EMAIL PROTECTED]> wrote: > > The VM itself is typically written in C/C++, so I > wouldn't b

Re: AW: security issue: tomcat on port 80

2001-12-10 Thread Dr. Evil
> Have you tried asking your question in the linux mailing lists ? > What do those guys got to say about this restriction to bind to > ports < 1024 in the present day server systems? I asked once on the OpenBSD list. Those guys are very much traditionalists so they did not like the idea. Still,

Re: AW: security issue: tomcat on port 80

2001-12-11 Thread E B
> I asked once on the OpenBSD list. Those guys are > very much > traditionalists so they did not like the idea. > Still, there is no > longer any rational reason for this restriction. I > challenge anyone > to point out a good reason for it. Basically, it I discussed this on a local LUG. It s

Re: AW: security issue: tomcat on port 80

2001-12-12 Thread Dr. Evil
Ok, this subject is getting pretty far from Tomcat, but I'll address this. > > I asked once on the OpenBSD list. Those guys are very much > > traditionalists so they did not like the idea. Still, there is no > > longer any rational reason for this restriction. I challenge > > anyone to point o

Re: AW: AW: security issue: tomcat on port 80

2001-12-07 Thread Dr. Evil
> The past 12 years I worked constantly for companies that had one or > more unix servers and always only a small number of users had an > admin account, all other had 'normal' user accounts. Anyway, can someone explain to me the security benefit of restricting bind < 1024 to uid 0? At this p