One idea:
I know nothing about the AJP12 protocol but isn't it possible
to generate some random seed (or whatever) while starting
up tomcat, saving it to disk and then when the shutdown request
arrives, it can be matched against both the ip address and
the random seed (acting as a password)?
The running instance has it in memory and the shutdown
script gets the saved copy. With correct permissions this
should prevent others from shutting down Tomcat.
Regards,
Gummi Haf
------------------------------------------
Gudmundur Hafsteinsson - [EMAIL PROTECTED]
Dimon Software - www.dimonsoftware.com
"... 'cause that's what tiggers do the best!" - Tigger
------------------------------------------
"Paulo Gaspar" <[EMAIL PROTECTED]>
06.01.2001 03:05
Please respond to tomcat-dev
To: <[EMAIL PROTECTED]>
cc:
Subject: RE: Tomcat can be shutdown by ANYONE.
AFAIK from answers to similar postings, a Tomcat server accepts as valid
any shutdown request coming from the same machine where it is running.
Remember that the shutdown request is just another request sent trough
sockets. All the server can check is the address it came from.
I think (you should check) that this request is sent to the AJP port
(8007). So, if you use Tomcat standalone, maybe you can just disable
this port by commenting out the AJP12 connector tags in
tomcat/conf/server.xml
But then, even if this works, you will not be able to gracefully
terminate Tomcat anymore - you will always have to kill it (or "break
it").
Have fun,
Paulo Gaspar
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, January 06, 2001 00:48
> To: [EMAIL PROTECTED]
> Subject: Tomcat can be shutdown by ANYONE.
>
>
> I have tried to run Tomcat 3.2.1 as nobody then on another shell login
as
> my id ( eg barrow ), and run TOMCAT_HOME/bin/shutdown.sh. I can
> successfully bring tomcat.
>
> I also tried to run Tomcat 3.2.1 as root and I can also shutdown Tomcat
> 3.2.1 as my id ( eg. barrow ).
>
> Unless I did my configuration wrong; otherwise, anyone who have access
to
> my Linux box will be above to shutdown Tomcat without any notice..
>
> PS: my id - bhkwan, doesn't have super user privilege. It is just
> a regular
> user account.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, email: [EMAIL PROTECTED]
>
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, email: [EMAIL PROTECTED]
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, email: [EMAIL PROTECTED]
RE: Tomcat can be shutdown by ANYONE.
Dimon - Gudmundur Hafsteinsson Sat, 06 Jan 2001 03:16:00 -0800
- Tomcat can be shutdown by ANYONE. bhkwan
- RE: Tomcat can be shutdown by ANYONE. Paulo Gaspar
- Re: Tomcat can be shutdown by ANYONE. Nick Bauman
- Re: Tomcat can be shutdown by ANYO... Jon Stevens
- Re: Tomcat can be shutdown by ... Nick Bauman
- RE: Tomcat can be shutdown by ANYONE. Dimon - Gudmundur Hafsteinsson
- RE: Tomcat can be shutdown by ANYO... cmanolache
- Re: Tomcat can be shutdown by ... Jon Stevens
- Re: Tomcat can be shutdown... cmanolache
