"Vincent Aumont" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> François,
>
> > > Oh, and last but not least, I didn't find a privilege separation method in tomcat (like in apache or ssh or postfix, or...). Perhaps I am wrong, but, if you want tomcat to run in an unprivileged environment, you have to make it bind to a public port (say 8080). I use iptables to redirect connections from 80 to 8080:
> > >
>
> No, you're right. You can make Apache listen on port 80 while running
> as root because it'll change the process' ownership when it opens a new
> connection. There is no portable way of doing this in Java; therefore,
> you have to run Tomcat as root if you want to make it listen on port 80.
> Of course, that's a major security hole.
> I always front-end TC with Apache and use mod_proxy to achieve what
> you're doing with iptables.
>

Right and wrong ;-). Tomcat 5 ships with the (source for) commons-daemon, which gives Tomcat this same capability on *nix boxes. Of course, commons-daemon works with Tomcat 4.1 and Tomcat 3.3 as well (as well as any other Java programs that need this feature).

> -Vincent.