What I think you need to consider is the risk of running TC in this manner,
dependent on where and what the TC instance is being deployed for.

The risk MAY be acceptable if you are intending on running a TC instance
internally on an intranet or something similar, as then you only have to
worry about internal threats to its operation. (Considering that your
external defenses [if you have an external access point] are up to the task
of keeping attackers out from the outside.) But let's not forget that a large
proportion of attacks do come internally.

If you are running this TC in an internet facing environment it is generally
considered good practice to have a proxy of some sort for the TC instance in
a DMZ and have the TC running behind the DMZ protected (hopefully) from
most attacks. Putting an application server into the DMZ is generally
considered a bad practice due to the impact that can be had should an
attacker compromise it (of course dependent on the relative risk of having
it there).

Also you need to consider what exactly this TC is doing, and what risk is
posed by its operation being modified/destroyed by an attacker and what the
impact of such an event could be. Once you know your risk on running it this
way then you can decide whether this configuration is "safe" for you or not.
Of course you should always aim to reduce your risk (and the exposure caused
by the risk) but balanced against the costs of implementing and maintaining
a highly secure system.

If you have system admins and whatnot for your production server then they
should know a lot about this already and can help you out deciding what to
do.

Regards,
Shane.

-----Original Message-----
From: Justin Jaynes [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 27 May 2004 2:46 PM
To: [EMAIL PROTECTED]
Subject: standalone production?


Is it considered safe to run tomcat as a stand-alone
production server on ports 80 and 443?  This requires
tomcat to run as root (or so I have read) and it is
therefore "not recommended".  Using apache forks child
processes that run as nobody.  But I don't want to use
apache.  Again, is it safe to run tomcat as a
stand-alone production server on ports 80 and 443 as
root?  Or is there some way to deny root permissions
and still use these ports?





---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
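The question above asks whether a server can use ports 80 and 443 without staying root. The usual Unix answer is the pattern Justin attributes to Apache: bind the privileged port while still root, then permanently switch to an unprivileged account before handling any client traffic. The listener below is an added example written for this thread, not code from the original posts or from Tomcat; the account name "nobody", the port numbers and the loopback self-check are assumptions chosen for illustration.

```python
"""Added example: bind a privileged port as root, then drop to "nobody".

Not part of the original thread. Assumes a Unix host with an account
named "nobody"; port and host values are constructed for illustration.
"""
import os
import pwd
import socket
import threading

PRIVILEGED_PORT_LIMIT = 1024  # on traditional Unix, ports below this need root


def is_privileged_port(port: int) -> bool:
    """True if bind() on this port requires root (or an equivalent capability)."""
    return 0 < port < PRIVILEGED_PORT_LIMIT


def bind_listen(port: int, host: str = "0.0.0.0") -> socket.socket:
    """Create the listening socket. For a privileged port this must run while
    still root; the socket remains usable after the drop because the
    permission check happens only at bind() time."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(16)
    return sock


def drop_privileges(user: str = "nobody") -> tuple:
    """Permanently give up root; returns the effective (uid, gid) afterwards.

    Order matters: supplementary groups and gid are changed before uid,
    because once the uid is no longer 0 the process cannot change groups.
    When not running as root there is nothing to drop and the current ids
    are returned unchanged.
    """
    if os.geteuid() != 0:
        return (os.geteuid(), os.getegid())
    pw = pwd.getpwnam(user)   # assumed account name
    os.setgroups([])          # no supplementary groups inherited from root
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)      # as root this sets real, effective and saved uid
    # Check the drop is irreversible: regaining root must fail from here on.
    try:
        os.setuid(0)
    except PermissionError:
        pass
    else:
        raise RuntimeError("privilege drop was not permanent")
    return (os.geteuid(), os.getegid())


def serve_one(sock: socket.socket) -> bytes:
    """Accept one connection and answer with a minimal HTTP response.
    This runs with reduced privileges, so a flaw here cannot yield root."""
    conn, _ = sock.accept()
    with conn:
        request = conn.recv(4096)
        body = b"served as uid %d\n" % os.geteuid()
        header = b"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n"
        header += b"Content-Length: %d\r\n\r\n" % len(body)
        conn.sendall(header + body)
    return request


def loopback_check(sock: socket.socket) -> bytes:
    """Self-test helper: serve one request to ourselves over loopback and
    return the raw response bytes the client received."""
    server = threading.Thread(target=serve_one, args=(sock,))
    server.start()
    host, port = sock.getsockname()[:2]
    response = b""
    with socket.create_connection((host, port)) as client:
        client.sendall(b"GET / HTTP/1.0\r\n\r\n")
        while True:
            chunk = client.recv(4096)
            if not chunk:
                break
            response += chunk
    server.join()
    return response


if __name__ == "__main__":
    listener = bind_listen(80)            # privileged bind: do it first, as root
    uid, gid = drop_privileges("nobody")  # then never be root again
    print("listening on port 80 as uid=%d gid=%d" % (uid, gid))
    serve_one(listener)
```

The same two-step sequence is what Apache httpd does before forking its "nobody" children, and it is also what the Commons Daemon jsvc launcher does for Tomcat: bind the privileged ports as root, then switch to the user given on its command line before the JVM serves requests. A plain JVM cannot setuid itself after binding, which is why running Tomcat on 80/443 directly is the "run as root" case Justin read about; the alternatives are a launcher that drops privileges as above, or Shane's suggestion of keeping Tomcat on an unprivileged port behind a proxy.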

