I run Tomcat on port 80 on my Win32 servers (NT and 2K).  I have watched the
Windows viruses attack Tomcat with no impact.  The one server running IIS
(required for our time keeping software) got nailed by a virus within a week
of being setup.  That server has since had IIS pointed to a different port
and placed behind the firewall.  I feel much more secure running Tomcat than
IIS on Win32.

Jim

-----Original Message-----
From: Dr. Evil [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 06, 2001 1:48 PM
To: [EMAIL PROTECTED]
Subject: Re: security issue: tomcat on port 80


> How safe is it to have tomcat listening on port 80
> running on a RH6.2, which  is on the internet ?
> Did anybody face any security problems ever ?

From the conventional point of view, having things run on port 80 has
been dangerous because a proc has to have uid 0 to bind to the port.
Apache is regarded as safe because the code drops root ASAP and is
thoroughly tested and audited.  Tomcat is not regarded as safe because
it can't drop uid 0.

However, the reason why uid 0 is so dangerous for Apache is because
it's written in C.  Buffer overflows are almost inevitable in a
language like C, with its direct memory access and unsafe pointers.
Java bytecode doesn't have any of those problems.  It can't manipulate
memory or pointers ever.  It is much much safer than C will ever be.
So I think running Tomcat on port 80 should be fine.

An even better solution would be to recompile your kernel so that you
don't need uid 0 to bind to port 80.  I still can't figure out why
they have that dumb restriction that you must have uid 0 to bind ports
< 1024.  That's just stupid and it causes far more security problems
than it solves today.

--
To unsubscribe:   <mailto:[EMAIL PROTECTED]>
For additional commands: <mailto:[EMAIL PROTECTED]>
Troubles with the list: <mailto:[EMAIL PROTECTED]>
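The "bind as root, then drop root as soon as possible" pattern that the quoted message attributes to Apache, written out as an added example (this is not Apache's, Tomcat's or any poster's code). It assumes a POSIX system where ports below 1024 need uid 0; the uid/gid 65534 in main() is a placeholder for whatever unprivileged service account the server would actually run as. The drop routine releases supplementary groups and the gid before the uid, because those calls stop working once the process is no longer root, and it confirms the drop is permanent by checking that uid 0 cannot be regained.

```c
/* Added example, not code from the thread or from Apache/Tomcat.
 * Demonstrates the bind-then-drop-root pattern discussed above. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Bind and listen on 127.0.0.1:port. Returns the listening fd or -1.
 * On a traditional Unix, ports below 1024 can only be bound by uid 0. */
int bind_listen(unsigned short port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;

    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);

    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_port = htons(port);
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);

    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0 ||
        listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Port the socket actually got (relevant when port 0 was requested and
 * the kernel picked an ephemeral one). Returns -1 on error. */
int bound_port(int fd)
{
    struct sockaddr_in addr;
    socklen_t len = sizeof addr;
    if (getsockname(fd, (struct sockaddr *)&addr, &len) < 0)
        return -1;
    return ntohs(addr.sin_port);
}

/* Permanently drop to uid/gid. Order matters: supplementary groups and
 * the gid are changed first, since those calls fail once the uid is no
 * longer 0. Returns 0 on success, -1 on failure. If the target uid is
 * unprivileged, also verifies that root cannot be regained afterwards. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (getuid() == 0 || geteuid() == 0) {
        /* Only root may clear the supplementary group list. */
        if (setgroups(0, NULL) < 0)
            return -1;
    }
    if (setgid(gid) < 0)
        return -1;
    if (setuid(uid) < 0)
        return -1;
    /* A process that truly gave up root must not be able to take it back. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    /* Started as root: grab the privileged port first... */
    int fd = bind_listen(80);
    if (fd < 0) {
        fprintf(stderr, "bind to port 80 failed: %s\n", strerror(errno));
        return 1;
    }
    /* ...then drop root before serving anything. 65534 is a placeholder
     * for the real unprivileged service account. */
    if (drop_privileges(65534, 65534) < 0) {
        fprintf(stderr, "privilege drop failed: %s\n", strerror(errno));
        return 1;
    }
    printf("listening on port %d as uid %d\n", bound_port(fd), (int)getuid());
    close(fd);
    return 0;
}
```

Run as root it binds port 80 and then reports the unprivileged uid; run as a normal user the bind step fails with EPERM, which is exactly the restriction the message complains about. The listening socket stays open across the drop, so the server keeps port 80 without keeping root.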
