Very interesting. I hadn't investigated this scenario until now. I like your suggestion.
John > -----Original Message----- > From: Przemyslaw Wegrzyn [mailto:[EMAIL PROTECTED]] > Sent: Friday, September 06, 2002 2:20 PM > To: Tomcat Users List > Subject: RE: Tomcat shutdown & security > > > On Fri, 2002-09-06 at 14:40, Shapira, Yoav wrote: > > Hi, > > How about not letting any regular user execute > bin/shutdown.sh? ;) ;) ;) > > Nope, it's not the solution. > > Anyone can download tomcat, extract shutdown.sh and execute. > Shutdown connects to Tomcat through a socket, so it's even possible > across the net. > > After briefly reviewing Tomcat installation I think the best > solution is > to change shutdown attribute in > > <Server className="org.apache.catalina.core.StandardServer" > port="8005" > debug="0" shutdown="SHUTDOWN"> > > to some other string, acting as password, and then chmod og-rx > server.xml. > > Any comments ? > > -=Czaj-nick=- > > > > > > > > -- > To unsubscribe, e-mail: > <mailto:[EMAIL PROTECTED]> > For additional commands, e-mail: <mailto:[EMAIL PROTECTED]> -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>