"Sanjaya Singharage" <[EMAIL PROTECTED]> 05.12.2002 10:33 Please respond to "Tomcat Users List"
To: [EMAIL PROTECTED] cc: Subject: Why run tomcat as root with respect to security what is the best way to run tomcat on linux? I am running tomcat3.2.3 with apache1.3.26 and mod_jk 1. Run as root? 2. Run as nobody? 3.Run as other user (eg. tomcat)? why is running tomcat as a certain user more secure than running it as others? For starters if you want to use privileged ports (port<1024) you must be root. If you for example want tomcat to listen on ports 80 (HTTP default port) or 443 (HTTPS default ports) you must start tomcat as ROOT. Theoretically of course you can run tomact as user "nobody" but you will not be able to use ports<1024. If you use non privileged ports you will have to live with the annoyance of every one who wants to access your server having to suffix the port number to the url (http://www.|someurl|.org:8080/) with a privileged default port like 80 (HTTP) all you have to do is type the URL (http://www.|someurl|.org). The Root account is also preferable beacuse the account and processes that run under it are considerably better protected than those of a normal user, provided you have not castrated the Root account security wise, ie configured it incorrectly. The less secure the account you run Tomcat under the easyser it is for a malicious user to sabotage your webserver by editing or deleting files, killing processes and so on. The ROOT acount is a citadel on a mountain top, very hard for a hacker to break, much harder than a normal account. If you run Tomcat as root, only you and those trusted few that you have mady privy to the root password, can manipulate the Tomcat server. If this is the appropriate place to ask a question on apache and tomcat, what would be the answer to the same question regarding running apache and tomcat together. Yes. Since the topics overlap I fail to see why it should be forbidden to discuss tomact/apache interaction. 
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
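The asker's option 3 (run Tomcat as a dedicated user such as "tomcat") and the reply's one concrete obstacle (ports below 1024 need root to bind) can be combined on Linux: the JVM binds an unprivileged port and the kernel's NAT table redirects port 80 to it. The script below is an added example for this thread, not code from either poster or from the Tomcat project. Everything it assumes is labelled: the install path /usr/local/tomcat, the user name "tomcat", Tomcat listening on 8080, and bin/startup.sh as the start script (Tomcat 3.2.x also ships tomcat.sh; adjust to what your install has). The audit functions take `ps -eo user,pid,args` output on stdin, so they can be checked against constructed sample lines without touching a live box.

```shell
#!/bin/sh
# Added example (not from the original thread): run Tomcat as an unprivileged
# user while still answering on port 80, and audit a host for a Tomcat JVM
# running as root. Path, user, ports and start script name are assumptions.

TOMCAT_HOME="${TOMCAT_HOME:-/usr/local/tomcat}"   # assumed install path
TOMCAT_USER="${TOMCAT_USER:-tomcat}"              # assumed service account
TOMCAT_PORT="${TOMCAT_PORT:-8080}"                # unprivileged port the JVM binds
PUBLIC_PORT="${PUBLIC_PORT:-80}"                  # privileged port clients use

# True for ports that only root may bind; this is the thread's only stated
# reason for starting the JVM as root.
is_privileged_port() {
    [ "$1" -gt 0 ] && [ "$1" -lt 1024 ]
}

# Read `ps -eo user,pid,args` lines on stdin. Print one line per Tomcat JVM:
# "<pid> <user> ROOT" if the JVM runs as root, "<pid> <user> OK" otherwise.
# Matches both the Tomcat 3.x (org.apache.tomcat) and 4.x (org.apache.catalina)
# main classes.
audit_tomcat_processes() {
    awk '$3 ~ /java/ && /org\.apache\.(tomcat|catalina)/ {
            print $2, $1, ($1 == "root" ? "ROOT" : "OK")
         }'
}

# Number of Tomcat JVMs running as root, read from the same stdin format.
root_tomcat_count() {
    audit_tomcat_processes | awk '$3 == "ROOT" { n++ } END { print n + 0 }'
}

# One-time setup, run as root: create the service account, keep the tree
# owned by root with only the writable directories handed to the service
# user, redirect the privileged port, and start the JVM unprivileged.
harden_tomcat_as_user() {
    id "$TOMCAT_USER" >/dev/null 2>&1 || \
        useradd -r -s /sbin/nologin -d "$TOMCAT_HOME" "$TOMCAT_USER"
    chown -R root:"$TOMCAT_USER" "$TOMCAT_HOME"
    chmod -R o-rwx "$TOMCAT_HOME"
    # Tomcat only needs to write logs and its compiled-JSP work area.
    for d in logs work; do
        mkdir -p "$TOMCAT_HOME/$d"
        chown -R "$TOMCAT_USER":"$TOMCAT_USER" "$TOMCAT_HOME/$d"
    done
    # Incoming connections to port 80 are rewritten to the JVM's port, so
    # nothing has to bind a privileged port as root.
    iptables -t nat -A PREROUTING -p tcp --dport "$PUBLIC_PORT" \
        -j REDIRECT --to-port "$TOMCAT_PORT"
    # Start script name is an assumption; Tomcat 3.2.x may use tomcat.sh.
    su -s /bin/sh "$TOMCAT_USER" -c "$TOMCAT_HOME/bin/startup.sh"
}

# Nothing is changed unless explicitly requested.
case "${1:-}" in
    --apply) harden_tomcat_as_user ;;
    --audit) ps -eo user,pid,args | audit_tomcat_processes ;;
esac
```

`sh script.sh --audit` lists every Tomcat JVM with the account it runs under; `sh script.sh --apply` performs the setup. The PREROUTING redirect only affects connections arriving from the network; a client on the same host still needs to use port 8080, or an equivalent rule in the OUTPUT chain. When Apache with mod_jk fronts Tomcat, as in the asker's setup, Apache owns port 80 and the redirect is unnecessary: Tomcat then only needs its AJP port, which is unprivileged anyway.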