"Sanjaya Singharage" <[EMAIL PROTECTED]>
05.12.2002 10:33
Please respond to "Tomcat Users List"

 
        To:     [EMAIL PROTECTED]
        cc: 
        Subject:        Why run tomcat as root


With respect to security, what is the best way to run Tomcat on Linux? I am
running Tomcat 3.2.3 with Apache 1.3.26 and mod_jk.
1. Run as root?
2. Run as nobody?
3. Run as another user (e.g. tomcat)?

Why is running Tomcat as a certain user more secure than running it as
others?

For starters, if you want to use privileged ports (port < 1024) you must be 
root. If, for example, you want Tomcat to listen on port 80 (HTTP default 
port) or 443 (HTTPS default port), you must start Tomcat as ROOT. 
Theoretically, of course, you can run Tomcat as user "nobody", but you will 
not be able to use ports < 1024. If you use non-privileged ports you will 
have to live with the annoyance of everyone who wants to access your 
server having to suffix the port number to the URL 
(http://www.|someurl|.org:8080/); with a privileged default port like 80 
(HTTP) all you have to do is type the URL (http://www.|someurl|.org). The 
root account is also preferable because the account and processes that run 
under it are considerably better protected than those of a normal user, 
provided you have not castrated the root account security-wise, i.e. 
configured it incorrectly. The less secure the account you run Tomcat 
under, the easier it is for a malicious user to sabotage your webserver by 
editing or deleting files, killing processes and so on. The ROOT account is 
a citadel on a mountain top, very hard for a hacker to break, much harder 
than a normal account. If you run Tomcat as root, only you and those 
trusted few that you have made privy to the root password can manipulate 
the Tomcat server.

If this is the appropriate place to ask a question on Apache and Tomcat,
what would be the answer to the same question regarding running Apache and
Tomcat together?

Yes. Since the topics overlap I fail to see why it should be forbidden to 
discuss Tomcat/Apache interaction.





--
To unsubscribe, e-mail:   <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
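The exchange above turns on one concrete boundary: binding a port below 1024 needs root, binding 8080 or the mod_jk AJP port does not. The following audit script is an added example from the editor, not code posted by either participant. It takes listener records in a constructed "user pid program port" format, reports which user owns each listening socket and whether root was actually required to bind that port, and returns the number of root-owned listeners on ports that did not need root. The record format and the sample records (httpd on 80, java on 8080 and 8009) are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit Tomcat/Apache
# listeners on a Linux box and show, per listening port, which user owns
# the process and whether root was required to bind that port.
# The "user pid program port" record format is constructed for this
# example; see the usage note for producing it from netstat and ps.

# Exit 0 when PORT is privileged (below 1024). That is the only case in
# which binding the socket requires root.
is_privileged_port() {
    [ "$1" -lt 1024 ]
}

# Classify one listener by owner and port. Prints one of:
#   root-needed      root owns a privileged port (root was required to bind)
#   root-unneeded    root owns a port >= 1024 (binding did not require root)
#   unprivileged     a non-root user owns a port >= 1024
#   unprivileged-low a non-root user owns a privileged port (the socket was
#                    bound before privileges were dropped)
classify_listener() {
    user="$1"
    port="$2"
    if [ "$user" = "root" ]; then
        if is_privileged_port "$port"; then
            echo root-needed
        else
            echo root-unneeded
        fi
    else
        if is_privileged_port "$port"; then
            echo unprivileged-low
        else
            echo unprivileged
        fi
    fi
}

# Read "user pid program port" records from stdin, print one assessment
# line per record, and return the count of root-owned listeners whose
# port did not require root. Blank lines are skipped.
audit_listeners() {
    count=0
    while read -r user pid program port; do
        [ -z "$user" ] && continue
        class=$(classify_listener "$user" "$port")
        printf '%-8s %-6s %-12s %-5s %s\n' \
            "$user" "$pid" "$program" "$port" "$class"
        [ "$class" = root-unneeded ] && count=$((count + 1))
    done
    return "$count"
}

# Constructed sample records: Apache on 80 as root, Tomcat's HTTP
# connector on 8080 as root, Tomcat's AJP connector on 8009 as tomcat.
sample_records() {
    printf 'root 1234 httpd 80\n'
    printf 'root 2345 java 8080\n'
    printf 'tomcat 3456 java 8009\n'
}

# Stand-alone run: print the table and the number of root-owned
# listeners that did not need root (1 for the sample: java on 8080).
sample_records | audit_listeners || unneeded=$?
echo "root-owned listeners on unprivileged ports: ${unneeded:-0}"
```

On a live Linux host the records can be built from `netstat -tlnp` (run as root so the PID/program column is filled in) and `ps -o user= -p <pid>` for each PID; the script itself only needs the four whitespace-separated fields. In the setup from the question, Apache on port 80 fronts Tomcat through mod_jk, so Tomcat's own listeners (8080 and the AJP port) are above 1024 and the script reports any root-owned Tomcat listener as `root-unneeded`.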