Re: [Hardening] Running tomcat under a specific account

Christopher Schultz Thu, 26 Feb 2015 05:32:46 -0800

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Jan,


On 2/25/15 5:13 PM, Jan Tosovsky wrote:
> there are plenty resources mentioning it is a must to run tomcat as
> a dedicated user with limited permissions.
> 
> Is it still true when tomcat doesn't run standalone, but via Apache
> web server connected via AJP? That webserver already runs in the
> restrictive mode.

Yes.

Why would you want to run Tomcat as root/Administrator? I don't
believe it gives you any advantage whatsoever, and can open you up to
all kinds of problems.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCAAGBQJU7yARAAoJEBzwKT+lPKRYfGYP/1PqU1SNxqN/03cn29hLm1SW
GU0UV6YwYXuapTc7hOZeR2vJUUDkIbCgPmz/xtwOO53Amw6nfdqHSuu1fyfNTN+8
mySOkroRD+4s02BtBRa8TyK2sESdr3DX0wgYkfLuBjflpmFiwdX9w17jFqfH6mUR
Q8HKSZueOv72IybI/E223JkcXG1ImyXlt/HBT6YeG1kxMOMfX0yaak14kklcbKUk
YJKPj35cv8DySVW20ghMoKt6F65P9Y54cjK3AWOxaO8EGSvn7RaY2Pv+w5bWcE9f
Nb4dUeMQCg0mieWe0pweLDuLVi+O3eZ7V4RsbI04bIiaP08QZxKlMC6HDWthLKAw
op0gEmEmMoPm1I5B/g8dW5LWPqSbvV169PkRyKC8agQbuGbPAIUHudmwHSEswSv1
9UX+l9+Ey7HvHGQHUSFr8MX70mgrmPvfpAhxDCOU90Cj8sATEQtnhqo2E0AeBgEr
rUA04tp5Lf64fsIZ9uhNiW8KuxP5/CCeWfTlNHZ4b169qIvc9ZCla8Gl/cQ+SNWr
0FXP7d2Yun5Hx5FeE3Yfu9xzT1qvOLWI19C4cM8EhgqxVAOgUA7zx4JWIlBuNmrH
jIsoweJI2Uwq0g9hjQtInN7/Y15gBiHeL/WxAtAMEqn/ygk0FUVPd6r5y6LXoVx1
TGGg8PwnduySY6R9iYS+
=Mo36
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: [Hardening] Running tomcat under a specific account

Reply via email to