So, if I read correctly you have no problems running your apps as root?

If this is true, then I say you have a very weak security posture.

Might I suggest you do some additional research on the subject? And that those who run things in a chroot jail must be real paranoid freaks.

And now this post is way off topic.

Doug


----- Original Message ----- From: "Paul Singleton" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <users@tomcat.apache.org>
Sent: Thursday, October 19, 2006 7:21 PM
Subject: Re: IPTABLES


Christopher Schultz wrote:

Apache httpd is configured out of the box to start up as root, bind to
port 80 (or really any port), and then drop its privileges to the httpd
user. Without some really nasty code, Tomcat is unable to do the same
thing, so we're forced to do silly things like internal port forwarding,
etc.

The "root-only-access-to-low-ports" policy of
Linux is a legacy from the days when Unix systems
were typically multi-user: it is a heavy-handed way
of stopping the oiks from running unauthorised
servers.

In a secure server it is unnecessary, indeed
counterproductive when it tempts us to run services
as root, or to use tricksy workarounds.

Linux should make this switch-offable (without
having to recompile the kernel).

The only problem I've found with standalone Tomcat
plus iptables port forwarding (apart from the need
to understand iptables :-)) is that web apps can't
make requests to themselves at port 80, but have to
use 8080 or whatever.

Paul Singleton

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

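The port-forwarding setup the thread refers to, written out as an added example (this is not code from either poster or from the Tomcat project). It emits the two iptables NAT rules needed to expose a Tomcat that runs as an unprivileged user on 8080 at port 80: a PREROUTING rule for connections arriving from the network, and an OUTPUT rule for connections the box makes to itself, since locally generated traffic never traverses PREROUTING. The interface name eth0 and the ports 80/8080 are placeholders. The script prints the rules instead of applying them so it can be reviewed first; pipe its output through sh as root to apply.

```shell
#!/bin/sh
# Added example: iptables REDIRECT rules for standalone Tomcat on a high port.
# Assumptions (placeholders): external interface eth0, public port 80,
# Tomcat listening on 8080 as a non-root user.

# Return 0 if the argument is a valid TCP port above the privileged range.
is_unprivileged_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 1023 ] && [ "$1" -le 65535 ]
}

# Print (do not apply) the nat-table rules that map $pub_port to $tomcat_port.
# usage: tomcat_redirect_rules [ext_if] [pub_port] [tomcat_port]
tomcat_redirect_rules() {
    ext_if=${1:-eth0}
    pub_port=${2:-80}
    tomcat_port=${3:-8080}

    # The whole point is to keep Tomcat off low ports, so refuse a target
    # port that would itself require root to bind.
    if ! is_unprivileged_port "$tomcat_port"; then
        echo "tomcat port must be 1024-65535, got '$tomcat_port'" >&2
        return 1
    fi

    # Inbound connections from the network: PREROUTING is traversed only
    # by packets that enter on an interface, so this does not catch
    # connections originating on the host itself.
    echo "iptables -t nat -A PREROUTING -i $ext_if -p tcp --dport $pub_port -j REDIRECT --to-ports $tomcat_port"

    # Connections the box makes to its own addresses (a webapp calling
    # itself at :80, curl on the server) are routed over lo and go through
    # the nat OUTPUT chain instead, so they need a second rule.
    echo "iptables -t nat -A OUTPUT -o lo -p tcp --dport $pub_port -j REDIRECT --to-ports $tomcat_port"
}

# Run directly: print the rules for review (defaults: eth0 80 8080).
tomcat_redirect_rules "$@"
```

To confirm the rules are in place after applying them, `iptables -t nat -L -n --line-numbers` lists both chains; the REDIRECT rule count under PREROUTING and OUTPUT should increase as traffic hits them.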