From: Jim A. <ji...@ar...> - 2001-06-28 18:36:13
Jay, on what operating system?

On Linux, running Tomcat (or any other web server) as root introduces security problems, yes. When an exploit is discovered in Tomcat, the consequences are severe if Tomcat runs as root. If it runs as a no-privilege user such as nobody (or in our case, jBoss user), the damage is quite contained (usually). This way, it can't modify itself to have new "features" added by hackers and it can't access critical system resources, like your password files.

This has nothing to do with Tomcat. It's standard practice not to allow a server process to run as root.

You can use IP chains to let Tomcat, not running as root, listen on port 80.

Jim

--On Thursday, June 28, 2001 1:36 PM -0400 Jay Walters <jwa...@ne...> wrote:

> In order to listen on port 80 with tomcat does one need to run Jboss as
> root? Does this present a security hazard - does Tomcat have any odd
> backdoors? Is jetty any different?
>
> Cheers
> Jay

********************************************
I shall be telling this with a sigh
Somewhere ages and ages hence:
Two roads diverged in a wood, and I -
I took the one less traveled by,
And that has made all the difference.
- Robert Frost, 1916
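
An added example, not part of the message above or of the JBoss or Tomcat projects: a shell check over `ps -eo user,pid,args` output that flags a Tomcat, JBoss or Jetty JVM whose owner is root. The sample process list, the function names and the name patterns used to recognise a container are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample in the layout of `ps -eo user,pid,args` (not from a real host).
sample_ps() {
cat <<'EOF'
USER       PID COMMAND
root         1 /sbin/init
root       412 /usr/bin/java -Dcatalina.home=/opt/tomcat org.apache.catalina.startup.Bootstrap start
jboss      733 /usr/bin/java -classpath run.jar org.jboss.Main
nobody     801 /usr/sbin/httpd
EOF
}

# Read ps-style lines (user pid args...) on stdin and print "user pid" for
# every JVM that looks like a servlet container and is owned by root.
# The patterns catalina|jboss|jetty are an assumption about how the
# container shows up on the command line; adjust them for the local install.
find_root_containers() {
    awk 'NR > 1 && $1 == "root" {
             l = tolower($0)
             if (l ~ /java/ && l ~ /catalina|jboss|jetty/) print $1, $2
         }'
}

# Return 0 when no container runs as root, 1 otherwise.
# Offending "user pid" pairs are reported on stderr.
check_containers() {
    offenders=$(find_root_containers)
    if [ -n "$offenders" ]; then
        echo "servlet container running as root:" >&2
        echo "$offenders" >&2
        return 1
    fi
    return 0
}

# Live use on a host:  ps -eo user,pid,args | check_containers
```

In the constructed sample only PID 412 is reported; the JBoss JVM owned by the `jboss` user and the root-owned `init` are not.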