Hi Hilton, while I can see why this alarms you and it's generally a good policy that I myself practice, it often doesn't matter as much as you'd think.
Assuming the common case that a single instance of DSpace is the only application that runs on the server, the cases of compromising the tomcat account and the root account are equally disrupting - the attacker gains access to data that is potentially confidential and assumes control over the application. Whether he has control over the machine itself is not so important - the major harm has already been done.

Of course, a whole different case is a multi-user or multi-application setup, including the case where you run both Tomcat and Apache on the same machine. In this case you should use separate accounts for each service because they are two separate attack surfaces.

You can easily find a million articles about why you shouldn't use the root account unless it's necessary, so let me give you just one that discusses the opposite view:

https://systemoverlord.com/2010/07/30/why-the-risk-of-running-as-root-is-overblown

Don't think that I'm opposing the general rule. It just sometimes helps to stop and think why the general rule exists and what it doesn't cover. No single security measure is snake oil.

The problem with the root account is that it's not at all granular - you either have all the privileges or none of them. That's why more granular approaches have been worked on since the dawn of time, from capabilities to SELinux and AppArmor.

Regards,
~~helix84

Compulsory reading: DSpace Mailing List Etiquette
https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette

