I don't know whether many people use Jakarta/Tomcat, but nobody should run a WWW server as root anyway. NB: Cobalt users (a turnkey system based on RH Linux, on a PowerPC or StrongArm processor, I no longer remember which): your WWW server runs as root. And if you change that, the administration no longer works.

From: Scott Morris <[EMAIL PROTECTED]>
Subject: Jakarta-tomcat.../admin
Date: 21 Jul 2000 23:48:28 +0200
Message-ID: <[EMAIL PROTECTED]>

Summary: Jakarta Tomcat contains a security bug that can compromise UNIX servers running Tomcat as root. Tomcat can be used together with the Apache web server or as a stand-alone server for Java Servlets as well as Java Servlet Pages.

Problem: The default install of Tomcat contains a mounted context ( /admin ) that contains servlets that can be used to add, delete, or view context information about the Tomcat Server. Under UNIX, the root directory can be added as a context, and if the server is running as root, all files on the system can be viewed over the web.

Possible Solution:
1) Do not run the Tomcat server as root
2) Restrict access to the /admin context or remove it completely.

Scott Morris
UNIX Admin
Gridnet International
Key Fingerprint: 814E 7771 6EA9 6C94 B1C9 09C6 D86E 755E A0A9 1B67

--
To post an announcement: [EMAIL PROTECTED]
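An added audit script for the two mitigations in the advisory (it is not code from the original post or from the Tomcat project). It assumes Tomcat 3.x declares its mounted contexts as <Context path="..." docBase="..."> elements in conf/server.xml, and it takes the ps output and the server.xml text as arguments so it can be exercised on constructed samples.

```shell
#!/bin/sh
# Added example, not part of the original post: two checks a defender can run
# against the mitigations listed in the advisory. Assumption: Tomcat 3.x mounts
# contexts in conf/server.xml as <Context path="..." docBase="..."> elements.
# Inputs are passed as strings so the functions run on constructed samples.
# Check 1: is a Tomcat JVM running as root?
# $1 is "ps -eo user,args"-style text, one process per line (user first).
tomcat_runs_as_root() {
    printf '%s\n' "$1" | awk '$1 == "root" && /tomcat|java/ { found = 1 }
                              END { exit !found }'
}

# Check 2: which contexts does server.xml mount? Prints one path per line.
# Newlines are flattened first so an element whose attributes span several
# lines is still seen; commented-out elements are reported too (cautious).
mounted_contexts() {
    printf '%s\n' "$1" | tr '\n' ' ' \
      | sed 's/<Context[[:space:]]/\
&/g' \
      | sed -n 's/^<Context[[:space:]][^>]*path="\([^"]*\)".*/\1/p'
}

# Exit 0 when the /admin context from the advisory is still mounted.
admin_context_mounted() {
    mounted_contexts "$1" | grep -qx '/admin'
}

# Combined audit: returns 0 only when neither finding applies.
tomcat_admin_audit() {
    rc=0
    if tomcat_runs_as_root "$1"; then
        echo "FINDING: Tomcat is running as root"; rc=1
    fi
    if admin_context_mounted "$2"; then
        echo "FINDING: /admin context is mounted; restrict or remove it"; rc=1
    fi
    return $rc
}

# Constructed sample inputs (not real hosts or files).
SAMPLE_PS='USER     COMMAND
root     /usr/bin/java -classpath /opt/tomcat/lib/webserver.jar org.apache.tomcat.startup.Tomcat
www      /usr/sbin/httpd'
SAMPLE_XML='<Server>
  <ContextManager debug="0" workDir="work">
    <Context path="/examples" docBase="webapps/examples"
             debug="0" reloadable="true"/>
    <Context path="/admin" docBase="webapps/admin" debug="0"/>
  </ContextManager>
</Server>'
```

On a live host, feed it `"$(ps -eo user,args)"` and `"$(cat /path/to/conf/server.xml)"`; a non-zero exit means at least one finding was printed.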
