Martin van den Bemt at [EMAIL PROTECTED] wrote:
> Pier,
>
> I won't make commercials anymore for running as root, just to keep you
> happy..
Just to make _me_ happy? Probably you don't realize what you are saying when
you give hints on running something as root.
> Maybe adding some extra info to the mod_jk.html howto about accessibility of
> the 8007 and 8009 ports if you don't change the defaults [...]
> Maybe I'm wrong about this, then just let me know..
> Please flame me if I missed something obvious, but a grep -r "address"
> didn't give me any info on security issues involved in not setting that
> thing..
As you (may not) know I am not involved in mod_jk... If that documentation
doesn't address security issues, well, I didn't write it...
I'll make sure that in the final documentation of Tomcat 4.0 there will be a
bold-red paragraph saying "If you run Tomcat as 'root' on Unix you are NUTS"
>> Let's try to be a LITTLE BIT security conscious here...
>
> Maybe you're just having a bad day??
For sure I did... I had an entire BAD LIFE... It's already hard to keep
hackers out of fairly well-defended systems, I have nightmares about people
breaking into my servers. As I believe most system administrators do.
(Probably the ones running Windows even a little bit more)
But that doesn't change the fact that SECURITY comes first. ALWAYS.
> Let's start with the security tomcat can give by default instead of whining
> about os security administration.. My answer in tomcat-user explicitly is
> pretty self-explaining:
>
>> Please tell me what is dangerous about running tomcat as root? I've
>> taken the following security measures:
>> ports 8007 and 8009 are blocked from the outside (firewall)
>> tomcat is not running on 8080 and only allowing communications from
>> localhost (127.0.0.1).
>> The only potential problem is that if a tomcat/apache bug is exploited, you
>> potentially have a problem.
Yes, naively not even thinking about what could be wrong in other users'
setups. You skipped a long part of the thread: people are trying to run
Tomcat from their RC scripts. Good, I can stand with that, BUT we have to
make sure that we don't compromise security by doing so. David, on the same
thread, wrote (regarding RC scripts):
> unless you want to run your tomcat as root ( Very unwise ) make sure that you
> use a 'su' command in your call to tomcat's start script...
That's great... Good David, security conscious. This is a good reply. Coming
out-of-the-blue and saying "nah, you're paranoid, you can safely run Tomcat
as root and not care about it" you don't consider ONE big thing: what is the
user at the end DOING in his Tomcat.
Tomcat might be safe, but web applications might not be. What if someone
runs Tomcat as root and enables WebDAV. What if he has (as in Tomcat 4.0) a
CGI-executor Servlet... What if...
It's true, Tomcat, out-of-the-box, with only the root web-application
installed MIGHT be quite safe, I could run it as is, but, damn, think about
things a little bit later in the process.
Don't you think that there is a reason why Apache doesn't even let you start
the server if you set your user in httpd.conf as root? Apache _is_ safe in
the core, what users make it do is 99% of the times NOT.
Any server (mail, web, whatever) _is_ the shield that separates a client
from your system. Running it as root is like going to battle with a shield
made of thin paper. (Since we're in the spirit of analogies)
> Maybe combining a little bit of the input a lot of people gave will end up in
> a more secure tomcat and some nice docs.. JUST saying that you're gonna flame
> everybody who says that running tomcat as root isn't bad is saying to a
> soccer goalkeeper it is ok to let the ball through, because the net protects
> the other team from scoring... If the keeper knows the rules a bit better he
> will try to catch the ball anyway (=protecting the Interceptors). When he
> didn't catch 20 balls, he is probably gonna train a bit more and get
> familiar with catching the ball (=su-ing processes).
>
> A nice little story about soccer ;-))
I don't give a **** about soccer, but running as root is _wrong_ anytime and
anywhere. Just implying that it's safe to do so is even more wrong, because
99% of the people out there _DO_ play the "goalkeeper", but they don't even
have a CLUE about the rules of soccer.
I keep my stance, if I see someone saying "running (put your favourite
service here) as root is safe", as you did, I'll flame him. Think TWO steps
ahead, ALWAYS.
Pier (security conscious)
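The two safeguards argued for in this thread, an RC script that drops to an unprivileged account with 'su' and a server that refuses to start at all when its service user is root (as Apache does with httpd.conf), as an added example that is not from the thread or from Tomcat itself. TOMCAT_USER, TOMCAT_HOME and the startup.sh path are assumed placeholders for illustration.

```shell
#!/bin/sh
# Added example (not part of the mailing-list thread or of Tomcat):
# an RC-style wrapper that never runs Tomcat as root.
# Assumptions: the service account and install path below are placeholders.
TOMCAT_USER="${TOMCAT_USER:-tomcat}"
TOMCAT_HOME="${TOMCAT_HOME:-/opt/tomcat}"

# Returns 0 only for a numeric, non-zero uid: a "root" account under
# another name (uid 0) is rejected just like the literal name root.
is_unprivileged_uid() {
    [ -n "$1" ] && [ "$1" -gt 0 ] 2>/dev/null
}

# Decide how to launch given the caller's uid and the service account's uid.
#   direct : caller already is the service user, just start Tomcat
#   su     : caller is root, so drop privileges with su before starting
#   refuse : service user is root/unknown, or caller is some other user
launch_mode() {
    current_uid="$1"
    service_uid="$2"
    is_unprivileged_uid "$service_uid" || { echo refuse; return 0; }
    if [ "$current_uid" -eq "$service_uid" ]; then
        echo direct
    elif [ "$current_uid" -eq 0 ]; then
        echo su
    else
        echo refuse
    fi
}

start_tomcat() {
    # An unknown account yields an empty uid, which launch_mode refuses.
    service_uid=$(id -u "$TOMCAT_USER" 2>/dev/null)
    mode=$(launch_mode "$(id -u)" "$service_uid")
    case "$mode" in
        direct) exec "$TOMCAT_HOME/bin/startup.sh" ;;
        su)     exec su -s /bin/sh "$TOMCAT_USER" \
                    -c "$TOMCAT_HOME/bin/startup.sh" ;;
        *)      echo "refusing to start Tomcat as root or as an unknown" \
                     "service user ('$TOMCAT_USER')" >&2
                return 1 ;;
    esac
}

# Only act when invoked as "script start"; sourcing it defines the functions.
if [ "${1:-}" = start ]; then
    start_tomcat
fi
```

Pointing TOMCAT_USER at root (or at an account that resolves to uid 0) makes start_tomcat exit without launching anything, which is the Apache behaviour Pier refers to.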