Point taken about the root thing.
I took back my words that it is safe to run as root (as quoted in my mail to
Pier).

But the message I was trying to give was : who are we to tell people not to
run as root as the default tomcat installation already is hackable in 5
minutes?? (at least by Pier..). Let's first get that thing ok and send a
security advisory or something??? Pier gave a good tip that he could write
one in 5 minutes, so other people are bound to try that..
A message like :

The default installation of tomcat needs to be adjusted when using the ajp
protocol, so it only accepts connections from the 127.0.0.1 address. You
must edit the entries <blah><blah> and add the address="127.0.0.1".

Also some things you have to keep in mind when setting up ANY software,
which also includes tomcat :

- don't run as root
- apply patches to your webserver
- watch webdav modules if you run as root
- etc,etc,etc,..

Let's get this done before someone finishes that little program... Instead
of waiting for the first problem and really be on the news..

Please focus the reply on the server.xml issue instead of saying we don't
need to run as root, we got the point a couple of threads back.. I want to
hear about this issue, which we actually have CONTROL over!

The worst thing that can happen is that my cat can even break into tomcat if
someone made a nice ajp client...

Mvgr,
Martin


> -----Original Message-----
> From: Christopher Cain [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, August 18, 2001 9:13 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Tomcat before Apache
>
>
> Quoting "Pier P. Fumagalli" <[EMAIL PROTECTED]>:
>
> > I keep my stance, if I see someone saying "running (put your favourite
> > service here) as root is safe", as you did, I'll flame him. Think TWO
> > steps ahead, ALWAYS.
> >
> >     Pier (security conscious)
>
> If I may ...
>
> First of all, I have not read the thread being referenced here, and I have no
> idea who said what or why. Also, I grew up in the U.S., so I know absolutely
> _nothing_ about soccer =)
>
> I'm sure that Pier appreciates the effort of at least *trying* to help out with
> the user list, probably more than most. Most of us, myself included, don't
> spend nearly as much time as we should helping out over there. Security is just
> one of those issues you sometimes have to scream about =) If all projects out
> there had a few people like Pier who were willing to scream about it, life
> would be a lot easier.
>
> That said ... as someone whose job description often involves security
> consulting and locking down Linux boxes, I just need to say this, for the
> record: PLEASE, FOR THE LOVE OF ALL THAT IS DECENT AND HOLY, NEVER SUGGEST TO
> SOMEONE THAT THEY CAN SAFELY RUN _ANYTHING_ AS ROOT.
>
> There are some system-level processes that need root-level access, but I'm not
> talking about that. I'm talking about general software components. No matter
> how secure you think an application is ... it isn't. Just look at the whole
> BIND fiasco a few months back. Everyone stopped worrying about who BIND was
> running as, because there hadn't been any holes discovered in *years*. They got
> lazy. So when someone did eventually find a hole, countless people got a quick
> lesson in security ... the hard way.
>
> So when people ask, please don't tell them to run anything as root. In fact,
> tell them quite emphatically NOT to. Run a process that binds on a high port as
> root, and you are completely insane. Run a service on a well-known port as
> root, and it just becomes a question of "when", not "if", some script kiddie will
> make you his jail bitch. I personally know A LOT of people who stopped using
> BIND when that whole thing went down, even though it was mostly their own fault
> for not having their scripts set up right. Let's not let this happen to Tomcat,
> because in the post-Microsoft world, users are a lot less forgiving of security
> problems.
>
> - Christopher
>
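
One way to audit a server.xml for the AJP binding issue raised in this message, as an added example that is not part of the original thread or Tomcat's own code. The connector layout (`protocol="AJP/1.3"` on a `<Connector>` element), the function names and the sample file are assumptions; the message leaves the exact entries unnamed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample for illustration; not a real installation's server.xml.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8009" protocol="AJP/1.3"/>
    <Connector port="8010" protocol="AJP/1.3" address="0.0.0.0"/>
    <Connector port="8011" protocol="AJP/1.3" address="127.0.0.1"/>
    <Connector port="8012" protocol="AJP/1.3" address="::1"/>
  </Service>
</Server>
"""


def is_loopback(address):
    """True for 127.0.0.0/8, ::1 and the name 'localhost'."""
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        # Not an IP literal; only the conventional loopback name is accepted.
        return address.strip().lower() == "localhost"


def exposed_ajp_connectors(server_xml):
    """Return (port, address) for every AJP connector not bound to loopback.

    address is None when the attribute is missing, which this check treats
    as exposed, following the message's premise about the default install.
    """
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        # Assumption: AJP connectors are recognisable by "ajp" in either the
        # protocol or the className attribute.
        kind = (conn.get("protocol", "") + " " + conn.get("className", "")).lower()
        if "ajp" not in kind:
            continue
        address = conn.get("address")
        if address is None or not is_loopback(address):
            findings.append((conn.get("port"), address))
    return findings


if __name__ == "__main__":
    for port, address in exposed_ajp_connectors(SAMPLE_SERVER_XML):
        print(f"AJP connector on port {port}: address={address!r}, not loopback-only")
```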
