Hi,
You're not going to get a simple yes or no answer.  Both camps that
you cite are right.  Why run something as root if you don't have to?

Yoav Shapira
Millennium Research Informatics


>-----Original Message-----
>From: Barnet Wagman [mailto:[EMAIL PROTECTED]
>Sent: Tuesday, May 25, 2004 2:30 PM
>To: Tomcat Users List
>Subject: Tomcat as 'root' insecure? (again)
>
>This issue has been (tangentially) addressed in a number of threads on
>several lists, but the answers I've found are not exactly consistent.
>I'd appreciate this list's opinion.
>
>So, is it insecure to run standalone Tomcat as a root process on a
>Linux system?  By 'running Tomcat as a root process', I mean running
>the startup.sh script while logged in as the su (presumably with nohup).
>
>Some people seem to think that running a server as a root process is
>inherently insecure.  But I've also seen it argued that because
>standalone Tomcat runs in a Java sandbox, it is very secure independent
>of how it's running.  This makes sense to me, but I'm not very
>knowledgeable about this sort of thing.
>
>Thanks,
>
>bw
>
>PS The purpose of running as root is, of course, so that Tomcat can
>listen to ports 80 and 443.  I know that there are other ways of
>accomplishing this (using netfilter, etc.) but I'd prefer to avoid them
>if possible.  I need to run Tomcat in an environment that I don't know
>very well (a vps under redhat) - so the less I have to screw around
>with the operating system the better.  Setting Tomcat to listen to
>port 80, etc. is simple and portable, which is a big advantage for me.
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: [EMAIL PROTECTED]
>For additional commands, e-mail: [EMAIL PROTECTED]



