Let's see if I can offer a direct answer. I don't believe tomcat is insecure, but there are always those holes that haven't been found yet and a chance that the bad guys will find them first.

The best practice approach to system security is to run all processes (tomcat included) at the minimum privilege level necessary to function. That way if an as yet unknown vulnerability is discovered and the attacker achieves the same privilege level as the service, he/she still shouldn't be able to get very far. The only benefit I've ever seen to running as root is the ability to bind to privileged ports below 1024 (web port 80 is one of them). In my opinion, not a big enough gain to warrant root privilege on the tomcat process.

I use jsvc which launches as root just long enough to capture the privileged ports necessary and then drops the root privilege to run as tomcat5. Very clean, runs on startup, and I don't have to worry about some unforeseen problem giving an attacker instant root privilege.

--David

Barnet Wagman wrote:

This issue has been (tangentially) addressed in a number of threads on several lists, but the answers I've found are not exactly consistent. I'd appreciate this list's opinion.

So, is it insecure to run standalone Tomcat as a root process on a Linux system? By 'running Tomcat as a root process', I mean running the startup.sh script while logged in as the su (presumably with nohup).

Some people seem to think that running a server as a root process is inherently insecure. But I've also seen it argued that because standalone Tomcat runs in Java sandbox, it is very secure independent of how it's running. This makes sense to me, but I'm not very knowledgeable about this sort of thing.

Thanks,

bw

PS The purpose of running as root is, of course, so that Tomcat can listen to ports 80 and 443. I know that there are other ways of accomplishing this (using netfilter, etc.) but I'd prefer to avoid them if possible. I need to run Tomcat in an environment that I don't know very well (a vps under redhat) - so the less I have to screw around with the operating system the better. Setting Tomcat to listen to port 80, etc. is simple and portable, which is a big advantage for me.


--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]

