To address this a little further. Think about this: if a new hole is found that allows the attacker to put code on your machine, then think about all the possibilities of what that code could be programmed to do. Write files, read files, delete files or even run native code, just to name a few. As root there would be no limit to where the code could access, but as a lesser user the damage would be contained to just the user's environment/permissions.
As for the sandbox, I am inclined to disagree, as this in itself does not prevent the Java code from accessing things outside the JVM (see above). It does prevent JVM crashes and most problems from escaping the sandbox. Also, don't get the applet sandbox, running in a client's browser, confused with the server. It does have restrictions on what the Java code can do and access. So bottom line is, why take a chance?

Doug
www.parsonstechnical.com

----- Original Message -----
From: "David Smith" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <[EMAIL PROTECTED]>
Sent: Tuesday, May 25, 2004 4:01 PM
Subject: Re: Tomcat as 'root' insecure? (again)

> Let's see if I can offer a direct answer. I don't believe Tomcat is
> insecure, but there are always those holes that haven't been found yet
> and a chance that the bad guys will find them first.
>
> The best practice approach to system security is to run all processes
> (Tomcat included) at the minimum privilege level necessary to function.
> That way, if an as yet unknown vulnerability is discovered and the
> attacker achieves the same privilege level as the service, he/she still
> shouldn't be able to get very far. The only benefit I've ever seen to
> running as root is the ability to bind to privileged ports below 1024
> (web port 80 is one of them). In my opinion, not a big enough gain to
> warrant root privilege on the Tomcat process.
>
> I use jsvc, which launches as root just long enough to capture the
> privileged ports necessary and then drops the root privilege to run as
> tomcat5. Very clean, runs on startup, and I don't have to worry about
> some unforeseen problem giving an attacker instant root privilege.
>
> --David
>
> Barnet Wagman wrote:
>
> > This issue has been (tangentially) addressed in a number of threads on
> > several lists, but the answers I've found are not exactly consistent.
> > I'd appreciate this list's opinion.
> >
> > So, is it insecure to run standalone Tomcat as a root process on a
> > Linux system? By 'running Tomcat as a root process', I mean running
> > the startup.sh script while logged in as the su (presumably with nohup).
> >
> > Some people seem to think that running a server as a root process is
> > inherently insecure. But I've also seen it argued that because
> > standalone Tomcat runs in a Java sandbox, it is very secure independent
> > of how it's running. This makes sense to me, but I'm not very
> > knowledgeable about this sort of thing.
> >
> > Thanks,
> >
> > bw
> >
> > PS The purpose of running as root is, of course, so that Tomcat can
> > listen to ports 80 and 443. I know that there are other ways of
> > accomplishing this (using netfilter, etc.) but I'd prefer to avoid
> > them if possible. I need to run Tomcat in an environment that I don't
> > know very well (a VPS under Red Hat), so the less I have to screw
> > around with the operating system the better. Setting Tomcat to
> > listen to port 80, etc. is simple and portable, which is a big
> > advantage for me.
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
