Hi all,

I have two considerations about your Tomcat-nobody advice:

1) There is no tomcat4.conf in conf directory.

2) Your advice is to do 
   - chown nobody:nobody /usr/local/tomcat1
   - su -l -c /usr/local/tomcat1/bin/startup.sh

There is a big problem with this procedure, in my opinion: the problem 
is a security problem. We know that Apache runs as nobody, but the 
directories are root:root. The father process forks child processes 
which are nobody, so if someone tries to execute a CGI, this has no 
privilege. But if you execute "chown nobody:nobody /usr/local/tomcat1", 
all directories are nobody, so anyone can write and do everything.

I'd like to start Tomcat as Apache, with the same security policy.

Is it possible?

What do you think?

Thanks for your help

Laura
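
One way to check the concern raised in this message, as an added example that is not part of the original post: a shell function that lists every path under a directory that a given account could modify. The name `writable_by` is made up for illustration, and the check looks only at owner, group and mode bits (ACLs are not considered).

```shell
#!/bin/sh
# Added example, not from the original message.
# writable_by ACCOUNT DIR
#   Prints each path under DIR that ACCOUNT could modify because
#   - ACCOUNT owns it (an owner can always chmod the file back to writable),
#   - it is group-writable and ACCOUNT is a member of that group, or
#   - it is world-writable.
# The result is deliberately conservative: it may flag a few paths that the
# kernel would in fact refuse, but it does not miss mode-bit write access.
writable_by() {
    svc_user=$1
    tree=$2

    # One "-o ( -group GID -perm -020 )" clause per group of the account.
    # If the account has no passwd entry, id fails and no clause is added.
    group_expr=""
    for gid in $(id -G "$svc_user" 2>/dev/null); do
        group_expr="$group_expr -o ( -group $gid -perm -020 )"
    done

    # Symlinks are skipped because their own mode bits carry no meaning.
    # $group_expr is left unquoted on purpose so it splits into find arguments.
    find "$tree" ! -type l \( \
        -user "$svc_user" \
        $group_expr \
        -o -perm -002 \
    \) -print
}

# Typical call for the layout discussed in the message:
#   writable_by nobody /usr/local/tomcat1
# With a root:root tree and no group- or world-writable entries, it prints
# nothing; after "chown -R nobody:nobody" it prints every path.
```

An empty result means the account can read and execute the tree but cannot change it, which is the Apache-style setup the message asks for.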

