On Thu, 17 Oct 2002, Qmail List wrote:

> Date: Thu, 17 Oct 2002 15:03:27 -0400
> From: Qmail List <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: Tomcat Users List <[EMAIL PROTECTED]>
> Subject: Re: Best practices question
>
>
> I have been wondering about this as well. Apache screams and hollers
> BIG_SECURITY_HOLE if you compile it with the flags allowing it to run as
> root.
>
> That said, I love the fact that Tomcat runs as root. It makes it easy for
> your webapp to do things like administer applications, servers, and
> networks from a web interface.
>
> But at what cost? Of course it would be best to run Tomcat as nobody or
> tomcat user or whoever, but if your app needs some root permission at the OS
> level, is it OK to run as root?
>
> I'd imagine the root OK concept must be due to the underlying Java, but
> can't really see why or how. Anyone know?
>
>
> Great product this Tomcat. Kudos to all involved.
>

Consider the following JSP page:

    <%
      // exec() is an instance method, so go through Runtime.getRuntime().
      // The command runs with whatever OS privileges Tomcat's JVM has.
      Runtime.getRuntime().exec("/sbin/halt");
    %>

(or an equivalent servlet, but let's just make it simple for now).

If I am able to break into your system and store a copy of this JSP page
in a directory visible through Tomcat (running as root), I can shut your
computer down -- even if I broke into a non-privileged account that
cannot execute the command directly.

Or, if I was in a nastier mood, think about the impact of "rm -R /*".

Security is all about maximizing the difficulty of breaking in, and
minimizing the impact of what an attacker can do when they succeed
(there's no such thing as absolute prevention).

Craig
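A small audit script for the two preconditions of the attack Craig describes, added here as an example; it is not code from the thread or from the Tomcat project. It reports Tomcat/Catalina JVMs that run as root from ps(1)-style input, and lists paths under a served directory that an account other than its intended owner can modify (not owned by that user, or group- or world-writable), which is exactly where a less privileged account could plant the JSP page above. The sample ps output, the process-name pattern and the paths in the usage note are assumptions.

```sh
#!/bin/sh
# Added example for this thread, not code posted by Craig or shipped with
# Tomcat. It checks the two things the JSP-drop attack needs: the container
# JVM running as root, and a served directory that someone other than its
# intended owner can write into. SAMPLE_PS and the process pattern are
# assumptions made for illustration.

# Given ps(1)-style lines ("USER COMMAND ...") on stdin, print every line
# whose process runs as root and looks like a Catalina/Tomcat JVM.
# Returns 0 if at least one such process was seen, 1 otherwise.
root_tomcat_procs() {
    awk '$1 == "root" && tolower($0) ~ /catalina|tomcat/ { print; n++ }
         END { if (n > 0) exit 0; exit 1 }'
}

# Print every path under directory $1 that a user other than $2 could
# modify: not owned by $2, or group-writable (020) or world-writable (002).
# Any such path inside a webapps tree is a place an attacker holding a
# lesser account could drop the JSP page from the message above.
# Returns 0 if at least one path was printed, 1 otherwise.
writable_webapp_paths() {
    dir=$1
    owner=$2
    found=$(find "$dir" \( ! -user "$owner" -o -perm -020 -o -perm -002 \) \
            -print 2>/dev/null | sort)
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# Constructed sample of ps(1) output for an offline run (assumed paths).
# Only the first line is a problem; the second is the fix the thread points
# at, a dedicated unprivileged "tomcat" account.
SAMPLE_PS='root     /usr/bin/java -Dcatalina.home=/opt/tomcat org.apache.catalina.startup.Bootstrap start
tomcat   /usr/bin/java -Dcatalina.home=/srv/tomcat org.apache.catalina.startup.Bootstrap start
root     /usr/sbin/sshd'

# Run the process check over the constructed sample: prints the one
# offending line and returns 0.
audit_sample_ps() {
    printf '%s\n' "$SAMPLE_PS" | root_tomcat_procs
}
```

On a live host the same functions run as `ps -eo user=,args= | root_tomcat_procs` and `writable_webapp_paths /opt/tomcat/webapps tomcat` (assumed install path and service account). A clean result does not make running as root safe; it only removes the cheapest way in. The point Craig makes is about limiting impact: start the JVM under an unprivileged account, and keep the webapps tree owned by a user other than the one the JVM runs as, so that a compromised container process cannot rewrite its own pages either.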


--
To unsubscribe, e-mail:   <mailto:tomcat-user-unsubscribe@;jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-user-help@;jakarta.apache.org>
