I have been wondering about this as well. Apache screams and hollers BIG_SECURITY_HOLE if you compile it with the flags allowing it to run as root.
That said, I love the fact that Tomcat runs as root. It makes it easy for your webapp to do things admin applications, servers, and networks from a web interface. But at what cost? Of course it would be best to run Tomcat as nobody or tomcat user or whoever, but if your app needs some root permission at the OS level, is it OK to run as root? I'd imagine the root OK concept must be due to the underlying Java, but can't really see why or how. Anyone know?

Great product this Tomcat. Kudos to all involved.

----- Original Message -----
From: "Turner, John" <[EMAIL PROTECTED]>
To: "'Tomcat Users List'" <[EMAIL PROTECTED]>
Sent: Thursday, October 17, 2002 1:57 PM
Subject: RE: Best practices question

> I run Tomcat under a separate user account. I avoid running services as
> root whenever possible.
>
> John
>
> > -----Original Message-----
> > From: Randy Paries [mailto:randy.paries@;unitnet.com]
> > Sent: Thursday, October 17, 2002 1:56 PM
> > To: 'Tomcat Users List'
> > Subject: Best practices question
> >
> > Hello,
> >
> > I was wondering are most people starting tomcat from root, or are they
> > doing it other ways.
> >
> > What is the suggestion for this.
> >
> > How big are the security issues if started by root
> >
> > Would it be ok to start it by user apache?
> >
> > Thanks
> >
> > --
> > To unsubscribe, e-mail:
> > <mailto:tomcat-user-unsubscribe@;jakarta.apache.org>
> > For additional commands, e-mail:
> > <mailto:tomcat-user-help@;jakarta.apache.org>
