Sorry to tear up the message, I forgot to paste this into my first one. You should also note that if you Run Tomacat as ROOT you may be more secure against a local user trying to sabotage your Tomcat but you will be vulnerable to malicious manipulations of your servlets. It is possible for somebody use a servelets that give access to files on the system tomcat is running on to read local files, provided this person knows the correct path. If you run Tomcat as ROOT and you must if you want to use privileged ports, you must be damn sure your firewall is properly configured and that your servelets can not be abused this way. This behaviour seems to be a strange peculiarity of Java. Apache for example simply accesses privileged resources as root and then downgrades the process to a less privileged level. A Java process however which you started as ROOT in order to access a privileged resource can not be downgraded to a lower privileged status/level after accessing that resoruce. At least as far as I know, I would be happy to find out if it is possible to downgrade the privileges of the tomcat process and any of its associated processes after accessing privileged ports.
So the conclusion is that optimally tomcat shoud be started as root to access privileged ports and then downgraded by some means to a on a very restricted user accunt once it has accessed the privileged resoruces. This allows you to use default ports but the tomcat process will be running under the restricted UID, preventing malicious manipulation of servelets. Cheers KR -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
