That is true enough but those sound like workarounds. Your option #2
suggests that Apache does not have this vulnerability of having to run as
root to access privileged ports and I don't see why Tomcat should be any
different. I am still fishing for that simple attribute to be added to
tomcat, or perhaps the JVM, that would enable tomcat to somehow reduce
its privilege level after accessing privileged resources like any proper
standalone server should. I may be simplistic but it seems to me that this
would be a pretty fundamental ability for a standalone server and the
thought is just mind-blowing that the JVM does not offer something similar.
I find that hard to believe.
Cheers
KR
"Ralph Einfeldt" <[EMAIL PROTECTED]>
05.12.2002 13:38
Please respond to "Tomcat Users List"
To: "Tomcat Users List" <[EMAIL PROTECTED]>
cc:
Subject: RE: Why run tomcat as root
As I said there are at least three options:
- Use tomcat behind a webserver (Apache, IIS) and connect it
with mod_jk*
This is the best documented attempt.
- Use tomcat behind a proxy (Apache, squid, ...).
That means tomcat is still listening on 8080 and the proxy
directs the requests from port 80 to 8080
- Use Tomcat behind a port mapper
Quite (if you don't look too close) the same solution as the
proxy (iptables)
> -----Original Message-----
> From: Kristján Rúnarsson [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, December 05, 2002 2:17 PM
> To: Tomcat Users List
> Subject: RE: Why run tomcat as root
>
> But I have not been able to figure out a way to downgrade the
> privileges of the Tomcat process after it has accessed the privileged
> resources. I have been told that Apache can downgrade the
> privilege level of processes after they have accessed privileged
> resources but how do I do this to tomcat?
>
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>