IMHO this is a case of the Tomcat team being restricted by the deficiencies of Java. I apologize if I implied that they are incompetent; I did not mean to. The ability to have a parent process fork child processes that have restricted permissions is a pretty fundamental one. You say down stepping is not a requirement in a server; that is technically true. But I counter that brakes are not a requirement in a car, but it darn sure runs safer if they are installed, which is also why people would normally be surprised if they bought a car and found that brakes were not part of the specs and therefore not installed. When I started my Tomcat server and found out it could use privileged ports, I took it for granted that it forked non-privileged kids to do the work, hence my surprise when I discovered a little later that this is not the case. There should be a huge disclaimer about this on the Tomcat Web page stating that people use privileged ports at their own risk; either that, or Tomcat should ship being able to use non-privileged ports only but with some sort of a miniportmapper written in Java that could be run as root to pass the traffic on to the non-root Tomcat server. This is a nasty pitfall.
As for a downstep feature being superfluous in Windows, you are right. But then again the argument was somewhat lost on me since I don't actually consider Windows to have a serious security policy at all :-) never mind what Microsoft says in its press statements.

Best regards,
Kristján Rúnarsson, Tæknifræðingur, BSc.Eng. (Hons)
--
Íslandssími, Sóltún 26, 105 Reykjavík, Iceland
GSM: 8200222
E-mail: kristjan.runarsson@<SpamTag-RemoveThis>islandssimi.is
--
Follow cigar smoke, find fat man there....
