I think the Tomcat team assumes that anyone with root on their box doesn't
take things for granted. ;)  Tomcat/JVM isn't the only popular server
application out there that doesn't fork less-privileged children to handle
requests.

Tomcat listens for HTTP requests on port 8080 by default...I think it's a
reasonable thing to assume that anyone capable of changing that to port 80
would be cognizant of the issues involved.  

As Tim pointed out, this could technically be handled by calling a native OS
call to do the switch to a new user id, but then you would violate rule #1
of all Java-based technologies: Write Once, Run Anywhere.  If you designed a
servlet container like Tomcat (or any other Java technology) to use a native
OS call to make a uid switch in order to run, you would destroy portability.
On that note, it sounds like the proper way to handle this would be to
create a Java technology (JSUG: Java Set User and Group? :) ) that would be
included in future versions of the JVM that would handle this...that way,
all Java-based technologies could benefit from it instead of just Tomcat.
Then again, I'm no architecture designer.

Tomcat is the reference implementation.  Everyone is free to take it and
modify it to their needs as long as they're cognizant of the issues involved
and the work required to maintain the modifications as the spec changes.
Ditto the JVM itself, as I understand the licensing.

John

> -----Original Message-----
> From: Kristjan Runarsson [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, December 05, 2002 10:55 AM
> To: Tomcat Users List
> Subject: RE: Why run tomcat as root
> 
> 
> IMHO this is a case of the Tomcat team being restricted by the deficiencies of
> Java. I apologize if I implied that they are incompetent; I did not mean to.
> The ability to have a parent process fork child processes that have restricted
> permissions is a pretty fundamental one. You say down-stepping is not a
> requirement in a server; that is technically true. But I counter that brakes
> are not a requirement in a car, but it darn sure runs safer if they are
> installed; which is also why people would normally be surprised if they bought
> a car and found that brakes were not part of the specs and therefore not
> installed. When I started my tomcat server and found out it could use
> privileged ports I took it for granted that it forked non-privileged kids to do
> the work, hence my surprise when I discovered a little later that this is not
> the case. There should be a huge disclaimer about this on the Tomcat Web page
> stating that people use privileged ports at their own risk, either that or
> Tomcat should ship being able to use non-privileged ports only but with some
> sort of a mini port-mapper written in Java that could be run as root to pass
> the traffic on to the non-ROOT Tomcat server. This is a nasty pitfall.
> 
> As for a downstep feature being superfluous in Windows you are right. But then
> again the argument was somewhat lost on me since I don't actually consider
> Windows to have a serious security policy at all :-) never mind what Microsoft
> says in its press statements.
> 
> Best regards
> 
> Kristján Rúnarsson,  Engineering Technologist,  BSc.Eng. (Hons)
> 
> ---------------------------------------------------------------------------
> Íslandssími, Sóltún 26, 105 Reykjavík,
> Iceland
> GSM: 8200222
> E-mail: kristjan.runarsson@<SpamTag-RemoveThis>islandssimi.is
> ---------------------------------------------------------------------------
> Follow cigar smoke, find fat man there....
> ---------------------------------------------------------------------------
> 
> --
> To unsubscribe, e-mail:   
> <mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail: 
> <mailto:[EMAIL PROTECTED]>
> 

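The native OS call John refers to, written out as an added C example for Linux (this is not code from the thread or from Tomcat): bind the privileged port while still root, then switch uid and gid, and check that root cannot be regained. Port 80 and the `nobody` account are assumptions; pass another account name on the command line.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Step 1, still root: bind the privileged port. The socket stays usable after
 * the uid switch because the port check happens only at bind() time. */
int bind_listener(unsigned short port)
{
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_port = htons(port),
                             .sin_addr.s_addr = htonl(INADDR_ANY) };
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0 || bind(fd, (struct sockaddr *)&a, sizeof a) < 0 || listen(fd, 16) < 0) {
        if (fd >= 0) close(fd);
        return -1;
    }
    return fd;
}
/* The check: the drop is complete only if root cannot be regained and every id matches. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    if (setuid(0) == 0 || setgid(0) == 0)
        return 0;                           /* still root-capable: drop incomplete */
    return getuid() == uid && geteuid() == uid && getgid() == gid && getegid() == gid;
}

/* Step 2: switch uid/gid permanently. Order matters: supplementary groups and gid
 * first (they need root), uid last; setuid() as root also replaces the saved uid. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) { errno = EINVAL; return -1; } /* refuse a "drop" that keeps root */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    return privileges_dropped(uid, gid) ? 0 : -1;
}
int main(int argc, char **argv)
{   /* "nobody" is an assumed unprivileged account; pass another name to override */
    struct passwd *pw = getpwnam(argc > 1 ? argv[1] : "nobody");
    int fd = pw ? bind_listener(80) : -1;
    if (fd < 0 || drop_privileges(pw->pw_uid, pw->pw_gid) != 0)
        return perror("bind/drop failed"), 1;
    printf("serving port 80 as uid %u; root cannot be regained\n", (unsigned)getuid());
    return 0;
}
```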