Hi, Logo,

My current practice is as you suggest.
Thank you for your advice.

Yours truly,
Kazuhiko Kohmoto

On 2020/05/13 15:48, logo wrote:
Hi calder,

Am 13.05.2020 um 04:59 schrieb calder <calder....@gmail.com>:

On Tue, May 12, 2020, 21:48 kohmoto <kohm...@iris.eonet.ne.jp> wrote:

Hi, Calder,

Thank you for your prompt reply.
I think Tomcat binary files all have root priviledges.
Should these priviledges should be changed to user priviledges?

I would suggest to leave the binaries and maybe even config files to root or 
any other admin. So a hacked tomcat process under tomcat user will not be able 
to exchange config or even binaries.
That will only work if the config will not be changed via host-manager or 

In the past we even held the installed webapps under a different user. but that 
maybe difficult in automated deployments.

My 2cts.


There is a "Tomcat Security" guide at the Tomcat website.  Also, Mulesoft
has a good guide

Your truly,
Kazuhiko Kohmoto

On 2020/05/13 11:17, calder wrote:
If TC, running as root, is ever compromised, the compromising user
(attacker) can gain access to the whole of the system.  The attacker
execute any arbitrary command available on the system.  They could remove
files, or install malicious software.

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to