WebApp Sec mailing list archives
Re: Tomcat on port 80 or Java as root
From: <d31ik47 () yahoo com>
Date: 12 Mar 2004 19:30:31 -0000
In-Reply-To: <405088F0.9020906 () myrealbox com>
What are the implications of running tomcat as root (i.e. to run tomcat on port 80)? Is Java secure enough to run as root, or should I run something like Apache in front?
No matter how secure Java or tomcat may be, you don't want to run a server as root.

Running tomcat behind a pure webserver is not any more secure than running tomcat standalone. If anything it's probably less secure, because tomcat isn't susceptible to the traditional buffer overflows that can exist in native applications like apache. (I don't know much about tux, but I'm guessing it's a native app written in C like apache.) Using those servers as a front-end will just open you up to any of the vulnerabilities they may have instead.

The main purpose for running a pure webserver as a front-end to apache is for performance. For example, you may have a web application that has loads of static html as well as some servlets and/or jsps. With a hybrid apache & tomcat solution, you could let the static html get served by apache so tomcat only has to deal with the servlet/jsp requests.

However, it looks like what you really want to do is run tomcat on port 80, and there are better ways to do that. One of the cleanest is to use iptables to redirect requests from the port you want connections on (i.e. 80) to whatever port you are actually running tomcat on (i.e. 8080). Here's an article explaining the iptables technique (and others): http://www-106.ibm.com/developerworks/java/library/l-secjav.html

Another security technique mentioned in the article is running tomcat in a chroot jail. This won't help you run tomcat on a restricted port, though; it's just a good idea in general. This pdf excerpt from a tomcat book goes into much better detail on the chroot solution: http://www.oreilly.com/catalog/tomcat/chapter/ch06.pdf

- cdelikat
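The iptables redirect recommended above, written out as an added example (this is not code from the list post or from the linked article). It assumes a Linux host with iptables and its nat table, Tomcat already bound to 8080 as an unprivileged user, and the port numbers 80/8080 are illustrative; the `java_as_root_count` helper is an added sanity check for the "don't run as root" point and is not something the post describes:

```shell
#!/bin/sh
# Added example: keep Tomcat on an unprivileged port and let the kernel
# redirect privileged port 80 to it, so no Java process ever needs root.
# Assumptions (illustrative): iptables with the nat table is available,
# Tomcat listens on 8080 on this host, and port numbers are passed by the caller.

# Print (do not run) the iptables rules that redirect public port $1 to $2.
# Both arguments are validated as plain integers before they reach eval.
tomcat_redirect_rules() {
    pub="$1"; priv="$2"
    case "$pub$priv" in
        ""|*[!0-9]*) echo "ports must be numeric" >&2; return 1 ;;
    esac
    # Connections arriving from other hosts go through PREROUTING.
    echo "iptables -t nat -A PREROUTING -p tcp --dport $pub -j REDIRECT --to-ports $priv"
    # Connections from the host itself (e.g. curl http://localhost/) skip
    # PREROUTING, so the same redirect is needed on the OUTPUT chain for lo.
    echo "iptables -t nat -A OUTPUT -o lo -p tcp --dport $pub -j REDIRECT --to-ports $priv"
}

# Apply the rules as root. With DRY_RUN=1 the rules are only printed.
apply_redirect() {
    tomcat_redirect_rules "$1" "$2" | while IFS= read -r rule; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "$rule"
        else
            eval "$rule"
        fi
    done
}

# Count java processes owned by root; 0 is the state you want after the
# redirect is in place and Tomcat has been moved to its own service account.
java_as_root_count() {
    ps -eo user,comm 2>/dev/null | awk '$1 == "root" && $2 == "java" { n++ } END { print n+0 }'
}

# Usage: sh redirect.sh show      -> print the rules
#        sh redirect.sh apply     -> install them (run as root)
#        sh redirect.sh check     -> count java processes running as root
case "${1:-}" in
    show)  tomcat_redirect_rules 80 8080 ;;
    apply) apply_redirect 80 8080 ;;
    check) java_as_root_count ;;
esac
```

The REDIRECT target only rewrites the destination port, so Tomcat still sees the client's real address in its access logs; the rules are not persistent across reboots and must be saved with whatever mechanism the distribution provides.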
Current thread:
- Re: Tomcat on port 80 or Java as root, (continued)
- Re: Tomcat on port 80 or Java as root Aleksi Kallio (Mar 13)
- Re: Tomcat on port 80 or Java as root Dave Ockwell-Jenner (Mar 13)
- Re: Tomcat on port 80 or Java as root David Wall @ Yozons, Inc. (Mar 13)
- Re: Tomcat on port 80 or Java as root George Georgalis (Mar 13)
- RE: Tomcat on port 80 or Java as root urgoez (Mar 13)
- Re: Tomcat on port 80 or Java as root Daniel (Mar 12)
- RE: Tomcat on port 80 or Java as root Marc Deglos (Mar 12)
- Re: Tomcat on port 80 or Java as root Rajkumar S (Mar 13)
- Re: Tomcat on port 80 or Java as root Grega Bremec (Mar 14)
- RE: Tomcat on port 80 or Java as root Martin Gil (Mar 13)
- Re: Tomcat on port 80 or Java as root d31ik47 (Mar 13)
- Re: Tomcat on port 80 or Java as root Daniel (Mar 13)
- Re: Tomcat on port 80 or Java as root Daniel (Mar 13)