Re: Tomcat on port 80 or Java as root

[<d31ik47 () yahoo com>]

In-Reply-To: <405088F0.9020906 () myrealbox com>

> What are the implications of running tomcat as root(ie to run tomcat on 
> port 80) Is java secure enough to run as root, or should I run some 
> thing like apache in front ?

No matter how secure java or tomcat may be, you don't want to run a server
as root. Running tomcat behind a pure webserver is not any more secure than
running tomcat standalone.  If anything its probably less secure because
tomcat isn't susceptible to the traditional buffer overflows that can exist in
native applications like apache. (I don't know much about tux but I'm guessing
its a native app written in c like apache).

Using those servers as a front-end will just open you up to any of the
vulnerabilities they may have instead.  The main purpose for running a pure
webserver as a front-end to apache is for performance.  For example, you may
have a web application that has loads of static html as well
as some servlets and/or jsps.  With a hybrid apache & tomcat solution, you
could let the static html get served by apache so tomcat only has to deal with
the servlet/jsp requests.

However, it looks like what you really want to do is run tomcat on port 80
and there are better ways to do that.  One of the cleanest is to use iptables
to redirect requests from the port you want connections on (ie: 80) to whatever
port you are actually running tomcat on (ie: 8080).

Here's an article explaining the iptables technique (and others):

http://www-106.ibm.com/developerworks/java/library/l-secjav.html

Another security technique mentioned in the article is running tomcat in
a chroot jail.  This wont help you run tomcat on a restricted port though,
its just a good idea in general.  This pdf excerpt from a tomcat book goes
into much better detail on the chroot solution:

http://www.oreilly.com/catalog/tomcat/chapter/ch06.pdf

-
cdelikat