WebApp Sec mailing list archives
Re: Tomcat on port 80 or Java as root
From: Grega Bremec <gregab () noviforum si>
Date: Sun, 14 Mar 2004 16:18:47 +0100
...and on Fri, Mar 12, 2004 at 02:22:24PM +0000, Marc Deglos used the keyboard:
> > What are the implications of running tomcat as root (ie to run tomcat on port 80)
>
> The use of the word 'root' is misleading - IMO, this reference to 'root' does not correlate to the root user. The question seems to be: "What are the implications of allowing web traffic to connect directly to Tomcat, instead of through apache?"
>
> //Marc.
Actually, hehe. :) There are even more possible interpretations of this question:

a) running Tomcat as a super-user (root/administrator, uid 0 on UNIX)
b) running Tomcat with a built-in HTTP connector (Coyote or the standard one) on port 80
c) running Tomcat in the ROOT context (i.e., with a web application mapped to the root of a particular virtual host :))

I think though the question was regarding both of the first two interpretations, as the third one is obviously quite irrelevant. :) It just serves as another proof that expressing oneself accurately enough can never be made too important. :)

My hint about that would be - you probably don't want to be running the built-in HTTP connector as it is simply too latent and expensive, which also eliminates the possible issue of Tomcat running as the root user. You are better off using an AJP connector of some kind, as request data is represented in a condensed binary form better suited for Tomcat to process.

Even if you were to run the internal HTTP connector though, the problem is easily solvable using iptables and local NAT using the REDIRECT target. You could simply redirect all incoming packets from port 80 to port 8080 on the local loopback interface.

Again, even if you were to run Tomcat as the root user, the Java virtual machine is so self-contained that there are practically no security implications past the one of being exposed to DoS conditions due to resource drainage, but that is not even such an issue any more - if you have powerful enough a machine to afford running the Coyote HTTP connector, you have powerful enough a machine to not be concerned about Java consuming all your CPU time and choking other applications.
Rule of thumb - we run four frontends to back up a site that gets hit by an average of just under four million requests daily (actually, the daily average for February was 3.3e+6 hits due to a reduced load on weekends, but peak usage actually exceeds 4e+6 daily requests, revolving somewhere around 50 served requests per second), approximately half of which are requests for JSP documents. We use Apache to serve as the HTTP connector for Resin backends. Machines are all hyperthreaded dual P4/Xeons with 512KB L2 cache, running at frequencies between 2.4 and 2.8GHz, with between 1GB and 2GB RAM.

Hope this helped,
-- 
Grega Bremec
Senior Administrator
Noviforum Ltd., Software & Media
http://www.noviforum.si/
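The iptables REDIRECT approach Grega describes, written out as a small POSIX shell script. This is an added example, not code from the post or from the Tomcat/Apache projects: it assumes Tomcat's HTTP connector listens on 8080 (overridable via TOMCAT_PORT), that the public interface is eth0 (PUBLIC_IF), and the function names are mine. Without arguments it prints the two nat rules it would install (the PREROUTING rule for traffic from the network, plus an OUTPUT rule so that connections made from the box itself to port 80 are also redirected); with --apply it installs them, and the tomcat_runs_as_root helper lets you confirm that the JVM you are fronting is in fact not uid 0, since keeping it unprivileged is the reason for the redirect.

```shell
#!/bin/sh
# Added example (not from the original post): expose an unprivileged Tomcat
# on port 80 via iptables REDIRECT so the JVM never needs to run as root.
# Assumptions (mine): connector on 8080, public interface eth0, iptables present.

TOMCAT_PORT=${TOMCAT_PORT:-8080}
PUBLIC_IF=${PUBLIC_IF:-eth0}

# Traffic arriving from the network: rewrite dport 80 -> TOMCAT_PORT before
# routing. REDIRECT delivers it to the primary address of the incoming
# interface, which for a local listener is exactly what we want.
prerouting_rule() {
    echo "iptables -t nat -A PREROUTING -i $PUBLIC_IF -p tcp --dport 80 -j REDIRECT --to-ports $TOMCAT_PORT"
}

# Locally generated traffic (e.g. a health check against http://localhost/)
# never passes PREROUTING, so it needs the same rewrite in the nat OUTPUT chain.
output_rule() {
    echo "iptables -t nat -A OUTPUT -o lo -p tcp --dport 80 -j REDIRECT --to-ports $TOMCAT_PORT"
}

# Returns success (0) if the process with the given pid is owned by root.
# Use it against the Tomcat JVM's pid: a non-zero result is the desired state.
tomcat_runs_as_root() {
    owner=$(ps -o user= -p "$1" 2>/dev/null)
    [ "$owner" = "root" ]
}

main() {
    case "${1:-}" in
        --apply)
            eval "$(prerouting_rule)"
            eval "$(output_rule)"
            # Show the resulting nat table so the change can be verified.
            iptables -t nat -L -n --line-numbers
            ;;
        *)
            echo "# dry run; re-run with --apply (as root, once) to install:"
            prerouting_rule
            output_rule
            ;;
    esac
}

main "$@"
```

Run it once without arguments to see the rules, then `./redirect80.sh --apply` to install them; afterwards `tomcat_runs_as_root <pid>` should fail (non-zero), confirming the service account, not root, owns the listener on 8080.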