WebApp Sec mailing list archives
Re: Tomcat on port 80 or Java as root
From: Daniel <daniel () dev ugc-labs co uk>
Date: 12 Mar 2004 14:48:39 -0000
In-Reply-To: <4051C7A0.5080505 () nomensa com>

If we look at how Apache does it, as soon as it receives a request it drops the uid from root to nobody (or whoever your least privileged user is) before serving that page. Tomcat on the other hand would serve the files under the root owner (correct me if I'm wrong here) and the Java VM cannot support setuid() calls. Also you need to look at the whole threading option as well. What about port forwarding?
Message-ID: <4051C7A0.5080505 () nomensa com>
Date: Fri, 12 Mar 2004 14:22:24 +0000
From: Marc Deglos <md () nomensa com>
To: webappsec () securityfocus com
Subject: RE: Tomcat on port 80 or Java as root

> What are the implications of running tomcat as root (ie to run tomcat on port 80)

The use of the word 'root' is misleading - IMO, this reference to 'root' does not correlate to the root user. The question seems to be: "What are the implications of allowing web traffic to connect directly to Tomcat, instead of through apache?"

//Marc.
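The port-forwarding alternative Daniel raises, as an added shell example that is not part of the thread: it prints the Linux iptables rules that send inbound port 80 to Tomcat's unprivileged connector port, and includes a check over `ps` output that flags any java process still owned by root. The use of iptables, the Tomcat connector port 8080 (its default) and the sample `ps` output are all assumptions made here, not facts from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: Linux, iptables available,
# Tomcat's HTTP connector on 8080 (its default); both port numbers are assumptions.
set -eu

# Print (do not apply) the nat rules that redirect inbound TCP/$1 to TCP/$2.
# With this in place the JVM binds only an unprivileged port, so Tomcat can
# run as an ordinary user and never needs root or a setuid() it cannot make.
redirect_rules() {
    from=$1
    to=$2
    # connections arriving from the network
    echo "iptables -t nat -A PREROUTING -p tcp --dport $from -j REDIRECT --to-ports $to"
    # connections from the host itself (PREROUTING is not consulted for loopback)
    echo "iptables -t nat -A OUTPUT -o lo -p tcp --dport $from -j REDIRECT --to-ports $to"
}

# Read `ps -eo user,pid,comm` output on stdin; print the PID of every java
# process owned by root.
root_java_pids() {
    awk '$1 == "root" && $3 == "java" { print $2 }'
}

# Same input; succeed only when no java process runs as root, so a deploy
# script can use it as a gate:  ps -eo user,pid,comm | check_no_root_java
check_no_root_java() {
    pids=$(root_java_pids)
    if [ -n "$pids" ]; then
        echo "java running as root (pid $pids)" >&2
        return 1
    fi
    echo "no java process runs as root"
}

# Constructed sample of ps output (not captured from a real system), used
# by the demonstration below; it deliberately contains one root-owned JVM.
SAMPLE_PS='USER       PID COMMAND
root         1 init
tomcat    1234 java
root      2345 java
nobody    3456 httpd'

# Print the rules, then run the check against the sample (exits 1 on pid 2345).
demo() {
    redirect_rules 80 8080
    printf '%s\n' "$SAMPLE_PS" | check_no_root_java
}

# Usage: sh tomcat80.sh demo
if [ "${1:-}" = "demo" ]; then demo; fi
```

On a live host replace the sample with `ps -eo user,pid,comm | check_no_root_java`; the iptables lines are printed rather than executed so they can be reviewed before being applied.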