WebApp Sec mailing list archives

Re: Tomcat on port 80 or Java as root


From: Grega Bremec <gregab () noviforum si>
Date: Sun, 14 Mar 2004 16:18:47 +0100

...and on Fri, Mar 12, 2004 at 02:22:24PM +0000, Marc Deglos used the keyboard:
> > What are the implications of running tomcat as root (ie to run tomcat
> > on port 80)
>
> The use of the word 'root' is misleading - IMO, this reference to 'root'
> does not correlate to the root user.
>
> The question seems to be:
> "What are the implications of allowing web traffic to connect directly
> to Tomcat, instead of through apache?"
>
> //Marc.

Actually, hehe. :)

There are even more possible interpretations of this question:

    a) running Tomcat as a super-user (root/administrator, uid 0 on UNIX)
    b) running Tomcat with a built-in HTTP connector (Coyote or the standard
        one) on port 80
    c) running Tomcat in the ROOT context (i.e., with a web application
        mapped to the root of a particular virtual host :))

I think though the question was regarding both of the first two
interpretations, as the third one is obviously quite irrelevant. :)

It just serves as another proof that expressing oneself accurately enough
can never be made too important. :)

My hint about that would be - you probably don't want to be running the
built-in HTTP connector as it is simply too latent and expensive, which
also eliminates the possible issue of Tomcat running as the root user.
You are better off using an AJP connector of some kind as request data
is represented in a condensed binary form better suited for Tomcat to
process.

Even if you were to run the internal HTTP connector though, the problem is
easily solvable using iptables and local nat using the REDIRECT target.
You could simply redirect all incoming packets from port 80 to port 8080
on the local loopback interface.

Again, even if you were to run Tomcat as the root user, the Java virtual
machine is so self-contained that there are practically no security
implications past the one of being exposed to DoS conditions due to
resource drainage, but that is not even such an issue any more - if you
have powerful enough a machine to afford running Coyote HTTP connector,
you have powerful enough a machine to not be concerned about Java consuming
all your CPU time and choking other applications.

Rule of thumb - we run four frontends to back up a site that gets hit by
an average of just under four million requests daily (actually, daily
average for February was 3.3e+6 hits due to a reduced load on weekends,
but peak usage actually exceeds 4e+6 daily requests, revolving somewhere
around 50 served requests per second), approximately half of which are
requests for JSP documents. We use Apache to serve as HTTP connector for
Resin backends. Machines are all hyperthreaded dual P4/Xeons with 512KB
L2 cache, running on frequencies between 2.4 and 2.8GHz, and between 1GB
and 2GB RAM.

Hope this helped,
-- 
    Grega Bremec
    Senior Administrator
    Noviforum Ltd., Software & Media
    http://www.noviforum.si/
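
The port 80 to 8080 redirect described in the message above, as an added example that is not part of the original post. It assumes Linux with iptables and a Tomcat HTTP connector on port 8080 under an unprivileged account; the function names and the `REDIRECT_APPLY` variable are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original message. Assumes Linux with iptables
# and Tomcat's HTTP connector on port 8080 under an unprivileged account.

# Succeeds when PORT can only be bound by root (ports below 1024).
needs_root() { [ "$1" -ge 1 ] && [ "$1" -lt 1024 ]; }

# Print the nat rules that redirect PUBLIC to BACKEND. Refuses a BACKEND that
# would itself need root, since that defeats the purpose of the redirect.
redirect_rules() {
    public=$1
    backend=$2
    if needs_root "$backend"; then
        echo "backend port $backend still requires root" >&2
        return 1
    fi
    # Packets arriving from the network traverse PREROUTING. REDIRECT rewrites
    # the destination to the primary address of the incoming interface, so the
    # connector must listen on that address (or on all addresses).
    echo "iptables -t nat -A PREROUTING -p tcp --dport $public -j REDIRECT --to-ports $backend"
    # Locally generated connections skip PREROUTING; the OUTPUT chain sees them.
    echo "iptables -t nat -A OUTPUT -o lo -p tcp --dport $public -j REDIRECT --to-ports $backend"
}

# Print the uids of running java processes; uid 0 means Tomcat runs as root.
java_uids() { ps -eo uid=,comm= | awk '$2 == "java" { print $1 }' | sort -u; }

# Rules are applied only on request: REDIRECT_APPLY=1 sh redirect.sh (as root).
if [ "${REDIRECT_APPLY:-0}" = 1 ]; then
    redirect_rules 80 8080 | sh -e
    if java_uids | grep -qx 0; then
        echo "warning: a java process is running as uid 0" >&2
    fi
fi
```

Port 8080 stays directly reachable from the network unless it is filtered separately.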

