Re: Tomcat 3.3 / 4.0 ? When?

To: debian-java@lists.debian.org
Subject: Re: Tomcat 3.3 / 4.0 ? When?
From: Max Kellermann <max.kellermann@epost.de>
Date: Sat, 1 Dec 2001 11:05:49 +0100
Message-id: <[🔎] 20011201110549.A21985@mupo.de>
Mail-followup-to: debian-java@lists.debian.org
In-reply-to: <87wv080x0b.fsf@andor.geens.internal>; from ggeens@iname.com on Fri, Nov 30, 2001 at 10:28:04PM +0100
References: <Pine.LNX.4.33.0111301442560.1053-100000@gradall.private.brainfood.com> <87wv080x0b.fsf@andor.geens.internal>

On 2001/11/30 22:28
> >>>>> "Adam" == Adam Heath <doogie@debian.org> writes:
> 
> >>>>> "Stefan" == Stefan Gybas wrote:
> Stefan> Fine, and the Debian package uses the same user as Apache
> Stefan> (default: www-data), also for security reasons :)
> 
> Adam> I consider that a bug, and should probably file one. tomcat
> Adam> should not run as the same user as apache, for security reasons.
> 
> It's an option - see /etc/defaults/tomcat
> 
> And out of curiosity: how does that count as a security risk?

Not really a security risk, as it does not open new holes, but running both with the same UIDs means they've got the same permissions on the system. In most cases, the work they do will be very different.. e.g. Tomcat as backend, and has access to everything, listens only to localhost, and Apache (cgi/php whatever) as frontend for the service. Someone gets a shell using an Apache security hole - and has also full access to the backend because it's the same user.

May be paranoid, but these small things are part of the concept which makes unix superior to windows. Just think of all the windows NT machines who have IIS running as root ;)

Regards,
Max

Reply to:

Follow-Ups:
- Re: Tomcat 3.3 / 4.0 ? When?
  - From: Guy Geens <ggeens@iname.com>

Next by Date: Re: Tomcat 3.3 / 4.0 ? When?
Next by thread: Re: Tomcat 3.3 / 4.0 ? When?
Index(es):
- Date
- Thread