WebApp Sec mailing list archives
Re: Tomcat on port 80 or Java as root
From: Aleksi Kallio <aleksi.kallio () csc fi>
Date: Fri, 12 Mar 2004 16:54:41 +0200
> AFAIK tomcat is a servlet container running on apache.
> well... apache webserver should never be run as "root" for various security
> reasons.
>
Tomcat was running on Apache years ago. Nowadays Tomcat is a standalone web+application server.
It is true that running Tomcat with root privileges is not a good idea, though Tomcat has quite a good track record in security. The problem is that Tomcat is 100% Java and OS-dependent stuff like changing to lesser than root permissions after startup is not possible. Of course you can run in >1024 ports, but if you want to use 80, there are at least two good possibilities:
- Use Apache as front end and mod_jk2/AJP for communication between Apache and Tomcat
- Use iptables to route traffic between 80 and the actual port Tomcat uses
The AJP-protocol could be documented a lot better and the Apache-Tomcat cooperation requires some extra configuring, so I would recommend the latter one. It has worked perfectly and takes twenty seconds to implement.
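The iptables option recommended in the message above, sketched as an added example that is not part of the original post. It assumes Tomcat listens on port 8080 under an unprivileged account; the port numbers and function names are illustrative.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed values: Tomcat listens on
# 8080 as an unprivileged user; function names are illustrative.

# True when $1 is a decimal TCP port number (1-65535).
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print nat-table rules in iptables-restore format so they can be reviewed
# before loading. Refuses a privileged (<1024) backend port, because binding
# it would put Tomcat back under root.
redirect_rules() {
    public_port=$1
    tomcat_port=$2
    is_port "$public_port" && is_port "$tomcat_port" || {
        echo "usage: redirect_rules PUBLIC_PORT TOMCAT_PORT" >&2
        return 2
    }
    if [ "$tomcat_port" -lt 1024 ]; then
        echo "port $tomcat_port is privileged; Tomcat would need root" >&2
        return 1
    fi
    # PREROUTING handles connections arriving from the network. Locally
    # generated packets skip PREROUTING, so loopback clients need OUTPUT.
    cat <<EOF
*nat
-A PREROUTING -p tcp --dport $public_port -j REDIRECT --to-ports $tomcat_port
-A OUTPUT -o lo -p tcp --dport $public_port -j REDIRECT --to-ports $tomcat_port
COMMIT
EOF
}

# Load the rules (run as root). --noflush appends to the existing ruleset,
# so running this twice adds duplicate rules.
apply_redirect() {
    rules=$(redirect_rules "$1" "$2") || return
    printf '%s\n' "$rules" | iptables-restore --noflush
}

# Usage, as root:  apply_redirect 80 8080
# Tomcat's own port (8080 here) stays reachable directly after the redirect.
```

Only the rule loading needs root; the Tomcat process itself keeps running as its unprivileged user on the high port.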