Hi, Linux newbie calling for -conceptual- help! I am interested in the topic of configuring services, Java based services (web servers + servlet engines) in particular. I have seen a lot that most Linux gurus agree that no service should start with root credentials, and some of them insist in using something called chroot. My question and doubts: 1) If Java does not suffer from buffer overflow attacks (right?), why is so important to run a WebServer under other user's credentials?, assuming the WebServer DOES NOT contain a severe security hole, one that may allow to run O.S. commands to delete directories and so on. 2) Somewhere I read that even after assigning a secure credential to a servlet engine running as a service, it was possible for the servlet engine to access files in other directories, and because of this it was necessary to use chroot, which seemed to me a pain in the class, after I read the step-by-step tutorial. Why a servlet engine can access certain directories if it is using a non-root credential? is this information correct? 3) Is startproc the right tool to launch a java process with a secure user credential (a non root credential)? Thank you very much for your replies. Martin - http://java.megaserv.com (Java Portal in spanish)