Mailinglist Archive: opensuse-security (685 mails)

Re: [suse-security] Tomcat running as root
  • From: Roman Drahtmueller <draht@xxxxxxx>
  • Date: Mon, 25 Feb 2002 13:36:58 +0100 (MET)
  • Message-id: <Pine.LNX.4.44.0202251331230.8045-100000@xxxxxxxxxxxx>
> I've contacted security@xxxxxxx twice with this topic - no reply. Having
> detected that the default implementation of tomcat (Java servlet
> container and webserver) is started as root and doesn't change its
> identity, I'm quite alarmed.

I'm sorry that we couldn't get back to you yet - we've been quite busy
lately, and other security problems are eating up our time.

> Thought everybody running tomcat should know this - especially when you
> allow foreign code (servlets) to be executed on your server. I believe
> it'd be better to change the startup script to use "sudo" to run as some
> other user (wwwrun?).
> Hopefully somebody at SuSE will react to this posting and change this
> default behaviour in the next version or security update.

We'll dig into it, yes. This issue is not nice, but it doesn't qualify
for high priority.

Thank you again for your patience.

> Regards,
> Olaf

--
Roman Drahtmüller <draht@xxxxxxx>
SuSE GmbH - Security, Nürnberg, Germany
Phone: +49-911-740530
"You don't need eyes to see, you need vision!" (Maxi Jazz, Faithless)
