> I've contacted security@suse.de twice with this topic - no reply. Having detected that the default implementation of tomcat (Java servlet container and webserver) is started as root and doesn't change its identity, I'm quite alarmed.
I'm sorry that we couldn't get back to you yet - we've been quite busy lately, and other security problems are eating up our time.
> I thought everybody running tomcat should know this - especially when you allow foreign code (servlets) to be executed on your server. I believe it'd be better to change the startup script to use "sudo" to run as some other user (wwwrun?).
> Hopefully somebody at SuSE will react to this posting and change this default behaviour in the next version or security update.
We'll dig into it, yes. This issue is not nice, but it doesn't qualify for high priority. Thank you again for your patience.
> Regards,
> Olaf
Thanks,
Roman.
-- 
| Roman Drahtmüller      <draht@suse.de> // "You don't need eyes to see,
  SuSE GmbH - Security           Phone: //  you need vision!"
| Nürnberg, Germany      +49-911-740530 //         Maxi Jazz, Faithless
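Two things a reader of this thread would want next: a check that tells whether the tomcat JVM on a box is really running as root, and a start-up wrapper that hands the container to an unprivileged account before the JVM starts. The script below is an added example; it is not code from the thread, from Olaf, or from SuSE's tomcat package. It assumes the account is called wwwrun (Olaf's suggestion), that tomcat is installed under /usr/share/tomcat, a procps-style `ps -eo user,pid,args`, and a `su` that accepts -s and -c (GNU or BusyBox). It switches identity with su rather than the sudo Olaf mentions: su invoked by root prompts for nothing and needs no sudoers entry, and the result (the JVM runs as wwwrun) is the same.

```shell
#!/bin/sh
# Added example for the thread above; not code from the original posting nor
# from SuSE's tomcat package. Assumptions: unprivileged account wwwrun, tomcat
# under /usr/share/tomcat, procps `ps`, and a `su` that takes -s and -c.

TOMCAT_USER=${TOMCAT_USER:-wwwrun}             # assumed account name
TOMCAT_HOME=${TOMCAT_HOME:-/usr/share/tomcat}  # assumed install path
TOMCAT_START="$TOMCAT_HOME/bin/startup.sh"     # assumed start script

# Check: read "USER PID COMMAND ..." lines on stdin (the shape of
# `ps -eo user,pid,args`) and print the PID of every JVM that looks like
# tomcat (tomcat/catalina on its command line) and is owned by root.
# The header line and non-JVM processes such as the shell wrapper around
# startup.sh are ignored: only the process that serves requests and runs the
# servlets matters.
root_tomcat_pids() {
    awk '$1 == "root" && $3 ~ /java$/ && $0 ~ /tomcat|catalina/ { print $2 }'
}

# Same check against the live process table; returns 1 when a root JVM is
# found, so it can be run from cron or as a post-install test.
audit_live() {
    pids=$(ps -eo user,pid,args | root_tomcat_pids)
    if [ -n "$pids" ]; then
        echo "tomcat JVM running as root, pid(s): $pids" >&2
        return 1
    fi
    echo "no tomcat JVM running as root"
}

# Fix: run the container as an unprivileged user from the start-up script.
# Called by root (the normal case for an init script) it switches identity
# with su before the JVM is started, so the JVM never runs with uid 0; su run
# by root asks no password, so no sudoers entry is needed. Called as the
# target user it runs the command directly. Any other caller, and any request
# to use root as the target, is refused with status 2.
start_as() {
    target=$1; shift
    if [ "$target" = root ]; then
        echo "refusing to start the servlet container as root" >&2
        return 2
    fi
    if [ "$(id -un)" = "$target" ]; then
        sh -c "$*"
    elif [ "$(id -u)" = 0 ]; then
        su -s /bin/sh -c "$*" "$target"
    else
        echo "refusing: running as $(id -un), wanted $target or root" >&2
        return 2
    fi
}

# Constructed process snapshot in the shape of `ps -eo user,pid,args`
# (not real data): one tomcat JVM as root, one as wwwrun, plus the shell
# wrapper around startup.sh and unrelated daemons.
SAMPLE_PS='USER PID COMMAND
root 1 /sbin/init
root 117 /usr/lib/java/bin/java -classpath /usr/share/tomcat/lib/tomcat.jar org.apache.tomcat.startup.Main start
wwwrun 233 /usr/sbin/httpd -f /etc/httpd/httpd.conf
wwwrun 512 /usr/lib/java/bin/java org.apache.catalina.startup.Bootstrap start
root 640 /bin/sh /usr/share/tomcat/bin/startup.sh'

# Audit the snapshot: prints 117, the JVM that should have been started as wwwrun.
printf '%s\n' "$SAMPLE_PS" | root_tomcat_pids

# In the init script the start line would then read (needs root and an
# installed tomcat, so it is not executed here):
#   start_as "$TOMCAT_USER" "$TOMCAT_START"
```

The audit only reports JVMs whose command line mentions tomcat or catalina, so an unrelated Java daemon that legitimately runs as root is not flagged; widen the pattern if tomcat is started through another launcher on the box. Dropping privileges this way also means the container can no longer bind ports below 1024, so the connector has to stay on a high port (8080 is tomcat's default) or sit behind a reverse proxy that owns port 80.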