Mailinglist Archive: opensuse-security (685 mails)

Tomcat running as root
  • From: Olaf Kock <suse@xxxxxxxxxxx>
  • Date: Mon, 25 Feb 2002 09:34:13 +0100
  • Message-id: <3C79F705.B210D9F3@xxxxxxxxxxx>

Hi,

I've contacted security@xxxxxxx twice with this topic - no reply. Having
detected that the default implementation of tomcat (Java servlet
container and webserver) is started as root and doesn't change its
identity, I'm quite alarmed.

Thought everybody running tomcat should know this - especially when you
allow foreign code (servlets) to be executed on your server. I believe
it'd be better to change the startup script to use "sudo" to run as some
other user (wwwrun?).

Hopefully somebody at SuSE will react to this posting and change this
default behaviour in the next version or security update.

Regards,

Olaf

--

abstrakt gmbh
Behringstrasse 16b
22765 Hamburg
Tel: +49-40-39804630
Fax: +49-40-39804639
http://www.abstrakt.de/

We have moved. Please note
the new address + telephone no.
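
The condition reported in the post above can be checked from a process listing. The script below is an added example and is not part of the original post or of any SuSE startup script; it assumes Linux `ps -eo euid=,pid=,args=` output and recognises Tomcat by the `org.apache.catalina.` / `org.apache.tomcat.` main-class package prefix, and the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the format of: ps -eo euid=,pid=,args=
SAMPLE_PS='    0   412 /usr/lib/java/bin/java -Dcatalina.home=/opt/tomcat org.apache.catalina.startup.Bootstrap start
   30   977 /usr/lib/java/bin/java -Dcatalina.home=/opt/tomcat org.apache.catalina.startup.Bootstrap start
    0   975 sudo -u wwwrun /usr/lib/java/bin/java org.apache.catalina.startup.Bootstrap start
    0   501 /usr/sbin/httpd -f /etc/httpd/httpd.conf
    0   633 /usr/lib/java/bin/java -jar /opt/other/app.jar'

# Print the PID of every Tomcat JVM whose effective UID is 0.
# stdin: lines of "EUID PID COMMAND ARGS..."
find_root_tomcat() {
    awk '
    $1 == 0 {
        # Only the JVM itself counts. A root-owned "sudo -u wwwrun java ..."
        # parent carries the class name in its arguments but is not the JVM.
        n = split($3, path, "/")
        if (path[n] != "java") next
        for (i = 4; i <= NF; i++) {
            # Assumption: Tomcat is identified by its main-class package prefix.
            if ($i ~ /^org\.apache\.(catalina|tomcat)\./) { print $2; next }
        }
    }'
}

# Return 1 if any root-owned Tomcat JVM is found, so the check can gate
# an init script or a monitoring probe.
check_tomcat_not_root() {
    pids=$(find_root_tomcat)
    if [ -n "$pids" ]; then
        echo "Tomcat running as root, PID(s): $pids" >&2
        return 1
    fi
    return 0
}

# Live use: ps -eo euid=,pid=,args= | check_tomcat_not_root
printf '%s\n' "$SAMPLE_PS" | find_root_tomcat   # prints 412
```
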
