Hi,

I've contacted security@suse.de twice with this topic - no reply.

Having detected that the default implementation of tomcat (Java servlet container and webserver) is started as root and doesn't change its identity, I'm quite alarmed. Thought everybody running tomcat should know this - especially when you allow foreign code (servlets) to be executed on your server.

I believe it'd be better to change the startup script to use "sudo" to run as some other user (wwwrun?).

Hopefully somebody at SuSE will react to this posting and change this default behaviour in the next version or security update.

Regards,
Olaf

--
abstrakt gmbh
Behringstrasse 16b
22765 Hamburg
Tel: +49-40-39804630
Fax: +49-40-39804639
http://www.abstrakt.de/
We have moved. Please note the new address + telephone number.
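
A way to check a host for the condition described in the message above, as an added example that is not part of the original post: it scans a process listing for Tomcat JVMs running as root. The function names, the sample listing (constructed) and the use of the Tomcat bootstrap class names as markers are assumptions of this example.

```shell
#!/bin/sh
# Audit a process listing for Tomcat JVMs that run as root.
# Expected input on stdin: one process per line, "USER PID ARGS...",
# e.g. from:  ps -e -o user= -o pid= -o args=

# Print "PID USER" for every Tomcat JVM in the listing that runs as root.
find_root_tomcat() {
    awk '
        # Assumed markers: the bootstrap classes of Tomcat 3.x and of Catalina.
        # The escaped dots also keep this awk process from matching itself
        # when the listing comes from a live ps.
        /org\.apache\.tomcat\.startup\.Tomcat|org\.apache\.catalina\.startup\.Bootstrap/ {
            if ($1 == "root" || $1 == "0") print $2, $1
        }
    '
}

# Report findings; exit status 1 if any Tomcat JVM runs as root, else 0.
audit() {
    hits=$(find_root_tomcat)
    if [ -n "$hits" ]; then
        echo "$hits" | while read -r pid user; do
            echo "FAIL: Tomcat JVM pid $pid runs as $user"
        done
        return 1
    fi
    echo "OK: no Tomcat JVM running as root"
    return 0
}

# Constructed sample listing (paths and PIDs are made up for illustration).
sample_listing() {
    cat <<'EOF'
root      412 /usr/sbin/sshd
root      731 /usr/lib/java/bin/java -Dtomcat.home=/opt/jakarta/tomcat org.apache.tomcat.startup.Tomcat
wwwrun    802 /usr/sbin/httpd -f /etc/httpd/httpd.conf
wwwrun    915 /usr/lib/java/bin/java -classpath /opt/tomcat/bin/bootstrap.jar org.apache.catalina.startup.Bootstrap start
EOF
}

# Demo on the constructed listing; on a real host use:
#   ps -e -o user= -o pid= -o args= | audit
sample_listing | audit || true
```
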