On 2001/11/30 22:28
> >>>>> "Adam" == Adam Heath <[EMAIL PROTECTED]> writes:
> 
> >>>>> "Stefan" == Stefan Gybas wrote:
> Stefan> Fine, and the Debian package uses the same user as Apache
> Stefan> (default: www-data), also for security reasons :)
> 
> Adam> I consider that a bug, and should probably file one. tomcat
> Adam> should not run as the same user as apache, for security reasons.
> 
> It's an option - see /etc/defaults/tomcat
> 
> And out of curiosity: how does that count as a security risk?
Not really a security risk, as it does not open new holes, but running both with the 
same UIDs means they've got the same permissions on the system. In most cases, the 
work they do will be very different, e.g. Tomcat as backend, which has access to 
everything and listens only to localhost, and Apache (cgi/php, whatever) as frontend for 
the service. Someone gets a shell using an Apache security hole - and also has full 
access to the backend because it's the same user.

Maybe paranoid, but these small things are part of the concept which makes unix 
superior to windows. Just think of all the windows NT machines that have IIS running as 
root ;)

Regards,
Max
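Added example, not part of the thread above: a small audit script for the situation Max describes, i.e. two different daemons (here Apache and Tomcat) running under one account and therefore sharing every file and socket permission that account has. It parses a `USER PID COMMAND` listing of the kind `ps -eo user,pid,comm --no-headers` produces; the listing embedded below is constructed for the demonstration, and the function name `shared_account_services` is my own.

```shell
#!/bin/sh
# Constructed sample of `ps -eo user,pid,comm --no-headers` output: one
# Tomcat (java) instance was started as www-data, like the Apache workers,
# while a second one runs under its own tomcat4 account.
SAMPLE_PS='root 1 init
www-data 812 apache
www-data 813 apache
www-data 901 java
tomcat4 950 java
postgres 1001 postmaster'

# Print "USER: CMD CMD ..." for every account that runs more than one distinct
# command. Such accounts are worth a second look: if one of those daemons is
# compromised, the attacker inherits the other daemon's permissions as well,
# because the kernel only knows the UID, not which program is asking.
shared_account_services() {
    printf '%s\n' "$1" | awk '
        {
            # remember each (user, command) pair only once, ignoring PIDs
            key = $1 SUBSEP $3
            if (!(key in seen)) {
                seen[key] = 1
                cmds[$1] = cmds[$1] " " $3
                count[$1]++
            }
        }
        END {
            for (u in count)
                if (count[u] > 1)
                    print u ":" cmds[u]
        }' | sort
}

# Run against the constructed sample; on a live Debian box you would use
# shared_account_services "$(ps -eo user,pid,comm --no-headers)" instead.
shared_account_services "$SAMPLE_PS"
```

On the sample this prints `www-data: apache java`; the tomcat4 instance is not reported because no other command runs under that account. The check is deliberately coarse (it keys on account name, not on file ownership), so a reported line is a prompt to confirm the split in `/etc/default/tomcat` and the Apache configuration rather than a finding by itself.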