Quoting Martin van den Bemt <[EMAIL PROTECTED]>:

> point taken about the root thing..
> I took back my words on that it safe to run as root (as quoted in my
> mail to Pier).

Cool. As I said, I hadn't really read the thread. I wasn't singling you out, I 
just wanted to make a definitive comment for the benefit of anyone listening. 
A lot of people don't run Linux :-( ... so I was mainly giving a 
reasonable "party line" for the benefit of anyone who might be listening.

> But the message I was trying to give was : who are we to tell people not
> to run as root as the default tomcat installation already is hackable in
> 5 minutes?? (at least by Pier..).

Actually, the more vulnerable you find Tomcat, the more you should be 
SCREAMING for people not to run it as root. If a properly-running Tomcat has a 
vulnerability, that's one thing. At least an attacker only has the same 
privileges as Tomcat, and he/she will have to find some other way to get root. 
If Tomcat can be had AND it is running as root ... time to bend over and grab 
your ankles ;-)

Your larger point is well-taken, though. You're certainly not going to get ANY 
arguments from me on adding as much security-related info to the docs as we can 
possibly cram in there. :)

> Let's first get that thing ok and send a security advisory or something???
> Pier gave a good tip that he could write one in 5 minutes, so other people
> are bound to try that.. A message like :
> 
> The default installation of tomcat needs to be adjusted when using the
> ajp protocol, so it only accepts connections from the 127.0.0.1 address.
> You must edit the entries <blah><blah> and add the address="127.0.0.1".

Actually, one could be running Tomcat on a different box than Apache, so the 
exact message would need to read something like "be sure to set the ajp 
protocol to only accept connections from the IP address of your HTTP server."

Dunno about a security advisory. Tomcat standalone is my particular specialty, 
so I can't really speak to the possible extent of an Apache+Tomcat problem.

> Also some things you have to keep in mind when setting up ANY
> software, which also includes tomcat :
> 
> - don't run as root
> - apply patches to your webserver

Sounds good to me.

> - watch webdav modules if you run as root

No, no, no ... don't even give them the IDEA of running it as root. =)

> - etc,etc,etc,..
>
> Let's get this done before someone finishes that little program...
> Instead of waiting for the first problem and really be on the news..

Sounds good. I'm in favor of all of this, and I assume that since you are using 
terms like "let's get this done," we can expect to see your proposed doc 
shortly ;-)

Seriously, though, I would be willing to help you out on this. If you would 
like to submit a proposed "SECURITY.txt" doc, I will personally look it over 
and help out with any changes/additions for a final version. Include all of the 
stuff that you and Pier discovered, I'll have a go at anything I am aware of, 
then we'll let Craig work his editing/mark-up magic ;-)

> Please focus the reply on the server.xml issue instead of saying we
> don't need to run as root, we got the point a couple of threads back.. I want
> to hear about this issue, which we actually have CONTROL over!

Again, *you* have as much control as anyone when it comes to docs. I don't know 
the first thing about AJP, so I'm afraid I really can't help you out there, 
tough guy.

You are still writing things like, "who are we to tell people not to run as 
root as the default tomcat installation already is hackable in 5 minutes" 
(which is EXACTLY why you want to tell people NOT to run it as root), 
and "watch webdav modules if you run as root", so honestly I feel pretty 
justified in having continued the "Don't Run as Root" train of thought.

Anyway, it does no good to argue, since we all want the same thing. As I said, 
I wasn't singling you out, I just wanted to explain in more detail the precise 
reasons why it shouldn't be run as root, in case users should ever ask "Why?". 
Like I said before, I actually think it's cool that you even CARE enough about 
security to make a big deal out of it =)

> The worst thing that can happen is that my cat can even break into
> tomcat if someone made a nice ajp client...

Now I *know* that Gomez is on vacation (given the deafening silence) :)

Did you know that your average French worker gets 75% more vacation time at 
their job than the average American worker? I've heard that it's similar in 
most other European countries, as well. *sigh*

- Christopher

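The server.xml point raised in the thread (an AJP connector left at its default accepts connections from any host, and the fix is to bind it to the address of the HTTP server that should be talking to it) can be checked mechanically. The script below is an added example, not code from this thread or from the Tomcat project: it scans a server.xml for AJP connectors that are not bound to a trusted address and emits a hardened copy. It assumes a Tomcat 4-style `<Connector>` element carrying `className`, `port` and `address` attributes and the usual AJP port 8009; the embedded server.xml is constructed for the example.

```python
"""
Flag Tomcat AJP connectors that listen on all interfaces, and produce a copy
of server.xml with each of them bound to a single trusted address.

Added example for the thread above; not code from the Tomcat project.
Assumption: Tomcat 4-style <Connector className=... port=... address=...>
elements, with AJP identified by class name, protocol, or port 8009.
"""
import xml.etree.ElementTree as ET

# Constructed sample server.xml: an HTTP connector plus an AJP connector with
# no address attribute, i.e. the "listens on every interface" default.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Connector className="org.apache.catalina.connector.http.HttpConnector"
               port="8080" minProcessors="5" maxProcessors="75"/>
    <Connector className="org.apache.ajp.tomcat4.Ajp13Connector"
               port="8009" minProcessors="5" maxProcessors="75"/>
  </Service>
</Server>
"""

AJP_DEFAULT_PORT = "8009"  # assumed conventional AJP port


def is_ajp_connector(conn):
    """Heuristic: class name or protocol mentions AJP, or it sits on port 8009."""
    class_name = conn.get("className", "")
    protocol = conn.get("protocol", "")
    return ("Ajp" in class_name
            or "AJP" in protocol.upper()
            or conn.get("port") == AJP_DEFAULT_PORT)


def find_exposed_ajp(server_xml, trusted_addresses=("127.0.0.1",)):
    """Return (port, address) for each AJP connector not bound to a trusted address.

    A missing address attribute means "all interfaces", which is the weak
    default the thread complains about, so it is reported as None.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if not is_ajp_connector(conn):
            continue
        address = conn.get("address")
        if address not in trusted_addresses:
            findings.append((conn.get("port"), address))
    return findings


def harden(server_xml, address="127.0.0.1"):
    """Return server.xml with every AJP connector bound to `address`.

    Use the HTTP server's IP instead of 127.0.0.1 when Apache runs on
    another box, as the thread notes.
    """
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if is_ajp_connector(conn):
            conn.set("address", address)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for port, address in find_exposed_ajp(SAMPLE_SERVER_XML):
        print(f"AJP connector on port {port} bound to {address!r}: exposed")
    print(harden(SAMPLE_SERVER_XML))
```

Run it against a real server.xml by replacing `SAMPLE_SERVER_XML` with the file contents; pass `trusted_addresses=("<ip of your HTTP server>",)` and the same address to `harden` when Apache and Tomcat are on different hosts. The address attribute only narrows which interface the connector binds to, so on a multi-homed box you still want a packet filter in front of port 8009.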