Mark Castillo at [EMAIL PROTECTED] wrote:
> Hi all. I'm new to the list. Sorry if someone has already brought this up,
> but couldn't the code provide some native methods for changing the uid of
> the process after binding to the network ports (if they want to start as
> root, binding to a port < 1024)?
It's an experimental feature which is available in our CVS source tree...
You might want to check out the "service" directory in the
"jakarta-tomcat-4.0" CVS repository.
I was supposed to clean it up (see the "jakarta-tomcat-service" CVS
repository) this week, but I was caught by an emergency on some of our
servers, and I've been securing machines all week (can't tell you how many
times I ran Nessus this week, and used "chown" and "chmod" - darn, I'm
collapsing :)
> Then, the CGI executed would run as a non-root user. The Jigsaw webserver
> does this.
As I said, Tomcat (like any other server) should NEVER be run as root... The
only disadvantage is binding to port 80, and that's what the "service" code
is supposed to fix.
> Currently I'm reviewing the Tomcat sources for embedding a servlet engine in
> our application. The application is part of a distributed intrusion
> detection system, which needs some sort of web-based status/admin interface.
Cool, check out Tomcat 4.0's Embedded classes in the o.a.catalina.startup
package. It'll help.
> As for contributing to Tomcat, I'm not sure what needs to be done (bug
> fixing? testing? code review? refactoring?). I'm assuming that the TODO list
> is maintained in CVS? Is there any other software architecture documentation
> besides what's on the jakarta website and the sources?
Err... We don't have a TODO list... :) At least so far for 4.0 :) I'll try
to manage to do something for the WebApp module and the Service code.
Pier