On Sat, 18 Aug 2001, Mark Castillo wrote:
> Hi all. I'm new to the list. Sorry if someone has already brought this up,
> but couldn't the code provide some native methods for changing the uid of
> the process after binding to the network ports (if they want to start as
> root, binding to a port < 1024).
> Then, the CGI executed would run as a non-root user. The Jigsaw webserver
> does this.
>
This could certainly be done, at the cost of the native methods (of
course) being platform dependent. The current implementation runs CGI
scripts under the same username as Tomcat itself runs -- which should
*not* be root.
To deal with port < 1024, there is already functionality that lets Tomcat
start up as root and then switch to a non-privileged user (same as Apache
does in order to bind to port 80).
> Currently I'm reviewing the Tomcat sources for embedding a servlet engine in
> our application. The application is part of a distributed intrusion
> detection system, which needs some sort of web-based status/admin interface.
>
For embedding, you might want to look in particular at the
org.apache.catalina.startup.Embedded class. This lets you "roll your
own" Tomcat configuration without using server.xml, if it suits your needs
better. The J2EE reference implementation from Sun, for example, uses
this technique to configure its embedded Tomcat 4 instance.
At the bottom of this class is a main() method that you can use as an
example. It sets up an environment pretty similar to what the default
server.xml setup creates.
> As for my experience, I've been using Java since it first came out. As a
> software engineer I mainly work on concurrent, OO, server based
> applications, design patterns, refactoring, blah, blah.
>
> As for contributing to Tomcat, I'm not sure what needs to be done (bug
> fixing? testing? code review? refactoring?). I'm assuming that the TODO list
> is maintained in CVS? Is there any other software architecture documentation
> besides what's on the jakarta website and the sources?
>
All of the above, plus docs. What you see is pretty much all there is at
the moment, which is why I would add docs to your list. (The TODO itself
is a little out of date, I'll be updating it soon -- but don't let
something not on the TODO constrain you from suggesting something new).
The "rules and regulations" for contributing to Jakarta projects are on
the Jakarta web site, starting at:
http://jakarta.apache.org/site/getinvolved.html
Welcome!
Craig
>
>
>
> ----- Original Message -----
> From: "Christopher Cain" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Saturday, August 18, 2001 3:17 PM
> Subject: Re: CGI wrapper in Tomcat 4.0 b7
>
>
> > Quoting "Pier P. Fumagalli" <[EMAIL PROTECTED]>:
> >
> > > (BTW, wouldn't it be wise to disable CGI execution in the default
> > > configuration? I don't know, after hearing people running Tomcat as
> > > root, I feel we really should!)
> >
> > +1
>
>