Hi, Logo,

My current practice is as you suggest.
Thank you for your advice.

Yours truly,
Kazuhiko Kohmoto

On 2020/05/13 15:48, logo wrote:
Hi calder,


On 13.05.2020 at 04:59, calder <calder....@gmail.com> wrote:

On Tue, May 12, 2020, 21:48 kohmoto <kohm...@iris.eonet.ne.jp> wrote:

Hi, Calder,

Thank you for your prompt reply.
I think the Tomcat binary files all have root privileges.
Should these privileges be changed to user privileges?


Yes.
I would suggest leaving the binaries and maybe even config files to root or 
any other admin. So a hacked tomcat process under the tomcat user will not be able 
to exchange config or even binaries.
That will only work if the config will not be changed via host-manager or 
programmatically.

In the past we even held the installed webapps under a different user, but that 
may be difficult in automated deployments.

My 2cts.

Peter

There is a "Tomcat Security" guide at the Tomcat website.  Also, Mulesoft
has a good guide
https://www.mulesoft.com/tcat/tomcat-security


Yours truly,
Kazuhiko Kohmoto

On 2020/05/13 11:17, calder wrote:
If TC, running as root, is ever compromised, the compromising user
(attacker) can gain access to the whole of the system.  The attacker
could execute any arbitrary command available on the system.  They could
remove files, or install malicious software.



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
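The ownership split Peter describes (binaries and configuration owned by root, only the runtime directories owned by the service account) can be applied and checked with a short shell script. The script below is an added example and is not part of the thread or of Tomcat itself. It assumes the standard CATALINA_HOME layout (bin/ conf/ lib/ logs/ temp/ work/ webapps/); the service user and group name "tomcat" and the exact file modes are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the thread. Binaries, libraries and configuration end up
# owned by root and readable by the service account's group; the runtime directories
# are owned by the service account. Layout, user name and modes are assumptions.

# List files under bin/, conf/ and lib/ that group or others can write.
# Returns 1 if any exist (the service account could tamper with them), else 0.
tomcat_audit() {
    home="$1"
    found=$(find "$home/bin" "$home/conf" "$home/lib" -type f \
                 \( -perm -g+w -o -perm -o+w \) -print)
    if [ -n "$found" ]; then
        echo "writable by group/others under $home:" >&2
        printf '%s\n' "$found" >&2
        return 1
    fi
    return 0
}

# Reassign ownership (root only) and tighten modes.
# Usage: tomcat_lockdown /opt/tomcat tomcat tomcat && tomcat_audit /opt/tomcat
tomcat_lockdown() {
    home="$1"
    user="${2:-tomcat}"
    group="${3:-tomcat}"

    # Only root can change owners; run as a normal owner, only the modes are fixed.
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "root:$group" "$home"
        chown -R "$user:$group" "$home/logs" "$home/temp" "$home/work" "$home/webapps"
    fi

    # bin/, conf/, lib/: root writes, the service group reads, others get nothing.
    find "$home/bin" "$home/conf" "$home/lib" -type d -exec chmod 750 {} +
    find "$home/bin" "$home/conf" "$home/lib" -type f -exec chmod 640 {} +
    # Startup scripts must stay executable for the service account (group).
    find "$home/bin" -type f -name '*.sh' -exec chmod 750 {} +

    # logs/, temp/, work/, webapps/: the service account must be able to write here.
    # As Peter notes, webapps/ can stay root-owned instead if deployments are done
    # by an admin rather than via host-manager or programmatically.
    for d in logs temp work webapps; do
        if [ -d "$home/$d" ]; then
            chmod 750 "$home/$d"
        fi
    done
    return 0
}
```

Run `tomcat_lockdown` once as root after installation and `tomcat_audit` from a cron job or configuration-management check; a non-zero exit means something under bin/, conf/ or lib/ has become writable by the service account again, which is exactly the condition Peter's advice is meant to rule out.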
