Peter,

On 5/13/20 02:48, logo wrote:
> Hi calder,
>
>> On 13.05.2020 at 04:59, calder <calder....@gmail.com> wrote:
>>
>> On Tue, May 12, 2020, 21:48 kohmoto <kohm...@iris.eonet.ne.jp>
>> wrote:
>>
>>> Hi, Calder,
>>>
>>> Thank you for your prompt reply. I think Tomcat binary files
>>> all have root privileges. Should these privileges be
>>> changed to user privileges?
>>>
>>
>> Yes.
>
> I would suggest to leave the binaries and maybe even config files
> to root or any other admin. So a hacked tomcat process under tomcat
> user will not be able to exchange config or even binaries.

Yes! There really is no need for Tomcat to modify its own config files
or binaries.

> That will only work if the config will not be changed via
> host-manager or programmatically.

This shouldn't be too much of a problem. Not many people use the
host-manager.

> In the past we even held the installed webapps under a different
> user, but that may be difficult in automated deployments.

This is less important IMO. The owner of the files can be anybody...
just not the Tomcat user.

And, before anybody says "but.. but... Docker!" you should remember
that root in a Docker container often ends up having many more
privileges outside the container than you think it does/should.

-chris
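
One way to check the ownership rule discussed in this thread, as an added example that is not part of the original message or of Tomcat itself: a shell function that lists every path under the binary, library and configuration directories that the Tomcat run-as account could modify according to owner, group and mode bits. The function name, the default `bin lib conf` scope and the sample invocation are assumptions; ACLs and supplementary groups are not examined.

```shell
#!/bin/sh
# Added example (not from the thread): report paths the Tomcat run-as
# account can modify, judged only by owner, group and mode bits.
#
# Usage: tomcat_writable_paths CATALINA_HOME USER GROUP [SUBDIR...]
#   USER and GROUP may be names or numeric ids.
#   Hypothetical invocation: tomcat_writable_paths /opt/tomcat tomcat tomcat
#
# Empty output means nothing in scope is writable by that account.
# Limits: POSIX ACLs and supplementary groups are not considered.
tomcat_writable_paths() {
    home=$1 user=$2 group=$3
    shift 3
    # Default scope: binaries, libraries and configuration. Directories
    # Tomcat must write to (logs, temp, work) are left out on purpose.
    [ "$#" -gt 0 ] || set -- bin lib conf
    for sub in "$@"; do
        [ -d "$home/$sub" ] || continue
        # Directories are reported too: write access to a directory
        # allows replacing the files inside it. Symlinks are skipped
        # because their own mode bits carry no meaning.
        find "$home/$sub" ! -type l \( \
            \( -user "$user" -perm -200 \) -o \
            \( -group "$group" -perm -020 \) -o \
            -perm -002 \) -print
    done
}
```

Passing `webapps` as an extra SUBDIR argument extends the check to deployed applications, which the thread treats as less important than binaries and configuration.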