I think I can limit a few of the ROOT actions required. The servlet application needs to do things like mkfs, vgcfgrestore, vgchange, mount and umount.
On Tuesday 01 August 2006 13:46, Peter Crowther wrote:
> > From: Paul McMahon [mailto:[EMAIL PROTECTED]
> > Is it possible to run Tomcat as non ROOT,
> > but have a servlet that needs ROOT access?
>
> No.
>
> > Or is the solution to have the servlet application code
> > running as a separate
> > daemon outside tomcat, with some form of comms to tomcat
> > servlet when tasks need to be done?
>
> That would be my preference if I were implementing this. How much of
> your 'servlet application code' *actually* needs root access? Can you
> partition into a small piece that does, and most that doesn't?
> Minimising your attack surface in this way would probably be useful.
>
> Can you give us any more information about what you're doing that
> requires root? Does it *have* to require root, or can the requirement
> be reduced so that a non-root Tomcat can also do the same thing? In one
> sense this opens up an alternative hole; in another, depending on what
> you're doing, that may be better than allowing unrestricted root access
> to all tasks.
>
> - Peter
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]

--
-Paul McMahon
-01763 261 466 ext 569
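Added example, not part of the original thread or of Tomcat: a sketch of the request validation a small root helper daemon could apply before running any of the commands named above on behalf of a non-root Tomcat. The one-line request format, the operation names, the binary paths and the `/srv/volumes` mount base are all assumptions made for illustration.

```python
import re

# Assumed policy; every name and path here is hypothetical, adjust to your layout.
VG = r"[A-Za-z0-9_][A-Za-z0-9_.+-]{0,63}"   # VG/LV name, never starts with '-'
DEV = rf"/dev/{VG}/{VG}"                     # only /dev/<vg>/<lv> devices
MNT = r"/srv/volumes/[A-Za-z0-9_]{1,32}"     # fixed base directory, no '..'
FS = r"ext3|xfs"                             # filesystems the helper may create

# operation -> (one pattern per argument, fixed argv template).
# Absolute binary paths so the root process never consults PATH.
OPS = {
    "mkfs":      ([FS, DEV],  ["/sbin/mkfs", "-t", "{0}", "{1}"]),
    "vgrestore": ([VG],       ["/sbin/vgcfgrestore", "{0}"]),
    "vgon":      ([VG],       ["/sbin/vgchange", "-ay", "{0}"]),
    "vgoff":     ([VG],       ["/sbin/vgchange", "-an", "{0}"]),
    "mount":     ([DEV, MNT], ["/bin/mount", "{0}", "{1}"]),
    "umount":    ([MNT],      ["/bin/umount", "{0}"]),
}


class Rejected(ValueError):
    """Raised for any request the helper refuses to run."""


def build_argv(request_line: str) -> list[str]:
    """Turn one untrusted request line from the servlet into a fixed argv."""
    if len(request_line) > 256 or not request_line.isascii():
        raise Rejected("malformed request")
    op, *args = request_line.split(" ")
    if op not in OPS:
        raise Rejected(f"operation not allowed: {op!r}")
    patterns, template = OPS[op]
    if len(args) != len(patterns):
        raise Rejected("wrong argument count")
    for value, pattern in zip(args, patterns):
        # fullmatch: the whole argument must fit, so a trailing newline,
        # ';' or a leading '-' (option injection) is refused.
        if re.fullmatch(pattern, value) is None:
            raise Rejected(f"argument rejected: {value!r}")
    return [part.format(*args) for part in template]
```

The daemon would hand the returned list to `subprocess.run` without a shell, so the servlet side can only ever select one of the six templates and fill in validated names.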