Things like:
Change files in CATALINA_HOME/conf to be readonly (400)
...
Rename CATALINA_HOME/conf/server.xml to ...
won't work for dummies (due to missing rights) if they follow the
guide step by step.
You're right, the ordering is perhaps a little confusing. The
article is not aimed specifically at people who are new to sysadmin
work, rather those who are new to (or just in doubt of how to secure)
tomcat. I'd hope these people would realise they have to make a file
writable before they try to edit it.
Anyway: AFAIR (can't reach owasp.org atm) the article mentions putting httpd
in front of Tomcat as one means among others to work around the fact that on
Unix-like systems Tomcat alone can't bind to port 80 if running under a
restricted account.
I think the 'running on port 80' section needs some rewording as I'm
not advocating that putting IIS or Apache in front of your Tomcat
installation will make it any more secure. As a sysadmin you may be
asked to serve Tomcat based pages on port 80, so it is presenting the
options without bias towards any of them. Perhaps I need to add some
bias, from a security perspective, to prevent misunderstanding ...
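The ordering problem raised at the top of the thread (lock conf down to 0400, then try to edit server.xml) is easy to see in a shell. The script below is an added example, not text from the OWASP article or from anyone in this thread: it builds a throwaway CATALINA_HOME with constructed sample files, applies the "read-only conf" step, checks it, and then shows the unlock/edit/re-lock workflow the article assumes its readers will work out for themselves. The paths, the sample XML contents and the specific edit it makes (disabling the shutdown port) are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the article or the thread): harden
# CATALINA_HOME/conf to mode 0400 and edit a locked file safely.
# CATALINA_HOME defaults to a scratch directory so this runs anywhere.
CATALINA_HOME="${CATALINA_HOME:-$(mktemp -d)}"

# Octal mode of a file: GNU stat first, BSD/macOS stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Constructed sample config (assumption of this example) so the script
# is self-contained. Recreated from scratch on every call.
setup_sample_conf() {
    rm -rf "$CATALINA_HOME/conf"
    mkdir -p "$CATALINA_HOME/conf"
    printf '<Server port="8005" shutdown="SHUTDOWN"></Server>\n' \
        > "$CATALINA_HOME/conf/server.xml"
    printf '<tomcat-users></tomcat-users>\n' \
        > "$CATALINA_HOME/conf/tomcat-users.xml"
}

# The article's step: every file under conf becomes read-only (0400).
harden_conf() {
    find "$CATALINA_HOME/conf" -type f -exec chmod 400 {} +
}

# Returns 0 only if every file under conf is exactly mode 400.
check_conf_readonly() {
    for f in "$CATALINA_HOME/conf"/*; do
        [ "$(file_mode "$f")" = "400" ] || return 1
    done
    return 0
}

# Reports whether the current user may write the file. Note that root
# bypasses these permission bits, so this only "fails" for the
# restricted account Tomcat should actually run under.
can_write() {
    [ -w "$1" ]
}

# The workflow the thread says the guide leaves implicit: make the file
# writable, apply the edit, and put 0400 back whether or not it worked.
# $1 is the file; the remaining arguments are the edit command.
edit_locked_file() {
    f="$1"; shift
    chmod u+w "$f" || return 1
    if "$@" "$f"; then rc=0; else rc=$?; fi
    chmod 400 "$f"
    return $rc
}

# Example edit (this example's choice): disable Tomcat's shutdown port.
# Written via a temp file and cat so the target keeps its inode and mode.
set_shutdown_port_disabled() {
    sed 's/port="8005"/port="-1"/' "$1" > "$1.tmp" && cat "$1.tmp" > "$1"
    rc=$?
    rm -f "$1.tmp"
    return $rc
}

demo() {
    setup_sample_conf
    harden_conf
    check_conf_readonly && echo "conf is read-only (0400)"
    if can_write "$CATALINA_HOME/conf/server.xml"; then
        echo "server.xml writable (you are probably root)"
    else
        echo "server.xml not writable: editing it directly would fail"
    fi
    edit_locked_file "$CATALINA_HOME/conf/server.xml" set_shutdown_port_disabled
    grep -q 'port="-1"' "$CATALINA_HOME/conf/server.xml" && echo "edit applied"
    check_conf_readonly && echo "conf re-locked to 0400"
}

demo
```

Run it as the account that owns the Tomcat tree, not as root: root ignores the 0400 bits, which is exactly why the ordering only bites the restricted account the article tells you to use.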
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]