Luca,

On 6/23/2010 3:18 AM, Luca Gervasi wrote:
> Hi guys, thanks for answering me.
>
> Tomcat uses a low privilege user and the system-wide permissions are
> thus enforced by OS but... I can still read all the instance-wide files
> (tomcat-users.xml, server.xml and any other 644 file).
>
> I'm starting to read about SecurityManager, but I think that this should
> be the answer I was looking for :)

If you don't trust your webapps, your options are as previously stated: SecurityManager and/or chroot jail for Tomcat/JVM. Using a chroot jail won't prevent hostile/untrustworthy webapps from reading server.xml, etc., so the SecurityManager is really the way to go.

-chris