Can someone explain to me why logging as the tomcat user is a security risk?
I don't like that behaviour but then again I don't understand it.
Regards,
Wesley Acheson
On Wed, Dec 1, 2010 at 6:41 PM, Mladen Turk <mt...@apache.org> wrote:
> On 12/01/2010 11:55 AM, Gregor Schneider wrote:
>>>
>> Sure, since Apache is usually started within root-context ("sbin") -
>> so that does make sense.
>>
>
> Right but it drops the user to apache if instructed to do so.
> Even then logs are root owned, and this is security
> precaution (like with jsvc)
>
>>
>> And if you take a look into /var/logs, you can see exactly, that the
>> logs inside this directory partly don't belong to root as long as they
>> are not run within a root-context.
>>
>> A good example ist mysql:
>>
>
> This is not good example. mysql doesn't need to run
> on privileged port, and if your tomcat doesn't need to
> run on port 80, and you don't wish to secure your
> installation why using jsvc at the first place?
>
>
> Regards
> --
> ^TM
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
