[csw-users] Tomcat 5 Running as Root

James Lee james at blastwave.org
Wed Oct 5 15:37:34 CEST 2005


On 04/10/05, 05:10:24, Eric Enright <eric.enright at gmail.com> wrote
regarding [csw-users] Tomcat 5 Running as Root:

> Is there any reason why Tomcat 5 runs as root?

Because root starts the /etc/rc?.d/ scripts and nothing changes the
user.  This is normal for Tomcat but I think wrong.

You have to run as root to open the privileged ports (< 1024). The
normal workaround is to use higher ports (8080) and somehow map to
80.

Tomcat can't change user because Java can't setuid.  This can be done
during start up by invoking with su.


> I was able to display my
> /etc/shadow through a servlet of mine that did not screen for "../".

You can code most things in a servlet so you are right to not want
them run as root.


> Through
> some minor twiddling I have it running as nobody now, with no ill-effect.

Make sure the logs have permission.  Once set, running as nobody should
not be a problem.  Put your own work and logs outside /opt/csw.


Note that CSWjetty5 (the Jetty Java HTTP Server and Servlet Container)
will start as nobody or you can set the user with the env var JETTY_USER.
Tomcat could do the same.  Please make a request for change to CSWtomcat5
via:
    http://www.blastwave.org/bugtrack/





James.
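
The start-up approach described in the message above (root runs the rc script, which switches user with su, taking the account from an environment variable as CSWjetty5 does with JETTY_USER), as an added example that is not part of the original message or of any CSW package. TOMCAT_USER, TOMCAT_LOGS and the CATALINA_HOME placeholder path are assumptions, and the log check uses directory ownership as one way to confirm the logs "have permission".

```shell
#!/bin/sh
# Added example (POSIX sh): rc-script logic to start Tomcat as an unprivileged user.
# TOMCAT_USER, TOMCAT_LOGS and the CATALINA_HOME default are assumptions,
# not settings of the CSWtomcat5 package.
CATALINA_HOME="${CATALINA_HOME:-/path/to/tomcat5}"    # placeholder path
TOMCAT_USER="${TOMCAT_USER:-nobody}"
TOMCAT_LOGS="${TOMCAT_LOGS:-$CATALINA_HOME/logs}"

# Print the account to run as; fail if it is unknown or maps to uid 0.
resolve_user() {
    user="${1:-nobody}"
    uid=$(id -u "$user" 2>/dev/null) || { echo "unknown user: $user" >&2; return 1; }
    [ "$uid" -ne 0 ] || { echo "refusing to run as uid 0 ($user)" >&2; return 1; }
    echo "$user"
}

# Print the numeric owner of a directory (used to check the log directory).
owner_uid() {
    ls -ldn "$1" | awk '{print $3}'
}

# Decide how to launch. $1 = uid of the caller, $2 = uid of the target user.
start_mode() {
    if [ "$1" -eq 0 ]; then
        echo su          # started by root from /etc/rc?.d: switch user first
    elif [ "$1" -eq "$2" ]; then
        echo direct      # already running as the target user
    else
        echo "uid $1 cannot switch to uid $2" >&2
        return 1
    fi
}

case "${1:-}" in
start)
    run_as=$(resolve_user "$TOMCAT_USER") || exit 1
    target=$(id -u "$run_as")
    [ "$(owner_uid "$TOMCAT_LOGS")" = "$target" ] ||
        { echo "$TOMCAT_LOGS is not owned by $run_as" >&2; exit 1; }
    case $(start_mode "$(id -u)" "$target") in
        su)     exec su "$run_as" -c "exec '$CATALINA_HOME/bin/catalina.sh' start" ;;
        direct) exec "$CATALINA_HOME/bin/catalina.sh" start ;;
        *)      exit 1 ;;
    esac
    ;;
esac
```

Because the process no longer holds root, the connector has to listen on a high port such as 8080, as the message notes.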


