From owner-freebsd-java@FreeBSD.ORG  Mon May 26 08:08:08 2003
Return-Path: <owner-freebsd-java@FreeBSD.ORG>
Delivered-To: freebsd-java@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id C45CE37B401
	for <freebsd-java@freebsd.org>; Mon, 26 May 2003 08:08:08 -0700 (PDT)
Received: from yello.shallow.net (yello.shallow.net [203.18.243.120])
	by mx1.FreeBSD.org (Postfix) with ESMTP id C8CB043F93
	for <freebsd-java@freebsd.org>; Mon, 26 May 2003 08:08:07 -0700 (PDT)
	(envelope-from joshua@shallow.net)
Received: by yello.shallow.net (Postfix, from userid 1001)
	id 80CEF29B9; Tue, 27 May 2003 01:08:06 +1000 (EST)
Date: Tue, 27 May 2003 01:08:06 +1000
From: Joshua Goodall <joshua@roughtrade.net>
To: Roberto Nunnari <nunnari@die.supsi.ch>
Message-ID: <20030526150806.GA538@roughtrade.net>
References: <3ED20627.6090308@die.supsi.ch>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <3ED20627.6090308@die.supsi.ch>
User-Agent: Mutt/1.5.3i
cc: freebsd-java@freebsd.org
Subject: Re: tomcat on port 80 as user www:ww
X-BeenThere: freebsd-java@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Porting Java to FreeBSD <freebsd-java.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-java>,
	<mailto:freebsd-java-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-java>
List-Post: <mailto:freebsd-java@freebsd.org>
List-Help: <mailto:freebsd-java-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-java>,
	<mailto:freebsd-java-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 26 May 2003 15:08:09 -0000

On Mon, May 26, 2003 at 02:18:47PM +0200, Roberto Nunnari wrote:
> What about running jakarta-tomcat4.1 as user www:www on port 80?
> I don't need apache, so I run tomcat on port 80, but I can only
> run it as root...
> 
> Any known security issues with running jakarta-tomcat4.1 as user root?

Let me rephrase that for you.

"Any known security issues with running {APPLICATION} as user root?"

The answer is always yes.  Anyone telling you otherwise is not fit
to manage a server.  Well-written daemons that listen on privileged
ports change their uid as soon as possible.

Instead, I recommend investigating the possibilities of natd & divert
sockets.

Regards,
Joshua.
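The redirect Joshua recommends, written out as an added example (not code from this mail or the FreeBSD project): Tomcat keeps listening on an unprivileged port as user www, and an ipfw divert rule hands inbound packets on the external interface to natd, whose redirect_port rewrites destination port 80 to Tomcat's port. The interface name fxp0, the server address 192.0.2.10 and Tomcat's port 8080 are placeholders to adjust; the natd.conf and ipfw syntax follow natd(8) and ipfw(8). The last function is a check a practitioner would run afterwards: it reads sockstat -4 -l output and reports any root-owned listener, here over a constructed sample.

```shell
#!/bin/sh
# Added example: Tomcat as www on 8080, port 80 redirected by natd/ipfw.
# Placeholders (assumptions, override via environment): fxp0, 192.0.2.10, 8080.
IFACE="${IFACE:-fxp0}"
SERVER_IP="${SERVER_IP:-192.0.2.10}"
TOMCAT_PORT="${TOMCAT_PORT:-8080}"

# /etc/natd.conf: rewrite inbound TCP port 80 on the alias address to Tomcat's port.
natd_conf() {
    printf 'interface %s\nredirect_port tcp %s:%s 80\n' \
        "$IFACE" "$SERVER_IP" "$TOMCAT_PORT"
}

# ipfw rule that diverts traffic on the external interface to natd
# (divert port name "natd" comes from /etc/services). Added explicitly here;
# some stock rc.firewall types add an equivalent rule when natd_enable is set.
ipfw_rules() {
    printf 'ipfw add 50 divert natd ip from any to any via %s\n' "$IFACE"
}

# /etc/rc.conf additions so the firewall and natd come up at boot.
rc_conf() {
    cat <<EOF
firewall_enable="YES"
firewall_type="open"
natd_enable="YES"
natd_interface="$IFACE"
natd_flags="-f /etc/natd.conf"
EOF
}

# Verification: feed 'sockstat -4 -l' output on stdin; prints command and
# local address of every listener owned by root. Empty output is the goal
# for Tomcat (only daemons that genuinely need root, e.g. sshd, should show).
root_listeners() {
    awk 'NR > 1 && $1 == "root" { print $2, $6 }'
}

# Constructed sample in sockstat(1) column layout: Tomcat (java) as www on
# 8080, sshd as root on 22.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      java       1234  12 tcp4   *:8080                *:*
root     sshd       512   4  tcp4   *:22                  *:*'

# Number of root-owned listeners in the sample (expected: 1, sshd).
sample_root_count() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | root_listeners | wc -l | tr -d ' '
}

# Apply only on a FreeBSD host with ipfw, as root, and only when asked;
# otherwise show what would be written.
if [ "${APPLY:-no}" = "yes" ] && [ "$(id -u)" -eq 0 ] \
    && command -v ipfw >/dev/null 2>&1; then
    natd_conf > /etc/natd.conf
    ipfw_rules | sh
else
    echo "# /etc/natd.conf";      natd_conf
    echo "# /etc/rc.conf additions"; rc_conf
    echo "# ipfw rule";            ipfw_rules
    echo "# root-owned listeners in sample:"
    printf '%s\n' "$SAMPLE_SOCKSTAT" | root_listeners
fi
```

Tomcat itself is started as www with its HTTP connector on 8080 (the port from server.xml), never on 80; after a reboot, `sockstat -4 -l | sh -c 'awk "NR>1 && \$1==\"root\""'` or the root_listeners function above should show no java process.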