You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by bh...@ThoughtWorks.com on 2001/01/06 00:47:30 UTC
Tomcat can be shutdown by ANYONE.
I have tried to run Tomcat 3.2.1 as nobody then on another shell login as
my id ( eg barrow ), and run TOMCAT_HOME/bin/shutdown.sh. I can
successfully bring tomcat.
I also tried to run Tomcat 3.2.1 as root and I can also shutdown Tomcat
3.2.1 as my id ( eg. barrow ).
Unless I did my configuration wrong; otherwise, anyone who have access to
my Linux box will be above to shutdown Tomcat without any notice..
PS: my id - bhkwan, doesn't have super user privilege. It is just a regular
user account.
RE: Tomcat can be shutdown by ANYONE.
Posted by Paulo Gaspar <pa...@krankikom.de>.
AFAIK from answers to similar postings, a Tomcat server accepts as valid
any shutdown request coming from the same machine where it is running.
Remember that the shutdown request is just another request sent trough
sockets. All the server can check is the address it came from.
I think (you should check) that this request is sent to the AJP port
(8007). So, if you use Tomcat standalone, maybe you can just disable
this port by commenting out the AJP12 connector tags in
tomcat/conf/server.xml
But then, even if this works, you will not be able to gracefully
terminate Tomcat anymore - you will always have to kill it (or "break
it").
Have fun,
Paulo Gaspar
> -----Original Message-----
> From: bhkwan@ThoughtWorks.com [mailto:bhkwan@ThoughtWorks.com]
> Sent: Saturday, January 06, 2001 00:48
> To: tomcat-dev@jakarta.apache.org
> Subject: Tomcat can be shutdown by ANYONE.
>
>
> I have tried to run Tomcat 3.2.1 as nobody then on another shell login as
> my id ( eg barrow ), and run TOMCAT_HOME/bin/shutdown.sh. I can
> successfully bring tomcat.
>
> I also tried to run Tomcat 3.2.1 as root and I can also shutdown Tomcat
> 3.2.1 as my id ( eg. barrow ).
>
> Unless I did my configuration wrong; otherwise, anyone who have access to
> my Linux box will be above to shutdown Tomcat without any notice..
>
> PS: my id - bhkwan, doesn't have super user privilege. It is just
> a regular
> user account.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> For additional commands, email: tomcat-dev-help@jakarta.apache.org
>
Re: Tomcat can be shutdown by ANYONE.
Posted by Nick Bauman <ni...@cortexity.com>.
On Fri, 5 Jan 2001, Jon Stevens wrote:
> on 1/5/2001 7:00 PM, "Nick Bauman" <ni...@cortexity.com> wrote:
>
> > Permissions 500 and ownership as nobody on the shutdown script should do
> > it. In an rc script you can change ownshership before booting the server
> > like so:
> >
> > echo "/usr/local/jakarta-tomcat-3.2/bin/startup.sh &" | su nobody
> >
> > Works dandy over here.
>
> So, what prevents someone from executing their own copy of the shutdown
> script?
Nothing! =)
>
> -jon
>
>
--
Nicolaus Bauman
Software Engineer
Simplexity Systems
Re: Tomcat can be shutdown by ANYONE.
Posted by Jon Stevens <jo...@latchkey.com>.
on 1/5/2001 7:00 PM, "Nick Bauman" <ni...@cortexity.com> wrote:
> Permissions 500 and ownership as nobody on the shutdown script should do
> it. In an rc script you can change ownshership before booting the server
> like so:
>
> echo "/usr/local/jakarta-tomcat-3.2/bin/startup.sh &" | su nobody
>
> Works dandy over here.
So, what prevents someone from executing their own copy of the shutdown
script?
-jon
--
Honk if you love peace and quiet.
Re: Tomcat can be shutdown by ANYONE.
Posted by Nick Bauman <ni...@cortexity.com>.
Permissions 500 and ownership as nobody on the shutdown script should do
it. In an rc script you can change ownshership before booting the server
like so:
echo "/usr/local/jakarta-tomcat-3.2/bin/startup.sh &" | su nobody
Works dandy over here.
On Fri, 5 Jan 2001 bhkwan@ThoughtWorks.com wrote:
> I have tried to run Tomcat 3.2.1 as nobody then on another shell login as
> my id ( eg barrow ), and run TOMCAT_HOME/bin/shutdown.sh. I can
> successfully bring tomcat.
>
> I also tried to run Tomcat 3.2.1 as root and I can also shutdown Tomcat
> 3.2.1 as my id ( eg. barrow ).
>
> Unless I did my configuration wrong; otherwise, anyone who have access to
> my Linux box will be above to shutdown Tomcat without any notice..
>
> PS: my id - bhkwan, doesn't have super user privilege. It is just a regular
> user account.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> For additional commands, email: tomcat-dev-help@jakarta.apache.org
>
--
Nicolaus Bauman
Software Engineer
Simplexity Systems