Date: Sat, 30 Jul 2005 10:37:55 +0100 (BST) From: Jan Grant <Jan.Grant@bristol.ac.uk> To: Herve Quiroz <herve.quiroz@esil.univ-mrs.fr> Cc: freebsd-java@freebsd.org Subject: Re: Tomcat 5.5 --- tomcat55ctl --- increase max vm heap space ? Message-ID: <Pine.GSO.4.62.0507301032250.27521@mail.ilrt.bris.ac.uk> In-Reply-To: <20050729132848.GA96141@arabica.esil.univ-mrs.fr> References: <88B5DDE8C1A06741B754B910DE2DEFBB49AA2A@HERMES.swistgroup.com> <Pine.LNX.4.44.0507201730530.32505-100000@matrix.gatewaynet.com> <20050725212138.GA13849@arabica.esil.univ-mrs.fr> <20050726192511.GD56293@osiris.chen.org.nz> <20050729132848.GA96141@arabica.esil.univ-mrs.fr>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, 29 Jul 2005, Herve Quiroz wrote:
> This leaves us with the following choice: should we enforce strong
> security (i.e. PR 83434) and use ${name}_user from rcNG or should we
> allow the daemon to open port 80 (running the daemon as superuser)? I
> definitively believe we should go for security first. User can just set
> tomcat55_user=root when then need to.
As the submitter of that PR, let me say that I certainly agree with the
"security first" approach, and don't atually think it'll hugely impact
general tomcat use. Certainly my production tomcats sit on high ports
and get requests via AJP; there are also alternative cheap and effective
ways of getting traffic from port 80 to a high tomcat port (balance, pf
rdr) and for development on a workstation you generally don't need to be
running on "production" ports anyway.
> Either way, I don't see any more reason to use daemonctl.c, unless I
> missed (or misunderstood) some point here.
>
> The ports freeze is due to 1st of August, which leaves us with no much
> time to implement the chosen approach. IMHO, such change right before a
> release is no good anyway. OTOH, I think we should settle this issue
> once and for all so that I may commit the changes right when the freeze
> is over.
In a similar vein, we could also do with making sure that the "www"
users (or whatever tomcat is running as) doesn't wind up owning the PID
file if at all possible, unless any signals to the process are also
sent as that user.
--
jan grant, ILRT, University of Bristol. http://www.ilrt.bris.ac.uk/
Tel +44 (0)117 9287088 or 3317661 http://ioctl.org/jan/
Strive to live every day as though it was last Wednesday.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.GSO.4.62.0507301032250.27521>