In section 2.1 of "Tomcat: The Definitive Guide" 2nd edition, the authors write, "...we have not heard even a single reported incident where a machine's security was compromised because Tomcat was running as root."
Does anybody know if that claim still stands?
I am not aware of a case, but that doesn't mean it hasn't happened.
Running as root is discouraged because an attacker who manages to compromise a server will then have substantially increased ability to further attack the system.
The nature of the question indicates that a Unix-like system is in use, which also means that iptables or ipfw are likely to be available - making it possible, trivial even, to run Tomcat on a port higher than 1024 under a dedicated user.
Using iptables:
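# REDIRECT, not DNAT to 127.0.0.1: the kernel drops packets from an external interface that are rewritten to a loopback address unless route_localnet is enabled
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080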
or ipfw (BSD / OS X):
ipfw add 100 fwd 127.0.0.1,8080 tcp from any to any 80 in
The jsvc (called tomcat-native in Tomcat 7.0) Unix daemon is shipped with each release; it starts as root but runs Tomcat under a specified user, which also makes it simple to place a service control script in /etc/init.d/.
Security and hardening aren't just a matter of protecting a single server - one compromised server inside a network can easily lead to more machines being attacked and compromised both inside an enterprise and outside.
When it's this easy to run Tomcat with its own user account, there's really no reason not to.
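A check for the setup described in the answer above, added here as an example and not part of the original post: it reads `ps` output and reports Tomcat processes that still run as root, while ignoring a jsvc controller that hands Tomcat to another account with -user. It assumes Tomcat is launched through its usual main class org.apache.catalina.startup.Bootstrap; the function names and the sample process list are constructed for illustration.

```shell
#!/bin/sh
# Added example: list PIDs of Tomcat processes that run as root.
# Input on stdin: one process per line as "user pid args...", e.g. from
#   ps -eo user=,pid=,args= | tomcat_root_pids
tomcat_root_pids() {
    awk '
    # Assumption: Tomcat is started through this main class (java or jsvc).
    index($0, "org.apache.catalina.startup.Bootstrap") == 0 { next }
    # Only root-owned processes are of interest (name or numeric uid).
    $1 != "root" && $1 != "0" { next }
    {
        # A jsvc controller stays root by design while its child runs as
        # the account named with -user. Skip it only when -user names a
        # non-root account; jsvc without -user is still reported.
        cmd = $3
        sub(/.*\//, "", cmd)
        if (cmd ~ /^jsvc/) {
            for (i = 4; i < NF; i++)
                if ($i == "-user" && $(i + 1) != "root" && $(i + 1) != "0")
                    next
        }
        print $2
    }'
}

# Constructed sample process list (not taken from a real host).
sample_ps() {
    cat <<'EOF'
root      812 /usr/bin/java -Dcatalina.base=/opt/tomcat org.apache.catalina.startup.Bootstrap start
tomcat    940 /usr/bin/java -Dcatalina.base=/opt/tomcat2 org.apache.catalina.startup.Bootstrap start
root     1201 jsvc.exec -user tomcat -cp bootstrap.jar org.apache.catalina.startup.Bootstrap
tomcat   1202 jsvc.exec -user tomcat -cp bootstrap.jar org.apache.catalina.startup.Bootstrap
root     1300 /usr/sbin/sshd -D
root     1400 jsvc.exec -cp bootstrap.jar org.apache.catalina.startup.Bootstrap
EOF
}

# Run against the sample: reports the plain java process started as root
# and the jsvc instance that was started without -user.
sample_ps | tomcat_root_pids
```

Any PID reported on a live host is a Tomcat instance that should be moved to a dedicated account.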