1 Reply Latest reply on Feb 14, 2012 10:47 AM by Wolf-Dieter Fink

    Jboss installation and security

    Kevin Ogilvie Newbie

      Hi

       

      First and foremost, I am new to this group and wish everyone a big hello

       

      I have just started dealing with the jboss administrators in my company and had a chance to look at their production jboss installation.

       

      I was suprised that they have installed the jboss application as root, thus all the files are owned as root but they are running the server as jboss/jboss.

      When I questioned why the installation files were not owned by jboss they told me this was against general java security policies.

       

      Now I'm no spring chicken, I've been working with Java for at least 15 years and I was always under the impression that running server applications as root was like opening pandoras box.

      I have searched the web for further advise on security around the installation of server instances but found very little.

       

      Is it correct to run a jboss application with all files owned by root?

       

      Can anyone point me to any information that would confirm or deny that this is the correct way of running a production system

       

      Any help would be gratefully received

       

      regards

       

      Kevin

        • 1. Re: Jboss installation and security
          Wolf-Dieter Fink Master

          I never run a JBoss installation installed as root.

          It is a Java based server and I see no reason for that.

          I alway install (unpack) and run the JBoss under a specific user. Often you do not have the root permission in a productive environment.

          I'm not sure whether there are security leaks without applications, but a deployed application might damage the system if the process is with root access.

           

          I'm not sure but I think you won't find such an installation document. But also there is no documentation that say you have to install with root access