Summary: | warn if not deployed with umask "0077" or if deployed as "root" and provide tutorial URL "Secure deployment" | | |
---|---|---|---|
Product: | Tomcat 4 | Reporter: | Ralf Hauser <hauser> |
Component: | Catalina | Assignee: | Tomcat Developers Mailing List <dev> |
Status: | RESOLVED FIXED | | |
Severity: | enhancement | CC: | netshark |
Priority: | P3 | | |
Version: | 4.1.24 | | |
Target Milestone: | --- | | |
Hardware: | Other | | |
OS: | other | | |
URL: | http://jakarta.apache.org/tomcat/tomcat-4.1-doc/config/host.html#Automatic%20Application%20Deployment | | |
Attachments: | Proposed patch for Tomcat 7 | | |
Description
Ralf Hauser
2003-08-14 07:28:19 UTC
Can't say that I agree. I would never dream of running my tomcat processes as root, nor would I be logged in and manage them as root (tip: sudo). And I would assume the files created by tomcat are using the umask of the tomcat process; didn't even think you could set them from inside Java, but then I might not be up to date with the latest cool API additions.

Ok, I might have misunderstood somebody such that I thought that tomcat only runs under root, which it obviously does not (I tested it now; and yes, even before this post, I did use sudo). In order to avoid novices like myself falling into these traps, I suggest the following 3 enhancements:

1) warn if tomcat sees itself running as "root" and print a tutorial URL into catalina.out
2) warn if tomcat sees its umask as being other than ***7 (i.e. if its output is world-readable) and print the same tutorial URL
3) create the tutorial page on how to deploy securely (I am happy to be the first tester/contributor there!)

Re: how to set owners/permissions from inside Java --> a quick google search yielded the following (untested) results:
http://www.aoindustries.com/docs/aocode-public/com/aoindustries/io/unix/UnixFile.html
http://www.xenonsoft.demon.co.uk/products/javaunix/docs/api/javaunix/io/UnixFile.html

Former "Summary: deploy as 700 and additional attribute to be less restrictive"

Further safeguard ideas to achieve secure deployment out of the Java-oriented world (tomcat/ant) are described in http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22370 and http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22417 .

Both of these libraries work via native methods to achieve this. Ant does not use native methods.

The Tomcat 7 docs include a section on security considerations. I have expanded the OS section for 7.0.7 to cover file permissions, umask etc. I am still thinking about if/how to implement the user, umask etc. checks.

Created attachment 26519 [details]
Proposed patch for Tomcat 7

This patch adds a new listener that checks the user Tomcat is running as and the umask being used.

I have added the listener to 7.0.x and it will be included in 7.0.9 onwards. It has not been enabled by default as it may break current configurations such as IDE environments. It will be enabled by default in Tomcat 8.
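The two checks the bug asks for (refuse or warn on root, require a sufficiently restrictive umask) can be done before the JVM starts, which also sidesteps the reporter's question of reading the umask from Java. The script below is an added example written for this page; it is not Tomcat's code and not the patch attached to the bug. It is POSIX sh, the shell that catalina.sh runs in, so it can be sourced from a start script. The `TUTORIAL_URL` value and the `TOMCAT_MIN_UMASK` environment variable are my own choices, not names used by Tomcat or by this bug.

```shell
#!/bin/sh
# Added example, not Tomcat's code and not the patch attached to this bug:
# a start-up check in the spirit of the proposed listener. It warns when
# Tomcat would start as root or with a umask weaker than a required minimum,
# and prints a pointer to further reading. TUTORIAL_URL and TOMCAT_MIN_UMASK
# are this example's own names (assumptions), not Tomcat's.

TUTORIAL_URL="https://tomcat.apache.org/tomcat-7.0-doc/security-howto.html"

# check_user NAME
# Succeeds unless NAME is root. A webapp bug in a root Tomcat owns the host.
check_user() {
    [ "$1" != "root" ]
}

# is_octal STRING
# Succeeds if STRING is a non-empty string of octal digits.
is_octal() {
    case "$1" in
        "" | *[!0-7]*) return 1 ;;
    esac
    return 0
}

# umask_meets_minimum ACTUAL MINIMUM
# Both are octal umask strings ("0022", "077", ...). Succeeds if every
# permission bit cleared by MINIMUM is also cleared by ACTUAL, i.e. the
# actual mask is at least as restrictive. A minimum of 0007 means "nothing
# for other"; 0077 means "nothing for group or other" (what this bug asks for).
umask_meets_minimum() {
    is_octal "$1" && is_octal "$2" || return 1
    # A leading 0 makes the shell parse the constants as octal.
    [ $(( 0$1 & 0$2 )) -eq $(( 0$2 )) ]
}

# check_deployment USER UMASK MINIMUM
# Runs both checks, prints one warning per failure on stderr, and returns
# the number of failures (0 = safe to start).
check_deployment() {
    user=$1 actual=$2 minimum=$3 failures=0
    if ! check_user "$user"; then
        printf 'WARNING: Tomcat would run as root. See %s\n' "$TUTORIAL_URL" >&2
        failures=$((failures + 1))
    fi
    if ! umask_meets_minimum "$actual" "$minimum"; then
        printf 'WARNING: umask %s is weaker than the required %s; files Tomcat creates may be readable by other users. See %s\n' \
            "$actual" "$minimum" "$TUTORIAL_URL" >&2
        failures=$((failures + 1))
    fi
    return "$failures"
}

# Stand-alone use: check the current process, e.g. from the top of a
# start script. TOMCAT_MIN_UMASK (assumed name) overrides the required minimum.
check_deployment "$(id -un)" "$(umask)" "${TOMCAT_MIN_UMASK:-0007}" \
    || printf 'Fix the problems above before starting Tomcat.\n' >&2
```

The umask comparison is a bit test rather than a string comparison, so `0027` satisfies a minimum of `0007` while `0022` does not, and a minimum of `0077` (the value in this bug's summary) rejects anything that leaves group bits set. A umask cannot be read from inside the JVM, which is why an in-process listener has to be handed the value from the start script; doing the check in the shell avoids that hand-off entirely.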