The user managing web applications under Tomcat is often root. Typically root has "umask 755" and this makes sense for many tasks that have to be accomplished as root. However, web applications often contain passwords to access, for example, a database. Therefore, I suggest:
1) make sure that the permissions generated by the attributes autoDeploy and unpackWARs are 700
2) add a "permissions" attribute that allows one to i) use the default umask if it is set to "umask", ii) set any other octal umask value for this
Can't say that I agree. I would never dream of running my Tomcat processes as root, nor would I be logged in and manage them as root (tip: sudo). And I would assume the files created by Tomcat are using the umask of the Tomcat process; I didn't even think you could set them from inside Java, but then I might not be up to date with the latest cool API additions.
OK, I might have misunderstood somebody such that I thought that Tomcat only runs under root, which it obviously does not (I tested it now; and yes, even before this post, I did use sudo). In order to avoid novices like myself falling into these traps, I suggest the following 3 enhancements:
1) warn if Tomcat sees itself running as "root" and print a tutorial URL into catalina.out
2) warn if Tomcat sees its umask as being other than ***7 (i.e. if its output is world-readable) and print the same tutorial URL
3) create the tutorial page on how to deploy securely (I am happy to be the first tester/contributor there!)
Re: how to set owners/permissions from inside Java --> a quick Google search yielded the following (untested) results:
http://www.aoindustries.com/docs/aocode-public/com/aoindustries/io/unix/UnixFile.html
http://www.xenonsoft.demon.co.uk/products/javaunix/docs/api/javaunix/io/UnixFile.html
Former summary: "deploy as 700 and additional attribute to be less restrictive"
Further safeguard ideas to achieve secure deployment out of the Java-oriented world (Tomcat/Ant) are described in http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22370 and http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22417 .
Both of these libraries work via native methods to achieve this. Ant does not use native methods.
The Tomcat 7 docs include a section on security considerations. I have expanded the OS section for 7.0.7 to cover file permissions, umask etc. I am still thinking about if/how to implement the user, umask etc. checks.
Created attachment 26519: Proposed patch for Tomcat 7. This patch adds a new listener that checks the user Tomcat is running as and the umask being used.
I have added the listener to 7.0.x and it will be included in 7.0.9 onwards. It has not been enabled by default as it may break current configurations such as IDE environments. It will be enabled by default in Tomcat 8.
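The two conditions this thread turns on, the umask the Tomcat process runs with and whether unpacked webapp files end up world-readable, can be audited from outside the JVM as well. The following is an added example and not Tomcat's own listener code; the file names, modes and the list of "sensitive" extensions are constructed assumptions for the demonstration.

```python
"""Audit process umask and world-accessible files under a webapp directory.
Added example, not Tomcat code; sample files and suffix list are assumed."""
import os
import stat
import tempfile

# Assumed: file types that commonly carry datasource or user passwords.
SENSITIVE_SUFFIXES = (".xml", ".properties")


def current_umask():
    """Read the process umask without changing it (os.umask has no getter)."""
    old = os.umask(0)
    os.umask(old)
    return old


def umask_is_restrictive(mask):
    """True when the 'other' digit is 7 (the ***7 rule from this thread)."""
    return (mask & 0o007) == 0o007


def effective_mode(requested, mask):
    """Permission bits a newly created file gets after the umask is applied."""
    return requested & ~mask & 0o777


def world_accessible(root):
    """Relative paths under root granting any 'other' bits, sorted;
    files with a sensitive-looking suffix are marked with a trailing ' !'."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            if mode & 0o007:
                flag = " !" if name.endswith(SENSITIVE_SUFFIXES) else ""
                hits.append(os.path.relpath(full, root) + flag)
    return sorted(hits)


def demo():
    """Build a constructed unpacked-webapp tree and audit it."""
    root = tempfile.mkdtemp()
    sample = {"WEB-INF/web.xml": 0o644,          # world-readable: flagged
              "META-INF/context.xml": 0o600,     # owner-only: fine
              "index.html": 0o640}               # group-readable only: fine
    for rel, mode in sample.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
        os.chmod(path, mode)
    return world_accessible(root)


if __name__ == "__main__":
    print("umask %04o restrictive: %s" % (current_umask(), umask_is_restrictive(current_umask())))
    print(demo())
```

Run it against a real unpacked webapps tree by calling `world_accessible("/path/to/webapps")`; any line ending in ` !` is a config file that a local user can read.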