Bug 22405 - warn if not deploy with umask "0077" or if deployed as "root" and provide tutorial URL "Secure deployment"
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 4
Classification: Unclassified
Component: Catalina
Version: 4.1.24
Hardware: Other other
Importance: P3 enhancement
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
URL: http://jakarta.apache.org/tomcat/tomc...
Keywords:
Depends on:
Blocks:
 
Reported: 2003-08-14 07:28 UTC by Ralf Hauser
Modified: 2011-02-23 14:26 UTC (History)

Attachments
Proposed patch for Tomcat 7 (16.93 KB, patch)
2011-01-19 13:45 UTC, Mark Thomas

Description Ralf Hauser 2003-08-14 07:28:19 UTC
The user managing web applications under tomcat is often root.
Typically root has "umask 755" and this makes sense for many tasks that have to
be accomplished as root.

However web applications often contain passwords to access for example a database.
Therefore, I suggest:
1) make sure that the permissions generated by attributes autoDeploy and
unpackWARs are 700
2) add a "permissions" attribute that allows one to
   i) use the default umask if it is set to "umask"
   ii) set any other octal umask value for this
Comment 1 Martin Algesten 2003-08-14 09:47:46 UTC

Can't say that I agree. I would never dream of running my tomcat processes as root, nor would I
be logged in and manage them as root (tip: sudo). And I would assume the files created by tomcat
are using the umask of the tomcat process; didn't even think you could set them from inside Java,
but then I might not be up to date with the latest cool API additions.
Comment 2 Ralf Hauser 2003-08-14 14:12:27 UTC
Ok, I might have misunderstood somebody such that I thought that tomcat only
runs under root which it obviously does not (I tested it now; and yes, even
before this post, I did use sudo).

In order to avoid novices like myself falling into these traps, I suggest the
following 3 enhancements:
1) warn if tomcat sees itself running as "root" and print a tutorial URL into
   catalina.out
2) warn if tomcat sees its umask as being other than ***7 (i.e. if its output
   is world-readable) and print the same tutorial URL
3) create the tutorial page how to deploy securely (I am happy to be the first
   tester/contributor there!)

Re: how to set owners/permissions from inside Java
  --> a quick google search yielded the following (untested) results
http://www.aoindustries.com/docs/aocode-public/com/aoindustries/io/unix/UnixFile.html
http://www.xenonsoft.demon.co.uk/products/javaunix/docs/api/javaunix/io/UnixFile.html

Former "Summary: deploy as 700 and additional attribute to be less restrictive"

Further safeguard ideas to achieve secure deployment out of the Java-oriented
world (tomcat/ant) are described in
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22370 and
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22417 .
Comment 3 J.M. (Martijn) Kruithof 2003-08-14 14:50:25 UTC
Both of these libraries work via native methods to achieve this. Ant does
not use native methods.
Comment 4 Mark Thomas 2011-01-18 20:07:00 UTC
The Tomcat 7 docs include a section on security considerations. I have expanded the OS section for 7.0.7 to cover file permissions, umask etc.

I am still thinking about if/how to implement the user, umask etc. checks.
Comment 5 Mark Thomas 2011-01-19 13:45:40 UTC
Created attachment 26519 [details]
Proposed patch for Tomcat 7

This patch adds a new listener that checks the user Tomcat is running as and the umask being used.
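As an added example (not the attached patch and not code from this thread), the two start-up warnings Ralf lists in comment 2, which the listener described in comment 5 is meant to raise, written as a POSIX shell check; the tutorial URL is a placeholder, and the check functions take the uid and umask as arguments so they can be exercised without touching the calling environment.

```shell
#!/bin/sh
# Added example, not Tomcat's own code: start-up checks modelled on the
# "running as root" and "umask not ***7" warnings proposed in this bug.
TUTORIAL_URL="https://example.invalid/tomcat-secure-deployment"  # placeholder

# True (status 0) when the given numeric uid is root.
running_as_root() {
    [ "$1" -eq 0 ]
}

# True (status 0) when the umask leaves new files readable by "other", i.e.
# its last octal digit is not 7 (the "***7" test from comment 2).
# Anything that is not a plain octal string is treated as unsafe (fail closed).
umask_world_readable() {
    _mask=$1
    case "$_mask" in
        *[!0-7]*|"")
            echo "cannot parse umask '$_mask'; assuming unsafe" >&2
            return 0 ;;
    esac
    _last=${_mask#"${_mask%?}"}   # last character of the octal string
    [ "$_last" != "7" ]
}

# Run both checks, print each warning with the tutorial URL, and return the
# number of warnings so a caller can decide whether to abort start-up.
secure_deployment_check() {
    _uid=$1
    _mask=$2
    _warnings=0
    if running_as_root "$_uid"; then
        echo "WARNING: Tomcat is running as root; see $TUTORIAL_URL" >&2
        _warnings=$((_warnings + 1))
    fi
    if umask_world_readable "$_mask"; then
        echo "WARNING: umask $_mask leaves deployed files world-readable; see $TUTORIAL_URL" >&2
        _warnings=$((_warnings + 1))
    fi
    return "$_warnings"
}

# Stand-alone use: inspect the current process with the POSIX id and umask utilities.
if [ "${1:-}" = "--self" ]; then
    secure_deployment_check "$(id -u)" "$(umask)"
fi
```

Running the file with `--self` checks the invoking shell's own `id -u` and `umask`; a non-zero exit status is the number of warnings printed.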
Comment 6 Mark Thomas 2011-02-23 14:26:21 UTC
I have added the listener to 7.0.x and it will be included in 7.0.9 onwards.

It has not been enabled by default as it may break current configurations such as IDE environments. It will be enabled by default in Tomcat 8.