Ownership of Tomcat files
I have been asked to set up a Tomcat server, and am just grappling with the extensive documentation. It isn't a production site, just a demonstration site for students to play with, but I'm very puzzled by the file ownerships which SuSE set up as they seem to break security principles as well as being inconvenient.
When the Tomcat server starts, /etc/init.d/tomcat changes the ownership of all the files in $CATALINA_BASE to be tomcat:tomcat, i.e. the same as the user running the web server. So the web server has write access to its own configuration and to all the pages it serves, which is obviously a potential security hazard. It is also inconvenient, because the local user who owns the pages can no longer change them without asking a superuser.
I am using SuSE 9.1 by the way, but it looks very similar on 9.2.
Is there a good reason for it being done like this? Forgive me if I have missed something; I know nothing at all about servlets and am just trying to get the server going without expending too much effort.
Regards,
Bob
==============================================================
Bob Vickers R.Vickers@cs.rhul.ac.uk
Dept of Computer Science, Royal Holloway, University of London
The files should be owned by wwwrun:root for tomcat
Bob Vickers wrote:
When the Tomcat server starts, /etc/init.d/tomcat changes the ownership of all the files in $CATALINA_BASE to be tomcat:tomcat, i.e. the same as the user running the web server. So the web server has write access to its own configuration and to all the pages it serves, which is obviously a potential security hazard. It is also inconvenient, because the local user who owns the pages can no longer change them without asking a superuser.
I don't use the Tomcat rpm, but I've 2 servers with apache as a front-end to Tomcat, so apache is running with wwwrun and tomcat is running with the tomcat user started with "su - tomcat". The permissions of the tomcat folder are set to tomcat.tomcat before starting; no need of root as tomcat runs on port 8080.
Bob Vickers wrote:
When the Tomcat server starts, /etc/init.d/tomcat changes the ownership of all the files in $CATALINA_BASE to be tomcat:tomcat, i.e. the same as the user running the web server. So the web server has write access to its own configuration and to all the pages it serves, which is obviously a potential security hazard. It is also inconvenient, because the local user who owns the pages can no longer change them without asking a superuser.
Hi,
I didn't look at the installation yet, but there are some directories that should be writeable to the webserver. "logs", "work" and in some cases "webapps" come to my mind. There are even reasons for having the config directories writeable by the webserver...
logs is obvious, work is where tomcat stores temporary files, like translated jsp code (if you don't use precompiled webapplications). webapps is where the applications are deployed - though on a production server it is not advisable to auto-deploy applications when *.war files change.
Also, if you use the tomcat admin webapplication, the webserver needs write access to its own configuration: choose your poison. I believe that new autodeployed web applications may place context files under conf/Catalina/localhost (in the standard configuration)...
Olaf
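Added example, not part of the original thread: a small POSIX sh audit of the point made in the replies above, that only some directories under $CATALINA_BASE need to be writable by the server account. The function name audit_writable, the RUNTIME_DIRS list (including temp, which the thread does not mention) and the script name audit.sh are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the thread): report what a service account could
# modify under CATALINA_BASE outside the directories that need run-time writes.
# Assumption: logs, work and temp are the run-time directories; add webapps or
# conf here only if auto-deploy or the admin webapp is really wanted.
RUNTIME_DIRS="logs work temp"

# audit_writable BASE UID GID
# Prints, sorted, every non-symlink path under BASE (outside RUNTIME_DIRS) that
# is owned by UID (an owner can always chmod itself write access), is
# group-writable with group GID, or is world-writable.
# Simplification: only the one GID given is checked; ACLs are ignored.
audit_writable() {
    base=${1%/} uid=$2 gid=$3
    set --
    for d in $RUNTIME_DIRS; do
        # ${1:+-o} inserts "-o" between tests, but not before the first one
        set -- "$@" ${1:+-o} -path "$base/$d"
    done
    find "$base" \( "$@" \) -prune -o ! -type l \( \
        -uid "$uid" -o \
        \( -gid "$gid" -perm -020 \) -o \
        -perm -002 \) -print | sort
}

# Stand-alone use, with numeric ids:
#   sh audit.sh "$CATALINA_BASE" "$(id -u tomcat)" "$(id -g tomcat)"
if [ "$#" -eq 3 ]; then
    audit_writable "$1" "$2" "$3"
fi
```

An empty report means the account can write only inside the run-time directories; after the init script's blanket chown to tomcat:tomcat, every path outside them is listed.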
participants (4): Bob Vickers, g.lams@itcilo.org, Harry Crowder, Olaf Kock