Mailinglist Archive: opensuse-security (228 mails)

Re: [suse-security] Ownership of Tomcat files
  • From: Olaf Kock <suse@xxxxxxxxxxx>
  • Date: Tue, 15 Mar 2005 17:24:29 +0100
  • Message-id: <42370C3D.7040200@xxxxxxxxxxx>
Bob Vickers wrote:

When the Tomcat server starts, /etc/init.d/tomcat changes the ownership of
all the files in $CATALINA_BASE to be tomcat:tomcat, i.e. the same as the
user running the web server. So the web server has write access to its own
configuration and to all the pages it serves, which is obviously a
potential security hazard. It is also inconvenient, because the local user
who owns the pages can no longer change them without asking a superuser.

Hi,

I didn't look at the installation yet, but there are some directories that should be writable to the webserver. "logs", "work" and in some cases "webapps" come to mind. There are even reasons for having the config directories writable by the webserver...

logs is obvious, work is where tomcat stores temporary files, like translated jsp code (if you don't use precompiled web applications). webapps is where the applications are deployed - though on a production server it is not advisable to auto-deploy applications when *.war files change.

Also, if you use the tomcat admin web application, the webserver needs write access to its own configuration: choose your poison. I believe that new autodeployed web applications may place context files under conf/Catalina/localhost (in the standard configuration)...

Olaf
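The split Olaf describes (config and pages owned by an administrator and read-only to Tomcat; only the runtime directories writable by the tomcat user), as an added example script that is not part of the thread or of the SUSE init script. It assumes a $CATALINA_BASE path without whitespace, a "temp" directory alongside "logs" and "work", and a find that understands -path and symbolic -perm modes (GNU and BSD both do).

```shell
#!/bin/sh
# Least-privilege ownership for a Tomcat instance directory (example, not from the thread).
# Directories Tomcat must write to at runtime. "temp" is an assumption of this example.
TOMCAT_WRITABLE="logs work temp"
# Only if you depend on auto-deploy or the admin webapp (the mail advises against it in
# production): uncomment to let tomcat write webapps and generated context files as well.
# TOMCAT_WRITABLE="$TOMCAT_WRITABLE webapps conf/Catalina/localhost"

# harden_catalina_base BASE ADMIN_USER TOMCAT_USER TOMCAT_GROUP
# Everything becomes ADMIN_USER:TOMCAT_GROUP, readable but not writable by the group;
# only the runtime directories are handed to TOMCAT_USER.
harden_catalina_base() {
    base=$1; admin=$2; tuser=$3; tgroup=$4
    chown -R "$admin:$tgroup" "$base" || return 1
    find "$base" -type d -exec chmod 750 {} + || return 1
    find "$base" -type f -exec chmod 640 {} + || return 1
    for d in $TOMCAT_WRITABLE; do
        [ -d "$base/$d" ] || mkdir -p "$base/$d" || return 1
        chown -R "$tuser:$tgroup" "$base/$d" || return 1
        find "$base/$d" -type d -exec chmod 750 {} + || return 1
    done
    return 0
}

# audit_catalina_base BASE ADMIN_USER
# Lists paths outside the runtime directories that are not owned by ADMIN_USER or that
# carry group/other write bits, i.e. anything the tomcat user could modify. Prints the
# offenders and returns 1 if there are any; returns 0 (silently) when the tree is clean.
audit_catalina_base() {
    base=$1; admin=$2
    prune=""
    for d in $TOMCAT_WRITABLE; do prune="$prune -path $base/$d -prune -o"; done
    out=$(find "$base" $prune \( ! -user "$admin" -o -perm -g+w -o -perm -o+w \) -print)
    [ -z "$out" ] || printf '%s\n' "$out"
    [ -z "$out" ]
}
```

Run harden_catalina_base once as root after installation, and audit_catalina_base from cron or after every deployment to catch the init script (or a deploy) chowning the tree back to tomcat.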
