Mailinglist Archive: opensuse-security (228 mails)

Re: [suse-security] Ownership of Tomcat files
  • From: g.lams@xxxxxxxxxx
  • Date: Tue, 15 Mar 2005 17:21:52 +0100
  • Message-id: <OF37757C10.B29C552C-ONC1256FC5.0058CCE2-C1256FC5.0059E44E@xxxxxxxxxx>
Bob Vickers <bobv@xxxxxxxxxxxxx> wrote on 15/03/2005 17.06.23:
>
> When the Tomcat server starts, /etc/init.d/tomcat changes the ownership of
> all the files in $CATALINA_BASE to be tomcat:tomcat, i.e. the same as the
> user running the web server. So the web server has write access to its own
> configuration and to all the pages it serves, which is obviously a
> potential security hazard. It is also inconvenient, because the local user
> who owns the pages can no longer change them without asking a superuser.
>
I don't use the Tomcat rpm, but I have 2 servers with apache as a
front-end to Tomcat, so apache is running with wwwrun and tomcat is
running with the tomcat user, started with "su - tomcat".
The permissions of the tomcat folder are set to tomcat.tomcat before
starting; no need of root, as tomcat runs on port 8080.
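
A read-only check for the condition discussed in this thread, given as an added example that is not part of the original messages: it lists the paths under $CATALINA_BASE that the account running Tomcat could modify. The function name `writable_by` is hypothetical, and the choice of `conf/` and `webapps/` as the directories holding the configuration and the served pages is an assumption.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Assumption: conf/ and webapps/ under CATALINA_BASE hold the configuration
# and the served pages; logs/, work/ and temp/ are expected to stay writable.

# writable_by BASE USER GROUP [SUBDIR...]
# Prints every file or directory under the given subdirectories that the
# account can write to through owner, group or world permission bits.
# USER and GROUP may be names or numeric ids. ACLs and supplementary
# groups are not evaluated; symlinks are skipped (their mode is not used).
writable_by() {
    base=$1 user=$2 group=$3
    shift 3
    [ "$#" -gt 0 ] || set -- conf webapps
    for sub in "$@"; do
        [ -e "$base/$sub" ] || continue
        find "$base/$sub" \( \
            \( -user "$user" -perm -200 \) -o \
            \( -group "$group" -perm -020 \) -o \
            -perm -002 \) ! -type l -print
    done
}

# Typical call on the system described above (account tomcat:tomcat):
#   writable_by "$CATALINA_BASE" tomcat tomcat
```

An empty result means the server account cannot alter its own configuration or the pages it serves through plain permission bits.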


