Mailinglist Archive: opensuse-security (228 mails)

Re: [suse-security] Ownership of Tomcat files
The files should be owned by wwwrun:root for Tomcat.

----- Original Message -----
From: "Bob Vickers" <bobv@xxxxxxxxxxxxx>
To: "SUSE Security List" <suse-security@xxxxxxxx>
Sent: Tuesday, March 15, 2005 10:06 AM
Subject: [suse-security] Ownership of Tomcat files

I have been asked to set up a Tomcat server, and am just grappling with
the extensive documentation. It isn't a production site, just a
demonstration site for students to play with, but I'm very puzzled by the
file ownerships which SuSE set up as they seem to break security
principles as well as being inconvenient.

When the Tomcat server starts, /etc/init.d/tomcat changes the ownership of
all the files in $CATALINA_BASE to be tomcat:tomcat, i.e. the same as the
user running the web server. So the web server has write access to its own
configuration and to all the pages it serves, which is obviously a
potential security hazard. It is also inconvenient, because the local user
who owns the pages can no longer change them without asking a superuser.

I am using SuSE 9.1 by the way, but it looks very similar on 9.2.

Is there a good reason for it being done like this? Forgive me if I have
missed something; I know nothing at all about servlets and am just trying
to get the server going without expending too much effort.

Bob Vickers R.Vickers@xxxxxxxxxxxxx
Dept of Computer Science, Royal Holloway, University of London
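
The concern raised in the message, that the account running Tomcat can modify its own configuration and served pages, can be checked with a short audit. This is an added example, not part of the original thread or of SuSE's init script; the function names `writable_by` and `make_demo_tree` are hypothetical, the `tomcat:tomcat` default comes from the message, and only the primary group is considered.

```shell
#!/bin/sh
# Added example (not from the thread): list everything under a Tomcat base
# directory that the service account could modify, judged by owner, group
# and mode bits. Supplementary groups and ACLs are not considered (assumption).

# writable_by USER GROUP DIR
# Prints paths under DIR that are writable by USER as owner, by GROUP as
# group, or by everyone. USER and GROUP may be names or numeric IDs.
writable_by() {
    find "$3" ! -type l \( \
        \( -user "$1" -perm -200 \) -o \
        \( -group "$2" -perm -020 \) -o \
        -perm -002 \) -print
}

# make_demo_tree
# Builds a small constructed tree that mimics a CATALINA_BASE layout and
# prints its path. The files are owned by whoever runs the script, so the
# caller plays the role of the service account in the demonstration.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/conf" "$d/webapps/ROOT"
    echo '<Server/>' > "$d/conf/server.xml"
    echo 'hello'     > "$d/webapps/ROOT/index.jsp"
    chmod 644 "$d/conf/server.xml"          # owner may rewrite the config
    chmod 444 "$d/webapps/ROOT/index.jsp"   # read-only for everyone
    echo "$d"
}

# Usage: sh audit.sh "$CATALINA_BASE" [user] [group]
# With no arguments nothing is scanned; the functions are only defined.
if [ "$#" -ge 1 ]; then
    writable_by "${2:-tomcat}" "${3:-tomcat}" "$1"
fi
```

An empty result for `conf/` and `webapps/` means the service account can read but not alter its configuration or content; directories appear in the output too, since a writable directory allows files inside it to be replaced.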
