Mailinglist Archive: opensuse-security (228 mails)

Ownership of Tomcat files
  • From: Bob Vickers <bobv@xxxxxxxxxxxxx>
  • Date: Tue, 15 Mar 2005 16:06:23 +0000 (GMT)
  • Message-id: <Pine.OSF.4.58.0503151605450.22814@xxxxxxxxxxxxxxxxxxxx>
I have been asked to set up a Tomcat server, and am just grappling with
the extensive documentation. It isn't a production site, just a
demonstration site for students to play with, but I'm very puzzled by the
file ownerships which SuSE set up as they seem to break security
principles as well as being inconvenient.

When the Tomcat server starts, /etc/init.d/tomcat changes the ownership of
all the files in $CATALINA_BASE to be tomcat:tomcat, i.e. the same as the
user running the web server. So the web server has write access to its own
configuration and to all the pages it serves, which is obviously a
potential security hazard. It is also inconvenient, because the local user
who owns the pages can no longer change them without asking a superuser.

I am using SuSE 9.1 by the way, but it looks very similar on 9.2.

Is there a good reason for it being done like this? Forgive me if I have
missed something; I know nothing at all about servlets and am just trying
to get the server going without expending too much effort.

Bob Vickers R.Vickers@xxxxxxxxxxxxx
Dept of Computer Science, Royal Holloway, University of London
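To make the concern in this post concrete, here is an added example (not part of the original mail or of the SuSE init script) that models the POSIX write check and lists which files under $CATALINA_BASE the tomcat account could modify, once with everything chowned to tomcat:tomcat as described above and once with config and content owned by root or the maintaining user and only group-readable. The base path, the uids and the file inventory are constructed assumptions.

```python
import stat
from typing import NamedTuple

class Entry(NamedTuple):
    path: str
    uid: int
    gid: int
    mode: int  # permission bits only, e.g. 0o640

def can_write(e: Entry, uid: int, gids: set) -> bool:
    """POSIX write check: owner bits if uid matches, else group bits if the
    file's group is one of the caller's groups, else other bits. Root wins."""
    if uid == 0:
        return True
    if e.uid == uid:
        return bool(e.mode & stat.S_IWUSR)
    if e.gid in gids:
        return bool(e.mode & stat.S_IWGRP)
    return bool(e.mode & stat.S_IWOTH)

def service_writable(entries, uid, gids, allowed_prefixes):
    """Paths the service account can write, excluding directories where
    runtime writes are expected (work/, temp/, logs/)."""
    return [e.path for e in entries
            if can_write(e, uid, gids)
            and not e.path.startswith(tuple(allowed_prefixes))]

TOMCAT_UID, TOMCAT_GID = 1001, 1001      # constructed ids for the tomcat account
BASE = "/usr/share/tomcat"               # hypothetical $CATALINA_BASE
RUNTIME = (f"{BASE}/work", f"{BASE}/temp", f"{BASE}/logs")

# Constructed inventory after an init script does chown -R tomcat:tomcat.
AFTER_CHOWN = [
    Entry(f"{BASE}/conf/server.xml", TOMCAT_UID, TOMCAT_GID, 0o644),
    Entry(f"{BASE}/webapps/demo/index.jsp", TOMCAT_UID, TOMCAT_GID, 0o644),
    Entry(f"{BASE}/work/Catalina", TOMCAT_UID, TOMCAT_GID, 0o755),
]
# Constructed inventory with config owned by root and pages owned by the
# maintaining user (uid 1500), group tomcat, readable but not writable by it.
HARDENED = [
    Entry(f"{BASE}/conf/server.xml", 0, TOMCAT_GID, 0o640),
    Entry(f"{BASE}/webapps/demo/index.jsp", 1500, TOMCAT_GID, 0o640),
    Entry(f"{BASE}/work/Catalina", TOMCAT_UID, TOMCAT_GID, 0o755),
]

def audit(entries):
    """Files outside the runtime directories that the tomcat user can write."""
    return service_writable(entries, TOMCAT_UID, {TOMCAT_GID}, RUNTIME)

if __name__ == "__main__":
    print("after chown -R tomcat:tomcat:", audit(AFTER_CHOWN))
    print("hardened layout:", audit(HARDENED))
```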
