Posted to dev@tomcat.apache.org by bu...@apache.org on 2003/08/14 16:12:28 UTC

DO NOT REPLY [Bug 22405] - warn if not deploy with umask "0077" or if deployed as "root" and provide tutorial URL "Secure deployment"

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22405>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22405

warn if not deploy with umask "0077" or if deployed as "root" and provide tutorial URL "Secure deployment"

hauser@acm.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |netshark@sharkplanet.com
            Summary|deploy as 700 and additional|warn if not deploy with
                   |attribute to be less        |umask "0077" or if deployed
                   |restrictive                 |as "root" and provide
                   |                            |tutorial URL "Secure
                   |                            |deployment"



------- Additional Comments From hauser@acm.org  2003-08-14 14:12 -------
Ok, I might have misunderstood somebody, such that I thought that tomcat only
runs under root, which it obviously does not (I tested it now; and yes, even
before this post, I did use sudo).

In order to avoid novices like myself falling into these traps, I suggest the
following 3 enhancements:
1) warn if tomcat sees itself running as "root" and print a tutorial URL into
   catalina.out
2) warn if tomcat sees its umask as being other than ***7 (i.e. if its output
   is world-readable) and print the same tutorial URL
3) create the tutorial page how to deploy securely (I am happy to be the first
   tester/contributor there!)

Re: how to set owners/permissions from inside Java
  --> a quick google search yielded the following (untested) results
http://www.aoindustries.com/docs/aocode-public/com/aoindustries/io/unix/UnixFile.html
http://www.xenonsoft.demon.co.uk/products/javaunix/docs/api/javaunix/io/UnixFile.html

Former "Summary: deploy as 700 and additional attribute to be less restrictive"

Further safeguard ideas to achieve secure deployment out of the Java-oriented
world (tomcat/ant) are described in
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22370 and
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22417 .
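Enhancements 1 and 2 above, written as an added POSIX shell example of the kind of start-up check a launcher script such as catalina.sh could run; this is not Tomcat's own code, and TUTORIAL_URL is a placeholder because the bug gives no real page.

```shell
#!/bin/sh
# Added example, not Tomcat's code: warn when the server is started as root or
# with a umask that leaves new files readable by other users.
TUTORIAL_URL="https://example.invalid/secure-deployment"   # placeholder only

# check_not_root UID: returns 0 if UID is not 0; otherwise warns on stderr and returns 1.
check_not_root() {
    if [ "$1" -eq 0 ]; then
        echo "WARNING: running as root; see $TUTORIAL_URL" >&2
        return 1
    fi
    return 0
}

# check_umask MASK: the bug asks for "***7", i.e. the last octal digit must be 7
# so that no "other" permission bit survives. Returns 0 when that holds,
# 1 (with a warning) when files would be world-readable, 2 on unparseable input.
check_umask() {
    case "$1" in
        ''|*[!0-7]*)
            echo "WARNING: cannot parse umask '$1'" >&2
            return 2 ;;
        *7)
            return 0 ;;
        *)
            echo "WARNING: umask $1 leaves new files readable by others; see $TUTORIAL_URL" >&2
            return 1 ;;
    esac
}

# run_startup_checks: evaluates the live process (id -u and the umask builtin);
# returns 1 if either check fired so the caller can decide whether to continue.
run_startup_checks() {
    rc=0
    check_not_root "$(id -u)" || rc=1
    check_umask "$(umask)" || rc=1
    return $rc
}
```

Running `run_startup_checks` from a start script before launching the JVM gives the catalina.out-style warning the bug asks for without any Java-side file-permission API.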

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org