Posted to users@tomcat.apache.org by logo <lo...@kreuser.name> on 2020/05/13 06:48:05 UTC

[OT] Re: CentOS Tomcat install seems to ignore setenv.sh

Hi calder,


> On 13.05.2020 at 04:59, calder <ca...@gmail.com> wrote:
> 
> On Tue, May 12, 2020, 21:48 kohmoto <ko...@iris.eonet.ne.jp> wrote:
> 
>> Hi, Calder,
>> 
>> Thank you for your prompt reply.
>> I think Tomcat binary files all have root privileges.
>> Should these privileges be changed to user privileges?
>> 
> 
> 
> Yes.

I would suggest leaving the binaries and maybe even config files to root or any other admin, so a hacked Tomcat process under the tomcat user will not be able to exchange config or even binaries.
That will only work if the config is not changed via host-manager or programmatically.

In the past we even kept the installed webapps under a different user, but that may be difficult in automated deployments.

My 2cts.

Peter

> 
> There is a "Tomcat Security" guide at the Tomcat website.  Also, Mulesoft
> has a good guide
> https://www.mulesoft.com/tcat/tomcat-security
> 
> 
> Yours truly,
>> Kazuhiko Kohmoto
>> 
>> On 2020/05/13 11:17, calder wrote:
>>> If TC, running as root, is ever compromised, the compromising user
>>> (attacker) can gain access to the whole of the system.  The attacker
>> could
>>> execute any arbitrary command available on the system.  They could remove
>>> files, or install malicious software.
>> 
>> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: [OT] Re: CentOS Tomcat install seems to ignore setenv.sh

Posted by logo <lo...@kreuser.name>.
Chris,

> On 13.05.2020 at 16:42, Christopher Schultz <ch...@christopherschultz.net> wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> Peter,
> 
> On 5/13/20 02:48, logo wrote:
>> Hi calder,
>> 
>> 
>>> On 13.05.2020 at 04:59, calder <ca...@gmail.com> wrote:
>>> 
>>> On Tue, May 12, 2020, 21:48 kohmoto <ko...@iris.eonet.ne.jp>
>>> wrote:
>>> 
>>>> Hi, Calder,
>>>> 
>>>> Thank you for your prompt reply. I think Tomcat binary files
>>>> all have root privileges. Should these privileges be
>>>> changed to user privileges?
>>>> 
>>> 
>>> 
>>> Yes.
>> 
>> I would suggest leaving the binaries and maybe even config files
>> to root or any other admin, so a hacked Tomcat process under the
>> tomcat user will not be able to exchange config or even binaries.
> Yes! There really is no need for Tomcat to modify its own config files
> or binaries.
> 
>> That will only work if the config is not changed via
>> host-manager or programmatically.
> 
> This shouldn't be too much of a problem. Not many people use the
> host-manager.
> 
>> In the past we even kept the installed webapps under a different
>> user, but that may be difficult in automated deployments.
> 
> This is less important IMO. The owner of the files can be anybody...
> just not the Tomcat user.
> 
> And, before anybody says "but.. but... Docker!" you should remember
> that root in a Docker container often ends up having many more
> privileges outside the container than you think it does/should.
> 

Never ignore this!

As simple as adding the following to your Dockerfile

########
# Create an unprivileged service user and hand it only the directories
# Tomcat has to write to at runtime; bin/, conf/ and lib/ stay owned by root.
RUN set -x \
  && groupadd tomcat \
  && useradd -g tomcat -s /usr/sbin/nologin -m -d /home/tomcat tomcat \
  && chown -R tomcat:tomcat $CATALINA_HOME/logs $CATALINA_HOME/work $CATALINA_HOME/temp

# add $CATALINA_HOME/webapps if you use the manager-app
# (nologin lives at /usr/sbin/nologin on Debian/Ubuntu and CentOS 7+; older
#  RHEL/CentOS only has /sbin/nologin. $CATALINA_HOME must already be set via ENV.)

USER tomcat
########


before running the ENTRYPOINT or CMD.

BTW: that is something that is really missing in the "Official" Tomcat Docker images. (I know they are not maintained by ASF)

Peter

> - -chris
> -----BEGIN PGP SIGNATURE-----
> Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
> 
> iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl68B08ACgkQHPApP6U8
> pFhlGA/+O68ss6u7JTG4j7LDOqZq3K+E6DJ+45v8Tz69nL49WNZzcs3n1DfhP3Ar
> EomgYcbGgAq0eot6LInWQmoMX1xp+Wh2XC0b/fae1/vkerN4ugqLiqWIA1uM1ar4
> LQ0im7X8RaredMc0BanditDuJK5iRoUqRg7md8Sw/aGOncvVzjRR1hgU9mzqbHps
> C6wrSb+5rr5a3SE1P2k2uhpMY1FI1xP8icdQXBCA6eYiJ3tBYsPmWU3z3J8JAmmG
> k3i4WpZdoTsfVlX2n8H6K1l3u8WQsHmoMg5pzqgV1ABUtSBBbrSSkdCTlwHse4ch
> ePAZg5XRuVlb06UbRHW15hfVGJCgCrzeL/yIufScEOYV6YYnEAx5D+UULG0wSJ7r
> cRnmPE5ccWSLflplcmhurqhXRWeqsfpzjraZGRdyqv4HqG1zlfefEIuMVCPLHtRO
> DQACi0HfbhOvNoIsVtabXBC4gigT4Zv2k9EQcRjbpO/cN1VMzRNV80jVnnV4QiOj
> PCJ81Z4G+LE0pCSqoYLIvZKZ1CbmD0BIeL6ZngrHJFACJlkbSK4zfRMBgKc/2OZa
> 5ltCftRev8fW4hztptQRxg9tfEdhaa+6MVXTGPTHYhGycMsDgCEO/W7dU6LcJNJG
> q+bcNedNE5y046yCm9SpGKW0/kmS5I6R984W1NhfHSNKTLtEwHc=
> =V1n4
> -----END PGP SIGNATURE-----
> 


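As an added example, not code from this thread or from the Tomcat project, the following POSIX shell script checks the ownership split Peter recommends and the non-root point Chris raises about Docker: bin/, conf/ and lib/ must not be owned by (or world-writable to) the service user, logs/, work/ and temp/ must be owned by it, and the Tomcat process must not run as uid 0. It assumes the standard CATALINA_HOME layout; the user name tomcat and the script name tomcat-perm-audit.sh are only defaults chosen here.

```shell
#!/bin/sh
# Added example for this thread, not code from the list or from Tomcat itself.
# Audits the ownership split discussed above: bin/, conf/ and lib/ must not be owned
# by (or writable to) the service user, while logs/, work/ and temp/ must be.
# Assumptions: a standard CATALINA_HOME layout; the user name "tomcat" is only a default.

# owner_of PATH: print the owning user name (uses ls, so it works on GNU and BSD)
owner_of() {
    ls -ld "$1" | awk '{print $3}'
}

# world_writable PATH: succeed when "other" has write permission (9th char of the mode)
world_writable() {
    case "$(ls -ld "$1" | awk '{print $1}')" in
        ????????w*) return 0 ;;
        *)          return 1 ;;
    esac
}

# audit_tomcat_tree CATALINA_HOME SERVICE_USER
# Prints one "FINDING: ..." line per violation.
audit_tomcat_tree() {
    home=$1
    svc=$2
    # Trees the running Tomcat must never be able to change.
    for d in bin conf lib; do
        if [ -d "$home/$d" ]; then
            find "$home/$d" -print | while read -r p; do
                if [ "$(owner_of "$p")" = "$svc" ]; then
                    echo "FINDING: $p is owned by the service user $svc (expected root/admin)"
                fi
                if world_writable "$p"; then
                    echo "FINDING: $p is world-writable"
                fi
            done
        fi
    done
    # Trees Tomcat writes at runtime; it must own them so it never needs root.
    for d in logs work temp; do
        if [ ! -d "$home/$d" ]; then
            echo "FINDING: $home/$d is missing"
        elif [ "$(owner_of "$home/$d")" != "$svc" ]; then
            echo "FINDING: $home/$d is owned by $(owner_of "$home/$d"), not by $svc"
        fi
    done
}

# finding_count CATALINA_HOME SERVICE_USER: print the number of findings (0 = clean)
finding_count() {
    audit_tomcat_tree "$1" "$2" | grep -c '^FINDING' || true
}

# process_uid PID: print the numeric uid a process runs as
process_uid() {
    ps -o uid= -p "$1" | tr -d ' '
}

# runs_unprivileged PID: succeed when the process is not uid 0 (root); this is the
# check behind the Docker remark, and "USER tomcat" in the Dockerfile is what makes it pass
runs_unprivileged() {
    [ "$(process_uid "$1")" != "0" ]
}

# Usage: sh tomcat-perm-audit.sh /opt/tomcat tomcat [PID]
if [ -n "$1" ]; then
    audit_tomcat_tree "$1" "${2:-tomcat}"
    echo "findings: $(finding_count "$1" "${2:-tomcat}")"
    if [ -n "$3" ]; then
        runs_unprivileged "$3" && echo "pid $3 is not root" || echo "FINDING: pid $3 runs as root"
    fi
fi
```

Run it as root (or any user that can read the whole tree) against the real CATALINA_HOME and the PID from the Tomcat pid file; a clean install prints no FINDING lines. The script only reports and never changes ownership, so it is safe to add to a deployment pipeline or a cron-driven check.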


Re: [OT] Re: CentOS Tomcat install seems to ignore setenv.sh

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Peter,

On 5/13/20 02:48, logo wrote:
> Hi calder,
>
>
>> On 13.05.2020 at 04:59, calder <ca...@gmail.com> wrote:
>>
>> On Tue, May 12, 2020, 21:48 kohmoto <ko...@iris.eonet.ne.jp>
>> wrote:
>>
>>> Hi, Calder,
>>>
>>> Thank you for your prompt reply. I think Tomcat binary files
>>> all have root privileges. Should these privileges be
>>> changed to user privileges?
>>>
>>
>>
>> Yes.
>
> I would suggest leaving the binaries and maybe even config files
> to root or any other admin, so a hacked Tomcat process under the
> tomcat user will not be able to exchange config or even binaries.
Yes! There really is no need for Tomcat to modify its own config files
or binaries.

> That will only work if the config is not changed via
> host-manager or programmatically.

This shouldn't be too much of a problem. Not many people use the
host-manager.

> In the past we even kept the installed webapps under a different
> user, but that may be difficult in automated deployments.

This is less important IMO. The owner of the files can be anybody...
just not the Tomcat user.

And, before anybody says "but.. but... Docker!" you should remember
that root in a Docker container often ends up having many more
privileges outside the container than you think it does/should.

- -chris



Re: [OT] Re: CentOS Tomcat install seems to ignore setenv.sh

Posted by kohmoto <ko...@iris.eonet.ne.jp>.
Hi, Logo,

My current practice is as you suggest.
Thank you for your advice.

Yours truly,
Kazuhiko Kohmoto

On 2020/05/13 15:48, logo wrote:
> Hi calder,
>
>
>> On 13.05.2020 at 04:59, calder <ca...@gmail.com> wrote:
>>
>> On Tue, May 12, 2020, 21:48 kohmoto <ko...@iris.eonet.ne.jp> wrote:
>>
>>> Hi, Calder,
>>>
>>> Thank you for your prompt reply.
>>> I think Tomcat binary files all have root privileges.
>>> Should these privileges be changed to user privileges?
>>>
>>
>> Yes.
> I would suggest leaving the binaries and maybe even config files to root or any other admin, so a hacked Tomcat process under the tomcat user will not be able to exchange config or even binaries.
> That will only work if the config is not changed via host-manager or programmatically.
>
> In the past we even kept the installed webapps under a different user, but that may be difficult in automated deployments.
>
> My 2cts.
>
> Peter
>
>> There is a "Tomcat Security" guide at the Tomcat website.  Also, Mulesoft
>> has a good guide
>> https://www.mulesoft.com/tcat/tomcat-security
>>
>>
>> Yours truly,
>>> Kazuhiko Kohmoto
>>>
>>> On 2020/05/13 11:17, calder wrote:
>>>> If TC, running as root, is ever compromised, the compromising user
>>>> (attacker) can gain access to the whole of the system.  The attacker
>>> could
>>>> execute any arbitrary command available on the system.  They could remove
>>>> files, or install malicious software.
>>>

