Posted to users@tomcat.apache.org by Richard Smith <sp...@hotmail.com> on 2002/08/19 05:11:36 UTC
tomcat/unix security manager questions
Hi All,
Just wondering if you could help me clarify a few questions I have about tomcat and catalina.policy. I'm running tomcat 4.0.4 (w/ security manager) with mod_jk on solaris with about 300+ users, all of whom can deploy jsp/servlets from their public_html directory.
A user requirement is that they must be able to read/write files in their home directory. This is what I'm a little confused about. I understand I can put an entry like:
permission java.io.FilePermission "/home/-", "read,write,delete,execute";
in catalina.policy, but how does this enable tomcat to write to other users' home directories (when tomcat is running as a user with minimal privileges)? Or must I change permissions on the file to allow the user that is running tomcat to write to it (is this the normal practice?).
Also, this is probably more a java question, but do standard unix permissions always take precedence over what is set in catalina.policy? (In my understanding the unix permissions take precedence, but I just wanted to make sure (please excuse my java ignorance).)
Any help appreciated,
Cheers,
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
Re: tomcat/unix security manager questions
Posted by Glenn Nielsen <gl...@mail.more.net>.
Richard Smith wrote:
>
> Hi All,
>
> Just wondering if you could help me clarify a few questions I have about tomcat and catalina.policy. I'm running tomcat 4.0.4 (w/ security manager) with mod_jk on solaris with about 300+ users, all of whom can deploy jsp/servlets from their public_html directory.
>
I have never set up Tomcat to do this, but from reading the docs it looks like Tomcat instantiates a separate web application context for each user.
> A user requirement is that they must be able to read/write files in their home directory. This is what I'm a little confused about. I understand I can put an entry like:
>
> permission java.io.FilePermission "/home/-", "read,write,delete,execute";
>
I would never grant the "execute" permission; this allows Tomcat to use Runtime.exec() to execute shell scripts, etc.!
The above permission w/o execute should be fine.
> in catalina.policy, but how does this enable tomcat to write to other users' home directories (when tomcat is running as a user with minimal privileges)? Or must I change permissions on the file to allow the user that is running tomcat to write to it (is this the normal practice?).
>
Yes, if you want to allow the user web applications to write and delete files in their own home directory, Tomcat would need r/w file permissions. This can be done by adding the tomcat user "tomcat" to the group(s) which your users are members of. Then set up permissions on the public_html directory of mode 2775.
> Also, this is probably more a java question, but do standard unix permissions always take precedence over what is set in catalina.policy? (In my understanding the unix permissions take precedence, but I just wanted to make sure (please excuse my java ignorance).)
>
Yes, unix file/dir ownership and permissions take precedence.
> Any help appreciated,
>
> Cheers,
>
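The two layers discussed in this thread, as an added example that is not part of the original messages and is not Tomcat or JDK code: a simplified Python model in which a write succeeds only when the catalina.policy FilePermission entry and the Unix mode bits on public_html both allow it. The user name, uids, gids and file path are constructed sample values, and root and ACLs are ignored.

```python
# Added illustration: a simplified model, not Tomcat or JDK code.
# The user, uids, gids and paths below are constructed sample values.

def policy_implies(grant_path, grant_actions, path, action):
    """Simplified java.io.FilePermission matching:
    "dir/-" covers everything below dir, "dir/*" only its direct children."""
    if action not in {a.strip() for a in grant_actions.split(",")}:
        return False
    base = grant_path[:-1]
    if grant_path.endswith("/-"):
        return path.startswith(base) and len(path) > len(base)
    if grant_path.endswith("/*"):
        rest = path[len(base):]
        return path.startswith(base) and rest != "" and "/" not in rest
    return path == grant_path

def unix_can_modify_dir(mode, owner_uid, group_gid, uid, gids):
    """Creating or deleting an entry needs w and x on the directory.
    The first matching class (owner, then group, then other) decides."""
    shift = 6 if uid == owner_uid else 3 if group_gid in gids else 0
    return ((mode >> shift) & 0o3) == 0o3

def effective(grant, path, action, dir_stat, proc):
    """An access succeeds only if the Java policy AND the OS both allow it."""
    if not policy_implies(grant[0], grant[1], path, action):
        return "denied by policy"
    if action in ("write", "delete") and not unix_can_modify_dir(*dir_stat, *proc):
        return "denied by OS"
    return "allowed"

GRANT = ("/home/-", "read,write,delete")   # the thread's entry without "execute"
TARGET = "/home/alice/public_html/data.txt"
ALICE_UID, USERS_GID, TOMCAT_UID, TOMCAT_GID = 1001, 500, 900, 900

def scenarios():
    before = ((0o755, ALICE_UID, USERS_GID), (TOMCAT_UID, {TOMCAT_GID}))
    after = ((0o2775, ALICE_UID, USERS_GID), (TOMCAT_UID, {TOMCAT_GID, USERS_GID}))
    return {
        "mode 0755, tomcat not in group": effective(GRANT, TARGET, "write", *before),
        "mode 2775, tomcat in group": effective(GRANT, TARGET, "write", *after),
        "execute requested": effective(GRANT, TARGET, "execute", *after),
        "path outside /home": effective(GRANT, "/etc/passwd", "write", *after),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

Because "/home/-" matches every path below /home, the policy check in this model passes for any user's directory, so per-user separation here comes only from the Unix ownership and group setup.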