Posted to users@tomcat.apache.org by Richard Smith <sp...@hotmail.com> on 2002/08/19 05:11:36 UTC

tomcat/unix security manager questions

Hi All,

Just wondering if you could help me clarify a few questions I have about tomcat and catalina.policy. I'm running tomcat 4.0.4 (w/ security manager) with mod_jk on solaris with about 300+ users, all of whom can deploy jsp/servlets from their public_html directory.

A user requirement is that they must be able to read/write files in their home directory. This is what I'm a little confused about. I understand I can put an entry like:

permission java.io.FilePermission "/home/-", "read,write,delete,execute";

in catalina.policy, but how does this enable tomcat to write to other users' home directories (when tomcat is running as a user with minimal privileges)? Or must I change permissions on the file to allow the user that is running tomcat to write to it (is this the normal practice?).

Also, this is probably more a java question, but do standard unix permissions always take precedence over what is set in catalina.policy? (In my understanding the unix permissions take precedence, but I just wanted to make sure (please excuse my java ignorance).)

Any help appreciated,

Cheers,




--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


Re: tomcat/unix security manager questions

Posted by Glenn Nielsen <gl...@mail.more.net>.
Richard Smith wrote:
> 
> Hi All,
> 
> Just wondering if you could help me clarify a few questions I have about tomcat and catalina.policy. I'm running tomcat 4.0.4 (w/ security manager) with mod_jk on solaris with about 300+ users, all of whom can deploy jsp/servlets from their public_html directory.
> 

I have never setup Tomcat to do this, but from reading the docs it looks
like Tomcat instantiates a separate web application context for each user.

> A user requirement is that they must be able to read/write files in their home directory. This is what I'm a little confused about. I understand I can put an entry like:
> 
> permission java.io.FilePermission "/home/-", "read,write,delete,execute";
> 

I would never grant the "execute" permission; this allows Tomcat to use Runtime.exec() to execute shell scripts, etc.!

The above permission w/o execute should be fine.

> in catalina.policy, but how does this enable tomcat to write to other users' home directories (when tomcat is running as a user with minimal privileges)? Or must I change permissions on the file to allow the user that is running tomcat to write to it (is this the normal practice?).
> 

Yes, if you want to allow the user web applications to write and delete
files in their own home directory Tomcat would need r/w file permissions.

This can be done by adding the tomcat user "tomcat" to the group(s) which your users are members of. Then set up permissions on the public_html directory with mode 2775.

> Also, this is probably more a java question, but do standard unix permissions always take precedence over what is set in catalina.policy? (In my understanding the unix permissions take precedence, but I just wanted to make sure (please excuse my java ignorance).)
> 

Yes, unix file/dir ownership and permissions take precedence.

> Any help appreciated,
> 
> Cheers,
> 


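The unix-side layout from the reply above (public_html at mode 2775, the tomcat account in the users' group), as an added check script that is not part of the thread; it uses only POSIX ls/cut/awk/id so it runs on Solaris as well as Linux, and the account name "tomcat" and the temporary demo directory are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Verifies that a directory matches
# the suggested layout: setgid + group-writable + not world-writable (what
# chmod 2775 produces) and the tomcat account a member of the owning group.

# Print the 10-character mode field of a path, e.g. "drwxrwsr-x".
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Return 0 when $1 is a directory whose group can write and search it, the
# setgid bit is set (new files inherit the group) and others cannot write.
# Positions in the mode field: 1 type, 2-4 owner, 5-7 group, 8-10 others.
check_2775() {
    dir=$1
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 1; }
    m=$(mode_string "$dir")
    case "$m" in
        ??????s???) ;;   # group execute plus setgid shows as 's'
        *) echo "$dir: setgid missing or group cannot search ($m)"; return 1 ;;
    esac
    case "$m" in
        ?????w????) ;;
        *) echo "$dir: group cannot write ($m)"; return 1 ;;
    esac
    case "$m" in
        ????????-?) ;;
        *) echo "$dir: world-writable ($m)"; return 1 ;;
    esac
    return 0
}

# Return 0 when account $2 (default "tomcat", an assumed name) is a member of
# the group that owns directory $1; a nonexistent account fails the check.
tomcat_in_dir_group() {
    dir=$1; acct=${2:-tomcat}
    grp=$(ls -ld "$dir" | awk '{print $4}')
    id -Gn "$acct" 2>/dev/null | tr ' ' '\n' | grep -qx "$grp"
}

# Demo on a constructed temporary directory; no real home directory is touched.
demo=$(mktemp -d)
chmod 2775 "$demo"
check_2775 "$demo" && echo "$demo: layout ok"
rmdir "$demo"
```

Note that a single `/home/-` grant plus a shared group makes every user's public_html writable by the tomcat account, so one user's JSP can reach another user's directory through the same path; this script confirms the unix layout, it does not isolate users from each other.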