Posted to dev@tomcat.apache.org by GOMEZ Henri <hg...@slib.fr> on 2002/02/05 09:31:07 UTC

Security in Tomcat Webapps - WAS: Tomcat 4 / mod_webapp RPMs available...

I'm sending a copy to tomcat-dev since it's an important issue.

>Thanks for getting back to me so quickly. The distributions you have
>provided via jakarta have been very beneficial to us and our project. We
>are grateful so much work has gone into building RPM's.

Thanks ;)

>> Warning, the RPM goal is to enable people to use different versions,
>> ie Tomcat 3.3 and Tomcat 4, which are not exclusive and could be
>> used at the same time. So you need in that case 2 different homes,
>> /var/tomcat3 and /var/tomcat4.
>>
>> But many users asked me to have TC 3.3 and 4.0 at the same time on their
>> boxes to test applications migration from Servlet 2.2/1.1 to 2.3/1.2
>
>I can see the benefit in this. It's understandable that both platforms
>should be capable of running on the same machine. I think you are
>correct. I will rebuild ours with this put back to tomcat4.

It also seems fine to help people determine which Tomcat they want to use;
it's important for sites which use mod_jk, for example, which was only
available in TC 3.2/3.3. Also, many sites (yes yes) still haven't upgraded
to JDK 1.2, which is mandatory for TC 4.0.

>>>We modified the Permissions on the webapps directory to give tomcat group
>>>users rights to edit files in it, where the /etc/rc.d/init.d/tomcat script
>>>didn't provide these permissions previously.
>>
>> It's bad for security: tomcat shouldn't be able to write these files,
>> only the logs and work dirs....
>
>Hmm, but your chowning to TOMCAT_USER in your init file does just that.
>The tomcat4 user/group now has full access to the webapps directory.
>
>Your code:
>
>     chown -R $TOMCAT_USER:$TOMCAT_USER @@@TCHOME@@@/logs
>     chown -R $TOMCAT_USER:$TOMCAT_USER @@@TCHOME@@@/work
>     chown -R $TOMCAT_USER:$TOMCAT_USER @@@TCHOME@@@/webapps/*
>
>turns
>
>-rwxrwxrwx    1 jcool   jcool       6871 Jan 29 15:10 index.html
>
>into
>
>-rwxrwxrwx    1 tomcat   tomcat       6871 Jan 29 15:10 index.html

And that's bad, since index.html should instead be 644 for root:root.
Note that the webapps directory must be writable by tomcat, since
the webapps are decompressed from wxxx.war to wxxx/ in the webapps dir.

>If a developer places a file in webapps with world read write
>permissions then anyone can edit it and tomcat chowns it and leaves this
>permission intact. This means that no security measures are taken to
>stop the tomcat4 group or even the world from really having write
>access to these files. In fact chowning the webapps directory gives
>tomcat full access to it.

Yes, but it shouldn't be writable; that's a serious security problem.
For example, the Apache HTTP server runs as the nobody or apache user, but
all files in htdocs should be writable only by root.

>This is a struggle for us, since the tomcat4 user takes over full user 
>and group ownership of the webapps directory (without any chmod on the 
>files within), servlet/jsp developers are then possibly locked out of 
>having permissions on the files they had originally placed in the 
>webapps directory. By adding the tomcat4 group to these users and 
>rewriting tomcat4 rights to write these files we resolved this issue.
>
>     chown -R $TOMCAT_USER:$TOMCAT_USER @@@TCHOME@@@/logs
>     chown -R $TOMCAT_USER:$TOMCAT_USER @@@TCHOME@@@/work
>     chown -R $TOMCAT_USER:$TOMCAT_USER @@@TCHOME@@@/webapps
>     chmod -R ug+rwx @@@TCHOME@@@/webapps
>     chmod -R o+xr-w @@@TCHOME@@@/webapps
>
>turns
>
>-rwxrwxrwx    1 jcool   jcool       6871 Jan 29 15:10 index.html
>
>into
>
>-rwxrwxr-x    1 tomcat   tomcat       6871 Jan 29 15:10 index.html

In fact the script should be more sophisticated and at least remove
the execute attribute from the final files. I'll take a look at it ASAP.

# give access to log subdirs (may be just to tomcat user => chmod 700)
find @@@TCHOME@@@/logs -type d -exec chmod 755 \{\} \;
# only the owner has write access, all exec removed
find @@@TCHOME@@@/logs -type f -exec chmod 644 \{\} \;
# all files owned by tomcat
find @@@TCHOME@@@/logs -type f -exec chown $TOMCAT_USER:$TOMCAT_USER \{\} \;

# give access to work subdirs (may be just to tomcat user => chmod 700)
find @@@TCHOME@@@/work -type d -exec chmod 755 \{\} \;
# only the owner has write access, all exec removed
find @@@TCHOME@@@/work -type f -exec chmod 644 \{\} \;
# all files owned by tomcat
find @@@TCHOME@@@/work -type f -exec chown $TOMCAT_USER:$TOMCAT_USER \{\} \;

# give access to webapps subdirs (may be just to tomcat user => chmod 700)
find @@@TCHOME@@@/webapps -type d -exec chmod 755 \{\} \;
# only tomcat has write access, all exec removed
find @@@TCHOME@@@/webapps -type f -exec chmod 644 \{\} \;
# all files owned by tomcat
find @@@TCHOME@@@/webapps -type f -exec chown $TOMCAT_USER:$TOMCAT_USER \{\} \;

I suppose you use Samba to make the webapps dirs writable for Windows developers?

>If this is a real problem security-wise, why does the tomcat4 user have
>to own the files in the webapps directory to properly execute them? It
>seems that tomcat4 would only require read access.

Exactly.

>Perhaps a better approach would be to not chown the webapps directory
>to tomcat4 but to make sure that tomcat4 only has read permissions on
>the directory (recursively) and leave the permissions for the developer
>users in place.

Yes, but take a look at webapp WAR expanding!

>only turn
>
>     chown -R $TOMCAT_USER:$TOMCAT_USER @@@TCHOME@@@/logs
>     chown -R $TOMCAT_USER:$TOMCAT_USER @@@TCHOME@@@/work
>     chmod -R o+xr-w @@@TCHOME@@@/webapps
>     chmod -R g+xr   @@@TCHOME@@@/webapps
>
>-rwxrwxrwx    1 jcool   jcool       6871 Jan 29 15:10 index.html
>
>into
>
>-rwxrwxr-x    1 jcool   jcool       6871 Jan 29 15:10 index.html
>
>Is there any reason that tomcat needs write permissions on this directory?

webapp autoexpand again ;(

>> You make many useful modifications I'd like to put back
>> in the original RPM, but I won't touch the home location or
>> include a potential security problem with the webapps directory.
>
>Great, I can wrap a src rpm for tomcat4 that has only the changes you
>want. We can deal with having tomcat 4.0 in its own directory. Please
>let me know what you think about the permissions issue.

Just send me the .spec for tomcat4 and mod_webapp, including the 
tomcat wrappers.

Remember, files should be 644 root:root on production servers;
I do that using a little shell script:

#!/bin/sh
#
# @(#)cleanwebapp 1.00 2000/09/05
#
# Author  : Henri Gomez <hg...@slib.fr>
#
# Purpose : Cleanup rights for a webapp directory
#

if [ $# = 0 ]; then
  echo "Usage: $0 webappdir"
  exit 1
fi

# everything owned by root:root, directories 755, files 644 (no exec bit)
chown -R root "$1"
chgrp -R root "$1"
find "$1" -type d -exec chmod 755 \{\} \;
find "$1" -type f -exec chmod 644 \{\} \;


Which makes me think that we could have a major security
problem in Tomcat 3.3/4.0 when auto-expand is activated,
since it requires that Tomcat have write access to
the webapps files. You could play with java.security controls,
but it's still better to lock things down at the system level too.

Question: 

How could we fix it?

Could we imagine that, after expanding a webapp, Tomcat sends a message to the system
asking it to set the owner of the files and dirs to root:root in 644 mode (or similar
in the Windows world)?

Maybe by creating a file in WEB-INF which could be monitored by a cron task
running as root, which could then apply that restriction?

What about a possible call to a system API to have such a monitoring task
included in Tomcat and running as root, while the rest of Tomcat
runs as a nobody user, as Apache HTTP does?

Are current JVMs able to have one thread running as root and the others
as the nobody user, for example?
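As an added example (not code from the thread or the RPM), here is a POSIX sh version of what the cleanwebapp script and the find/chmod snippets above aim for, with an audit step that reports anything still writable by group or others so a deploy check can fail on it. It assumes only find, chmod and chown; ownership is changed only when run as root, and the demo tree it builds is constructed, not a real Tomcat install.

```shell
#!/bin/sh
# Added example, not from the thread: normalise an expanded webapp tree
# to dirs 755 / files 644 / root:root as the thread recommends, and audit
# a tree for anything still writable by group or others.
# Assumes POSIX sh, find and chmod; chown is only attempted as root.

# List every file or directory under $1 that group or others can write.
# No output means the tree is clean (what a deploy check should expect).
audit_writable() {
    find "$1" \( -perm -020 -o -perm -002 \) -print
}

# Lock down the webapp tree $1: directories 755, files 644 (this also drops
# the exec bit the init script left on index.html), root:root when possible.
# Prints the number of entries still writable beyond the owner (expect 0).
lock_webapp() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    find "$dir" -type d -exec chmod 755 {} \;
    find "$dir" -type f -exec chmod 644 {} \;
    # Ownership must not stay with the tomcat user or a developer;
    # only root can change it, so skip silently when unprivileged.
    if [ "$(id -u)" = 0 ]; then
        chown -R root:root "$dir"
    fi
    audit_writable "$dir" | wc -l | tr -d ' '
}

# Stand-alone demo on a constructed tree (mimics the 777 index.html
# from the thread); nothing touches a real Tomcat install.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    mkdir -p "$tmp/app/WEB-INF" && chmod 755 "$tmp/app"
    echo '<html></html>' > "$tmp/app/index.html"
    chmod 777 "$tmp/app/index.html" "$tmp/app/WEB-INF"
    echo "before: $(audit_writable "$tmp/app" | wc -l | tr -d ' ') writable"
    echo "after:  $(lock_webapp "$tmp/app") writable"
    rm -rf "$tmp"
fi
```

Run with `--demo` to see the before/after counts; run `audit_writable` alone on a production webapps tree to detect files a developer or Samba client left group- or world-writable.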




Re: Security in Tomcat Webapps - WAS: Tomcat 4 / mod_webapp RPMs available...

Posted by "Mark R. Diggory" <md...@latte.harvard.edu>.
Here's a copy of the SPEC for mod_webapp.

I'll pull together the other SPEC and init files for tomcat4 in the
future.

-thanks,
Mark Diggory