Posted to dev@tomcat.apache.org by bu...@apache.org on 2006/11/11 12:16:07 UTC

DO NOT REPLY [Bug 40947] New: - Stopping the server should not rely on passing a string to a port on localhost.

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=40947>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=40947

           Summary: Stopping the server should not rely on passing a string
                    to a port  on localhost.
           Product: Tomcat 6
           Version: 6.0.0
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: Martijn.Ras@GMail.com


Heya Folks,

The process to stop the server currently passes a string ("SHUTDOWN" by default)
to a port ("8005" by default) on the localhost.

This is a security hole, since anyone with access to the machine can thus
shut down the server.

Yes, I know it's possible to prevent users access to the machine, change the
port and string, setup firewall rules to prevent access to the port. But that's
all working around the real problem.

We really need a new less insecure way to stop the server.

Mazzel,

Martijn.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


remm@apache.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID




------- Additional Comments From remm@apache.org  2006-12-06 02:21 -------
We will be waiting for your suggestions on dev@tomcat.

------- Additional Comments From rm@moosauer.de  2006-12-10 13:59 -------
Hi Shankar,

Your comment seems not to clarify anything. Can we agree on this:
1. yes, jsvc is SIGTERM'ed on shutdown
2. But the kill is _always_ clean, because Tomcat is properly shut down via 
the 'Daemon' interface.
3. Of course, jsvc is not available under Windows. There we have PROCRUN,
  which does not use the daemon interface and uses a quite different approach,
  which is IMHO less clean.
  (But procrun does a very good job controlling service parameters)
4. Command-line-mode was not the subject here.

More comments?

R.

------- Additional Comments From shankarunni@netscape.net  2006-12-14 10:39 -------
The subject was that you felt that using a port and reading a string to shut down
tomcat was insecure.

My point was that you don't have to rely on that mechanism - there are other
mechanisms already available to you. If you are uncomfortable with the shutdown
port, you can disable it in your installation and use a method you think is more
secure.

In either case, if you want to disable the shutdown port, *and* have Tomcat work
as a "system service" either on Linux/Unix or Windows, some custom work will be
required on your part.

For Linux, you'll have to adjust the startup script to kill tomcat instead of
invoking its "stop" command.

On Windows, there may be an issue because the default service stop/start
defaults to using PROCRUN to invoke the Catalina stop() entry point which simply
sends a string to the shutdown port. Perhaps a custom shutdown script can be
whipped up to send a CTRL-BREAK to the process instead, and have the service
invoke that for stopping the process (this may require some development work).

On second thought, I think this may be a valid enhancement request for the
future - a more reliable semi-secure mechanism so that only the process owner or
the administrator can shut the process down. 

Martin: perhaps you can create a separate enhancement request for this?  But
it's definitely not a very high priority - for most environments, this isn't an
issue, and for the few where it is (shared Linux environments in schools, etc.),
it's possible to hand-tweak the init scripts and server.xml to not use the
shutdown port at all.

------- Additional Comments From rm@moosauer.de  2006-12-06 03:44 -------
On Unix, this is already possible using the 'jsvc'-Binary.
AFAIK simply remove the 'shutdown'-element from server.xml

I'm not sure about Windows; the procrun service behaves a little differently.
Does anybody know?

R.

------- Additional Comments From Martijn.Ras@GMail.com  2006-12-16 01:39 -------
The enhancement request is in bug #41188

------- Additional Comments From remm@apache.org  2006-12-16 02:24 -------
*** Bug 41188 has been marked as a duplicate of this bug. ***

------- Additional Comments From shankarunni@netscape.net  2006-12-07 14:13 -------
(In reply to comment #2)
> On Unix, this is already possible using the 'jsvc'-Binary.
> AFAIK simply remove the 'shutdown'-element from server.xml

"jsvc" doesn't do any magic - it just kills the process. You'd prefer to kill
tomcat cleanly (by making it shut down cleanly somehow) - which is why you have
this mechanism to tell it to do so. 

Of course, on non-Windows boxes, Tomcat catches TERM signals and exits cleanly.

And AFAIK, setting the Server's port to "-1" disables the opening of the port,
and then you have to be logged in as the user that Tomcat is running under (or
as root) in order to kill it (by sending it a "TERM" signal).

So that should take care of many of the security concerns on Unix.

On Windows, I'm not sure what signals terminate Tomcat if it's running as a
service - if it's running as a command-line process, then CTRL-BREAK should do it.


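A server.xml check for the settings discussed in this thread, added here as an example (it is not code from the thread or from the Tomcat project). The `port` and `shutdown` attributes on `<Server>` are the port and string the report describes; the finding names and the sample configurations are constructed.

```python
import xml.etree.ElementTree as ET

# Defaults as stated in the bug report: port 8005, command string "SHUTDOWN".
DEFAULT_PORT = 8005
DEFAULT_COMMAND = "SHUTDOWN"

# Constructed sample configurations (not taken from the thread).
STOCK = '<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina"/></Server>'
RENAMED = '<Server port="8105" shutdown="constructed-secret"><Service name="Catalina"/></Server>'
DISABLED = '<Server port="-1" shutdown="SHUTDOWN"><Service name="Catalina"/></Server>'
TEMPLATED = '<Server port="${shutdown.port}" shutdown="SHUTDOWN"/>'


def audit_shutdown_listener(server_xml):
    """Return findings for the <Server> element; [] means the port is disabled."""
    root = ET.fromstring(server_xml)
    if root.tag != "Server":
        raise ValueError("expected <Server> as the root element, got <%s>" % root.tag)
    # Assumption: a missing attribute falls back to the default named in the report.
    raw_port = root.get("port", str(DEFAULT_PORT)).strip()
    command = root.get("shutdown", DEFAULT_COMMAND)
    try:
        port = int(raw_port)
    except ValueError:
        # Property placeholders cannot be judged from the file alone.
        return ["port-not-literal"]
    if port == -1:
        # Per the thread, "-1" keeps the port from being opened, so stopping
        # Tomcat then takes a TERM signal sent as the Tomcat user or as root.
        return []
    # Only -1, the value named in the thread, is treated as disabled here.
    findings = ["listener-enabled"]
    if port == DEFAULT_PORT:
        findings.append("default-port")
    if command == DEFAULT_COMMAND:
        findings.append("default-command")
    return findings


if __name__ == "__main__":
    samples = (("stock", STOCK), ("renamed", RENAMED),
               ("disabled", DISABLED), ("templated", TEMPLATED))
    for name, xml in samples:
        print(name, audit_shutdown_listener(xml) or "shutdown port disabled")
```

A changed port and string still reports `listener-enabled`, which matches the reporter's point that those changes work around the listener rather than remove it.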