Posted to users@tomcat.apache.org by "epicwinter@hotmail.com" <ep...@hotmail.com> on 2009/02/02 20:24:16 UTC

RE: running tomcat with root user.....umask in jsvc?

You are correct, I found a setting that relaxes the group access permissions on the jailkit.  

Now I just have one more problem.  When tomcat creates files in these user directories I need the permissions to be set appropriately.  What is the best way to set the umask value when running tomcat using jsvc?

> Date: Sun, 1 Feb 2009 21:58:11 -0800
> From: rusty.wright@gmail.com
> To: users@tomcat.apache.org
> Subject: Re: running tomcat with root user
> 
> Are you sure about the group write permissions?  I glanced at the jailkit web page and it looks like it's sugar coating and chrome around a chroot.  So I would think that using unix groups would work.  And on the flip side, if unix groups don't work, it seems to me that ACLs wouldn't either.
> 
> 
> epicwinter@hotmail.com wrote:
> > I have the latest tomcat 6 installed under centos 5.2.  The problem I am having is that it appears that I have to run tomcat as root user, because the spring app that tomcat starts needs to write files to other users' home directories.  The tomcat user doesn't have access to these directories.
> > 
> > I tried making these users part of a shared group, but to complicate the problem the users are jailed using jailkit.  So it doesn't appear that jailkit lets me add group write privileges to the home directories and maintain a working jail.
> > 
> > Can anyone suggest another alternative?  I am not a Linux user expert, so maybe there is an obvious solution I am missing?
> > thanks
> > 
> > 
> > 
> > 
> > _________________________________________________________________
> > Windows Live™ Hotmail®…more than just e-mail. 
> > http://windowslive.com/howitworks?ocid=TXT_TAGLM_WL_t2_hm_justgotbetter_howitworks_012009
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 


RE: running tomcat with root user.....umask in jsvc?

Posted by "epicwinter@hotmail.com" <ep...@hotmail.com>.


> Date: Tue, 3 Feb 2009 00:10:30 +0100
> From: aw@ice-sa.com
> To: users@tomcat.apache.org
> Subject: Re: running tomcat with root user.....umask in jsvc?
> 
> epicwinter@hotmail.com wrote:
> [...]
> I'm not a great security specialist, but your setup looks indeed safe 
> enough, if the users are chrooted to their home directories.
> I can't imagine how they could break out and access things they shouldn't.
> 
> Just one more question : how do you arrange to know who is uploading a 
> file, and thus where to put it ?

Well each customer gets assigned its own jailed user.  The uploading facility is completely underneath a Swing GUI so all the customer knows is that the upload button works.  When the customer logs in to their Swing client they load some settings requested from the server; one of these settings happens to be their sftp login for the server and the other is the upload directory.  So the server holds all this info in config files and the users don't even ever know what their login is.

> 
> 
> 
> As a footnote : having a basic problem similar to yours (under Apache, 
> not Tomcat), I ended up with a solution like this, implemented with 
> Apache and mod_perl, but which should be also transposable to Tomcat 
> with servlet filters and such :
> 
> To allow users to upload their files, I implemented the standard DAV 
> module in Apache (which also exists in Tomcat). This way, they can do 
> drag-and-drop directly from within their Windows Explorer, to one 
> directory structure on the server. And, I did not have to re-invent the 
> wheel for uploading files.
> 
> But that did not at first allow me to know who was uploading the file, 
> and what to do with it.
> To know who was doing it, I thus added an HTTP authentication.
> But still, DAV doesn't care, and uploads all the files under the user 
> Apache (Tomcat) runs under.
> 
> So I added a couple of filters, one in front and one behind DAV. The 
> front-end filter takes note of who this is (from the Apache 
> authentication), and where the user thinks he is uploading the file to 
> (from the URL), then changes the "PUT" URL sneakily (a la mod_rewrite), 
> so that DAV now uploads the file in fact somewhere completely different, 
> outside of the directories where the user thinks he is uploading.
> 
> Then right after DAV, another filter picks up the uploaded file from the 
> known place where DAV put it, and moves it to the real destination and 
> with the correct ownership and permissions (which it gets from where the 
> first filter saved them).
> 
> It is a bit like another solution suggested earlier based on a separate 
> daemon, only here everything happens in real-time.
> 
> I am sure this could be done in Tomcat with a servlet filter around the 
> DAV webapp.
> 
I haven't done much with those filters, but I like the idea of using the filters for something like this; it is nice that it is at least somewhat external to core code.

Re: running tomcat with root user.....umask in jsvc?

Posted by André Warnier <aw...@ice-sa.com>.
epicwinter@hotmail.com wrote:
[...]
I'm not a great security specialist, but your setup looks indeed safe 
enough, if the users are chrooted to their home directories.
I can't imagine how they could break out and access things they shouldn't.

Just one more question : how do you arrange to know who is uploading a 
file, and thus where to put it ?



As a footnote : having a basic problem similar to yours (under Apache, 
not Tomcat), I ended up with a solution like this, implemented with 
Apache and mod_perl, but which should be also transposable to Tomcat 
with servlet filters and such :

To allow users to upload their files, I implemented the standard DAV 
module in Apache (which also exists in Tomcat). This way, they can do 
drag-and-drop directly from within their Windows Explorer, to one 
directory structure on the server. And, I did not have to re-invent the 
wheel for uploading files.

But that did not at first allow me to know who was uploading the file, 
and what to do with it.
To know who was doing it, I thus added an HTTP authentication.
But still, DAV doesn't care, and uploads all the files under the user 
Apache (Tomcat) runs under.

So I added a couple of filters, one in front and one behind DAV. The 
front-end filter takes note of who this is (from the Apache 
authentication), and where the user thinks he is uploading the file to 
(from the URL), then changes the "PUT" URL sneakily (a la mod_rewrite), 
so that DAV now uploads the file in fact somewhere completely different, 
outside of the directories where the user thinks he is uploading.

Then right after DAV, another filter picks up the uploaded file from the 
known place where DAV put it, and moves it to the real destination and 
with the correct ownership and permissions (which it gets from where the 
first filter saved them).

It is a bit like another solution suggested earlier based on a separate 
daemon, only here everything happens in real-time.

I am sure this could be done in Tomcat with a servlet filter around the 
DAV webapp.






Re: running tomcat with root user.....umask in jsvc?

Posted by Rusty Wright <ru...@gmail.com>.
If you have control of the mode of the directory where the files are placed you may find the sticky bit helpful for propagating stuff down the tree:

  http://www.dartmouth.edu/~rc/help/faq/permissions.html


epicwinter@hotmail.com wrote:
> 
> 
>> Date: Mon, 2 Feb 2009 22:00:24 +0100
>> From: aw@ice-sa.com
>> To: users@tomcat.apache.org
>> Subject: Re: running tomcat with root user.....umask in jsvc?
>>
>> epicwinter@hotmail.com wrote:
>>> That is a possible solution.  There is a fairly heavy amount of files uploaded from many different users so it would mean a lot of configuration and a lot of maintenance to that config as I add new users.  So I am trying to avoid the operating system chmod commands in my code.
>> I don't really like that either, and it does break if you ever (yuk) 
>> would decide to run your code on some other platform.
>>
>>> If I add umask 002 in my ./etc/init.d/tomcat start up script it seems to fix the problem but I think this is setting that umask for more than just tomcat so I am not sure how safe that is.
>> As far as I can tell, it would only change the umask for the current 
>> process (the shell executing your startup script) and all its offsprings 
>> (jsvc, tomcat).  But it will do it for *everything* that these processes 
>> do (such as creating temporary files, logfiles, etc..).  That may indeed 
>> not be very secure. For instance, one thing which Tomcat to my knowledge 
>> does (if you have not disabled it) is to rewrite the "conf/users.xml" 
>> file each time it starts up (or stops ?).  That particular file is not 
>> essential, and maybe Tomcat does not do that anymore in recent versions, 
>> but there might be other such things lurking around unexpectedly.
>>
> That was my concern, I think it is a very mild security concern but still an issue nonetheless.  Since the tomcat user doesn't have shell access or root access I can't see it being a big issue, it would be nice if you could set the umask for just the class loader or running java process.
> 
>> I'm still a bit curious about how you did organise the upload 
>> directories and their rights and groups etc.. finally, because you want 
>> this one Tomcat user to be able to write into upload directories owned 
>> originally by other users, right ? Or at least, you want these other 
>> users afterward to have access to these files somehow.
>> So you must have established some common group or groups between the 
>> Tomcat user, and these other users, right ?
>> I am just wondering if by doing this, you have not "weakened" the 
>> general protection of all that stuff.
>>
> You got it.  Here is how I have it set up; let me know what you think:
> I created a shared group:
> groupadd sharedgroup
> Then I changed it so all my users were members of this group:
> usermod -g sharedgroup tomcat
> usermod -g sharedgroup jaileduser1
> usermod -g sharedgroup jaileduser2 ...etc
> 
> Then I found some settings in the jailkit ( http://olivier.sessink.nl/jailkit/ ) that allow for the jailed users to have group read/write permissions:
> in /etc/jailkit/jk_chrootsh.ini
> relax_home_group=1
> relax_home_group_permissions=1
> relax_home_other_permissions=1
> 
> Then in the jail jk_lsh.ini I set up the umask for the shared group:
> 
> [group sharedgroup]
> paths= /usr/bin, /usr/lib/
> executables= /usr/bin/scp, /usr/libexec/openssh/sftp-server
> umask= 002
> 
> Finally I added the umask 002 line to my tomcat startup script
> 
> The external jailed users only have sftp access and aren't able to move outside their home directories.  Since the jailed user shares a group with tomcat they can all incestuously read and write files to these home directories and since the umask is set the permissions are retained as new directories are created and so forth.
> 
> What do you think?
>  
>> I had a quite similar case to resolve not so long ago (with Apache, not 
>> Tomcat), and only ended up with ACLs after being forced to use them, 
>> because no other solution would really provide the security I wanted.
>>
> Yeah the ACLs look very effective but like yourself I am trying to avoid extra complications
> 



RE: running tomcat with root user.....umask in jsvc?

Posted by "epicwinter@hotmail.com" <ep...@hotmail.com>.


> Date: Mon, 2 Feb 2009 22:00:24 +0100
> From: aw@ice-sa.com
> To: users@tomcat.apache.org
> Subject: Re: running tomcat with root user.....umask in jsvc?
> 
> epicwinter@hotmail.com wrote:
> > That is a possible solution.  There is a fairly heavy amount of files uploaded from many different users so it would mean a lot of configuration and a lot of maintenance to that config as I add new users.  So I am trying to avoid the operating system chmod commands in my code.
> I don't really like that either, and it does break if you ever (yuk) 
> would decide to run your code on some other platform.
> 
> > If I add umask 002 in my ./etc/init.d/tomcat start up script it seems to fix the problem but I think this is setting that umask for more than just tomcat so I am not sure how safe that is.
> As far as I can tell, it would only change the umask for the current 
> process (the shell executing your startup script) and all its offsprings 
> (jsvc, tomcat).  But it will do it for *everything* that these processes 
> do (such as creating temporary files, logfiles, etc..).  That may indeed 
> not be very secure. For instance, one thing which Tomcat to my knowledge 
> does (if you have not disabled it) is to rewrite the "conf/users.xml" 
> file each time it starts up (or stops ?).  That particular file is not 
> essential, and maybe Tomcat does not do that anymore in recent versions, 
> but there might be other such things lurking around unexpectedly.
>
That was my concern, I think it is a very mild security concern but still an issue nonetheless.  Since the tomcat user doesn't have shell access or root access I can't see it being a big issue, it would be nice if you could set the umask for just the class loader or running java process.

> 
> I'm still a bit curious about how you did organise the upload 
> directories and their rights and groups etc.. finally, because you want 
> this one Tomcat user to be able to write into upload directories owned 
> originally by other users, right ? Or at least, you want these other 
> users afterward to have access to these files somehow.
> So you must have established some common group or groups between the 
> Tomcat user, and these other users, right ?
> I am just wondering if by doing this, you have not "weakened" the 
> general protection of all that stuff.
>
You got it.  Here is how I have it set up; let me know what you think:
I created a shared group:
groupadd sharedgroup
Then I changed it so all my users were members of this group:
usermod -g sharedgroup tomcat
usermod -g sharedgroup jaileduser1
usermod -g sharedgroup jaileduser2 ...etc

Then I found some settings in the jailkit ( http://olivier.sessink.nl/jailkit/ ) that allow for the jailed users to have group read/write permissions:
in /etc/jailkit/jk_chrootsh.ini
relax_home_group=1
relax_home_group_permissions=1
relax_home_other_permissions=1

Then in the jail jk_lsh.ini I set up the umask for the shared group:

[group sharedgroup]
paths= /usr/bin, /usr/lib/
executables= /usr/bin/scp, /usr/libexec/openssh/sftp-server
umask= 002

Finally I added the umask 002 line to my tomcat startup script

The external jailed users only have sftp access and aren't able to move outside their home directories.  Since the jailed user shares a group with tomcat they can all incestuously read and write files to these home directories and since the umask is set the permissions are retained as new directories are created and so forth.

What do you think?
 
> I had a quite similar case to resolve not so long ago (with Apache, not 
> Tomcat), and only ended up with ACLs after being forced to use them, 
> because no other solution would really provide the security I wanted.
> 
Yeah the ACLs look very effective but like yourself I am trying to avoid extra complications

> 

Re: running tomcat with root user.....umask in jsvc?

Posted by André Warnier <aw...@ice-sa.com>.
epicwinter@hotmail.com wrote:
> That is a possible solution.  There is a fairly heavy amount of files uploaded from many different users so it would mean a lot of configuration and a lot of maintenance to that config as I add new users.  So I am trying to avoid the operating system chmod commands in my code.
I don't really like that either, and it does break if you ever (yuk) 
would decide to run your code on some other platform.

> If I add umask 002 in my ./etc/init.d/tomcat start up script it seems to fix the problem but I think this is setting that umask for more than just tomcat so I am not sure how safe that is.
As far as I can tell, it would only change the umask for the current 
process (the shell executing your startup script) and all its offsprings 
(jsvc, tomcat).  But it will do it for *everything* that these processes 
do (such as creating temporary files, logfiles, etc..).  That may indeed 
not be very secure. For instance, one thing which Tomcat to my knowledge 
does (if you have not disabled it) is to rewrite the "conf/users.xml" 
file each time it starts up (or stops ?).  That particular file is not 
essential, and maybe Tomcat does not do that anymore in recent versions, 
but there might be other such things lurking around unexpectedly.

I'm still a bit curious about how you did organise the upload 
directories and their rights and groups etc.. finally, because you want 
this one Tomcat user to be able to write into upload directories owned 
originally by other users, right ? Or at least, you want these other 
users afterward to have access to these files somehow.
So you must have established some common group or groups between the 
Tomcat user, and these other users, right ?
I am just wondering if by doing this, you have not "weakened" the 
general protection of all that stuff.

I had a quite similar case to resolve not so long ago (with Apache, not 
Tomcat), and only ended up with ACLs after being forced to use them, 
because no other solution would really provide the security I wanted.


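The point made above, that a umask set in the startup script is inherited by jsvc and Tomcat and then applies to every file they create, shown as an added shell example (not code from the thread). The paths are constructed under a temporary directory, the function names are hypothetical, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example (not from the thread). All paths are constructed under a
# temporary directory; jaileduser1 is the thread's example account name.

# Stand-in for the init script: set a umask, then start one child process
# that writes a log file, a config file and an uploaded file below ROOT.
start_service() {   # usage: start_service ROOT UMASK
    (
        umask "$2"  # changes this subshell and its children, not the caller
        sh -c '
            mkdir -p "$1/logs" "$1/conf" "$1/home/jaileduser1/upload"
            : > "$1/logs/catalina.out"
            : > "$1/conf/users.xml"
            : > "$1/home/jaileduser1/upload/report.dat"
        ' sh "$1"
    )
}

# Audit: regular files outside home/ that ended up group-writable.
leaked_group_write() {   # usage: leaked_group_write ROOT
    find "$1" -type f -perm -020 ! -path "$1/home/*" | sed "s|^$1/||" | sort
}

# Run the whole scenario in a subshell so the reader's own umask is untouched.
demo() (   # usage: demo UMASK
    umask 022
    root=$(mktemp -d) || exit 1
    start_service "$root" "$1"
    echo "caller_umask=$(umask)"
    echo "upload_mode=$(stat -c %a "$root/home/jaileduser1/upload/report.dat")"
    leaked_group_write "$root"
    rm -rf "$root"
)
```

`demo 002` lists the log and config files as group-writable alongside the upload, while `demo 022` lists nothing; in both runs the calling shell's umask stays at 0022.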


RE: running tomcat with root user.....umask in jsvc?

Posted by "epicwinter@hotmail.com" <ep...@hotmail.com>.
That is a possible solution.  There is a fairly heavy amount of files uploaded from many different users so it would mean a lot of configuration and a lot of maintenance to that config as I add new users.  So I am trying to avoid the operating system chmod commands in my code.
If I add umask 002 in my ./etc/init.d/tomcat start up script it seems to fix the problem but I think this is setting that umask for more than just tomcat so I am not sure how safe that is.


> Date: Mon, 2 Feb 2009 21:05:15 +0100
> From: aw@ice-sa.com
> To: users@tomcat.apache.org
> Subject: Re: running tomcat with root user.....umask in jsvc?
> 
> André Warnier wrote:
> > epicwinter@hotmail.com wrote:
> >> You are correct, I found a setting that relaxes the group access 
> >> permissions on the jailkit. 
> >> Now I just have one more problem.  When tomcat creates files in these 
> >> user directories I need the permissions to be set appropriately.  What 
> >> is the best way to set the umask value when running tomcat using jsvc?
> >>
> > That's a good question.
> > I don't think jsvc would take any account of the Tomcat user's .profile 
> > file.
> > ACLs would allow you to do that however :-)
> > (Seriously, I believe you can set an ACL on the target directory that 
> > would make it so that when this particular user (Tomcat) creates a file 
> > there, it has by default a given set of permissions).
> > Otherwise, you might have to do some kind of chmod from within your 
> > webapp itself, after it creates the file. I don't know what Java method 
> > that would be.
> > 
> Replying to myself : upon further reflection, I am not even sure that 
> Java would have a method to do this, since it is supposed to be 
> platform-independent, and setting filesystem permissions and group 
> ownership is rather on the platform-dependent side.
> How often do such upload requests come in ? I'm thinking that if this is 
> a single-platform solution, and file uploads don't come up tens per 
> second at a time, it may be possible (though I also don't know how) to 
> simply execute an OS-level command (chmod 0xxx filename; chgroup xxxxx 
> filename) from within a Tomcat webapp, or a servlet filter that would 
> run after the webapp.
> 
> Otherwise, ACLs are complicated in terms of understanding the 
> documentation of setfacl; but once you have it down, it is after all 
> only a matter of running a single setfacl command once on each of your 
> target directories. And it has the advantage of being done totally 
> outside of your webapp, once and for all. It "sticks" to the directory, 
> not to your code.
> 
> 
> 

Re: running tomcat with root user.....umask in jsvc?

Posted by Christopher Schultz <ch...@christopherschultz.net>.

André,

I know I'm a bit late, but...

André Warnier wrote:
> André Warnier wrote:
>> epicwinter@hotmail.com wrote:
>>> You are correct, I found a setting that relaxes the group access
>>> permissions on the jailkit. Now I just have one more problem.  When
>>> tomcat creates files in these user directories I need the permissions
>>> to be set appropriately.  What is the best way to set the umask value
>>> when running tomcat using jsvc?
>
> Replying to myself : upon further reflection, I am not even sure that
> Java would have a method to do this, since it is supposed to be
> platform-independent, and setting filesystem permissions and group
> ownership is rather on the platform-dependent side.

Correct: Java does not provide any permissions-adjusting behavior except
things like "read-only" through the java.io.File class.

On the other hand, the umask of the JVM process should be whatever the
umask was for the shell that started it. So, if the umask is 022, you
should get files that are readable by anyone. Is that not what you are
experiencing, epicwinter?

-chris



Re: running tomcat with root user.....umask in jsvc?

Posted by André Warnier <aw...@ice-sa.com>.
André Warnier wrote:
> epicwinter@hotmail.com wrote:
>> You are correct, I found a setting that relaxes the group access 
>> permissions on the jailkit. 
>> Now I just have one more problem.  When tomcat creates files in these 
>> user directories I need the permissions to be set appropriately.  What 
>> is the best way to set the umask value when running tomcat using jsvc?
>>
> That's a good question.
> I don't think jsvc would take any account of the Tomcat user's .profile 
> file.
> ACLs would allow you to do that however :-)
> (Seriously, I believe you can set an ACL on the target directory that 
> would make it so that when this particular user (Tomcat) creates a file 
> there, it has by default a given set of permissions).
> Otherwise, you might have to do some kind of chmod from within your 
> webapp itself, after it creates the file. I don't know what Java method 
> that would be.
> 
Replying to myself : upon further reflection, I am not even sure that 
Java would have a method to do this, since it is supposed to be 
platform-independent, and setting filesystem permissions and group 
ownership is rather on the platform-dependent side.
How often do such upload requests come in ? I'm thinking that if this is 
a single-platform solution, and file uploads don't come up tens per 
second at a time, it may be possible (though I also don't know how) to 
simply execute an OS-level command (chmod 0xxx filename; chgroup xxxxx 
filename) from within a Tomcat webapp, or a servlet filter that would 
run after the webapp.

Otherwise, ACLs are complicated in terms of understanding the 
documentation of setfacl; but once you have it down, it is after all 
only a matter of running a single setfacl command once on each of your 
target directories. And it has the advantage of being done totally 
outside of your webapp, once and for all. It "sticks" to the directory, 
not to your code.



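The default-ACL approach described above, as an added shell example that is not part of the original message: the process keeps umask 022 and only the upload directory hands out group write. It assumes `setfacl`, GNU `stat` and a filesystem with POSIX ACLs; `acl_upload_demo` and the paths are constructed, and the directory's owning group stands in for the thread's sharedgroup.

```shell
#!/bin/sh
# Added example (not from the thread). Paths are constructed under a temporary
# directory; the directory's owning group stands in for the thread's sharedgroup.

# Prints the modes of: a log file, an uploaded file, a new subdirectory and a
# file inside it, all created under umask 022. Prints "unsupported" when
# setfacl is missing or the filesystem rejects POSIX ACLs.
acl_upload_demo() (
    command -v setfacl >/dev/null 2>&1 || { echo unsupported; exit 0; }
    umask 022
    root=$(mktemp -d) || exit 1
    mkdir -p "$root/logs" "$root/upload"
    chmod 770 "$root/upload"     # access bits of the directory itself

    # -d writes the *default* ACL: the template for everything created below.
    # o::--- is tighter than what umask 002 alone would give (other: r--).
    if ! setfacl -d -m u::rwx,g::rwx,o::--- "$root/upload" 2>/dev/null; then
        rm -rf "$root"; echo unsupported; exit 0
    fi

    : > "$root/logs/catalina.out"          # no default ACL here: umask applies
    : > "$root/upload/report.dat"          # default ACL applies, umask ignored
    mkdir "$root/upload/2009-02"           # inherits the default ACL itself
    : > "$root/upload/2009-02/nested.dat"

    printf '%s %s %s %s\n' \
        "$(stat -c %a "$root/logs/catalina.out")" \
        "$(stat -c %a "$root/upload/report.dat")" \
        "$(stat -c %a "$root/upload/2009-02")" \
        "$(stat -c %a "$root/upload/2009-02/nested.dat")"
    rm -rf "$root"
)
```

The log file stays at 644 because the umask still governs it, while everything under the upload directory gets its group bits from the default ACL.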


Re: running tomcat with root user.....umask in jsvc?

Posted by André Warnier <aw...@ice-sa.com>.
epicwinter@hotmail.com wrote:
> You are correct, I found a setting that relaxes the group access permissions on the jailkit.  
> 
> Now I just have one more problem.  When tomcat creates files in these user directories I need the permissions to be set appropriately.  What is the best way to set the umask value when running tomcat using jsvc?
> 
That's a good question.
I don't think jsvc would take any account of the Tomcat user's .profile 
file.
ACLs would allow you to do that however :-)
(Seriously, I believe you can set an ACL on the target directory that 
would make it so that when this particular user (Tomcat) creates a file 
there, it has by default a given set of permissions).
Otherwise, you might have to do some kind of chmod from within your 
webapp itself, after it creates the file. I don't know what Java method 
that would be.

