Posted to users@tomcat.apache.org by Guenther Starnberger <gs...@atnet.at> on 2002/07/25 20:52:59 UTC

virtual hosting questions

hello list,

i am having trouble to configure tomcat (on linux) to support several
vhosts for untrusted users. (i can't find any good documentation on
this topic).

currently i am using the mod_webapp apache module.

in server.xml i did configure one engine:

<Engine className="org.apache.catalina.connector.warp.WarpEngine" name="tomcat.sysfrog.org" debug="0">

and several subvhosts (under this engine):

<Host name="test3.sysfrog.org" debug="0" appBase="/home/web/test3.sysfrog.org/webapps" unpackWARs="false" />

the configuration seems to work, but i can't find any documentation
about security aspects.

is this configuration "safe", or would users have the possibility to
affect other users vhosts. should i use one engine per user?

do i need any additional security settings to e.g. prevent users from
deleting files owned by the tomcat uid?

how can i define one tomcat-users.xml per virtual host? are there any
major disadvantages when using a shared tomcat instance?

references to good documentation/books on this topic would be greatly
appreciated.

/gst

-- 
sysfrog.org

--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


Re: virtual hosting questions

Posted by Guenther Starnberger <gs...@atnet.at>.
"Nikola Milutinovic" <Ni...@ev.co.yu> writes:

hello,

> If you're running Tomcat-standalone, then you need <Host> elements,
> but in Warp it should work without them. I think Warp Engine should
> ignore <Host> elements. Or maybe it doesn't. Maybe it is used to
> setup different "appBase"-s for each of the vhosts.

yop... i use it for the appBase's.

> > do i need any additional security settings to e.g. prevent users
> > from deleting files owned by the tomcat uid?

> You'd have this problem with Apache VHost as well. How do you make
> it possible for one user (httpd) to access directories in several
> other users' homes and still prevent individual users access to each
> other's files? I'm using ACLs on Tru64 UNIX for that. Does Linux have
> ACLs? (Access Control List, just like on Windows NT or, originally,
> on VMS).

one possibility would be to put all users in the same group and
disallow all access rights to the group. read access for "others"
would be set, so that apache which isn't in the same group as the user
does have the possibility to read the files.

there are several acl patches for linux too, but i haven't tried them
out yet.

> I make each vhost user a member of group "httpd", make his
> public_html accessible to group (to let Apache in), his home dir is
> set to "rwx------" + ACL "user:httpd:r-x". That way I have
> security. For Tomcat, I'd make tomcat user a member of "httpd"
> group, add ACL for "user:tomcat:r-x" and set $USER/webapp to have
> rwxr-x--- access rights, just like public_html.

hmm.. with apache i only use suexec for all cgi and php stuff. when
using tomcat each user does have the possibility to execute java code
under the tomcat uid.

according to the docs (haven't tried it out yet) i can set a security
policy in catalina.policy. is this enough to prevent users to snoop on
other users via tomcat? is there something similar to php's safemode
where each user can only read files owned by his uid?

cu
/gst





Re: virtual hosting questions

Posted by August Detlefsen <au...@yahoo.com>.
--- Nikola Milutinovic <Ni...@ev.co.yu> wrote:
> 
> > how can i define one tomcat-users.xml per virtual host? are there any
> > major disadvantages when using a shared tomcat instance?
> 
> You can't. If you really want security, you should be running one
> Tomcat instance per VHost. That way even if one engine crashes,
> others will continue to run. Not to mention that if one webapp runs
> astray, creating threads, it will swamp only that VHost. Of course,
> this is for extreme requirements, only.

You can... 

Within each <Host> you can specify a MemoryRealm like this: 

      <Host name="www.mysite.net" debug="0"
            appBase="/path/to/www.mysite.net" unpackWARs="true">

        <Realm className="org.apache.catalina.realm.MemoryRealm"
               digest="MD5"
               pathname="/path/to/www.mysite.net/WEB-INF/tomcat-users.xml" />

      </Host>

If you specify an additional MemoryRealm outside of your Host elements
it will be shared by all vhosts and will look for its users in
$CATALINA_HOME/conf/tomcat-users.xml

-August
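
An added example, not part of the original posts: a Python audit of the per-<Host> realm layout described in the message above. It flags hosts that fall back to the shared realm, realm files that live outside the host's own appBase, and appBase directories nested inside another host's. The sample configuration, host names and paths are constructed, and absolute paths are assumed.

```python
import posixpath
import xml.etree.ElementTree as ET

# Constructed sample modelled on the <Host>/<Realm> snippets in this thread;
# host names and paths are placeholders, not a real deployment.
SAMPLE_SERVER_XML = """<Engine name="shared">
  <Realm className="org.apache.catalina.realm.MemoryRealm" />
  <Host name="a.example.org" appBase="/home/web/a.example.org/webapps">
    <Realm className="org.apache.catalina.realm.MemoryRealm"
           pathname="/home/web/a.example.org/webapps/WEB-INF/tomcat-users.xml" />
  </Host>
  <Host name="b.example.org" appBase="/home/web/b.example.org/webapps" />
  <Host name="c.example.org" appBase="/home/web/a.example.org/webapps/c">
    <Realm className="org.apache.catalina.realm.MemoryRealm"
           pathname="/home/web/b.example.org/webapps/WEB-INF/tomcat-users.xml" />
  </Host>
</Engine>"""

def _inside(path, base):
    """True if path equals base or lies below it (purely lexical check)."""
    path, base = posixpath.normpath(path), posixpath.normpath(base)
    return path == base or path.startswith(base.rstrip("/") + "/")

def audit_hosts(server_xml):
    """Return (host, finding) pairs for realm and appBase isolation problems."""
    root = ET.fromstring(server_xml)
    hosts = [(h.get("name"), h.get("appBase", ""), h.find("Realm"))
             for h in root.iter("Host")]
    findings = []
    for name, app_base, realm in hosts:
        if realm is None:
            # No realm of its own: the host uses the one shared by all vhosts.
            findings.append((name, "no-own-realm"))
        elif not realm.get("pathname"):
            # MemoryRealm without pathname reads the shared conf/tomcat-users.xml.
            findings.append((name, "realm-uses-default-users-file"))
        elif not _inside(realm.get("pathname"), app_base):
            findings.append((name, "realm-file-outside-appBase"))
        for other, other_base, _ in hosts:
            if other != name and _inside(app_base, other_base):
                findings.append((name, "appBase-inside-" + other))
    return findings

if __name__ == "__main__":
    for host, finding in audit_hosts(SAMPLE_SERVER_XML):
        print(host, finding)
```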



Re: virtual hosting questions

Posted by Nikola Milutinovic <Ni...@ev.co.yu>.
> i am having trouble to configure tomcat (on linux) to support several
> vhosts for untrusted users. (i can't find any good documentation on
> this topic).

It is truly lacking.

> currently i am using the mod_webapp apache module.
> in server.xml i did configure one engine:
> 
> <Engine className="org.apache.catalina.connector.warp.WarpEngine" name="tomcat.sysfrog.org" debug="0">
> 
> and several subvhosts (under this engine):
> 
> <Host name="test3.sysfrog.org" debug="0" appBase="/home/web/test3.sysfrog.org/webapps" unpackWARs="false" />

Is this necessary? My understanding of WARP connection is that you don't need <Host> elements in it. You just need one <Engine> per WarpConnection statement in Apache and then you WebAppDeploy a desired context. Since Apache will be handling all HTTP elements, like VHost and similar, there is no need for additional definition in Tomcat.

If you're running Tomcat-standalone, then you need <Host> elements, but in Warp it should work without them. I think Warp Engine should ignore <Host> elements. Or maybe it doesn't. Maybe it is used to setup different "appBase"-s for each of the vhosts.

Any comments?

> the configuration seems to work, but i can't find any documentation
> about security aspects.
> 
> is this configuration "safe", or would users have the possibility to
> affect other users vhosts. should i use one engine per user?

There should/must be one engine/connector/service per Apache's WebAppConnection, the way I understand it. You are absolutely right, the documentation is painfully lacking. Even the example in server.xml is insufficient.

> do i need any additional security settings to e.g. prevent users from
> deleting files owned by the tomcat uid?

You'd have this problem with Apache VHost as well. How do you make it possible for one user (httpd) to access directories in several other users' homes and still prevent individual users access to each other's files? I'm using ACLs on Tru64 UNIX for that. Does Linux have ACLs? (Access Control List, just like on Windows NT or, originally, on VMS).

I make each vhost user a member of group "httpd", make his public_html accessible to group (to let Apache in), his home dir is set to "rwx------" + ACL "user:httpd:r-x". That way I have security. For Tomcat, I'd make tomcat user a member of "httpd" group, add ACL for "user:tomcat:r-x" and set $USER/webapp to have rwxr-x--- access rights, just like public_html.

> how can i define one tomcat-users.xml per virtual host? are there any
> major disadvantages when using a shared tomcat instance?

You can't. If you really want security, you should be running one Tomcat instance per VHost. That way even if one engine crashes, others will continue to run. Not to mention that if one webapp runs astray, creating threads, it will swamp only that VHost. Of course, this is for extreme requirements, only.

> references to good documentation/books on this topic would be greatly
> appreciated.

Same here.

Nix.
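
An added example, not part of the original posts: a Python check that a vhost user's home and webapp tree still match the mode-bit half of the scheme described in the message above (no access for "other", no group write). The function name and finding labels are made up for this example; ACL entries are not visible through os.stat and are not inspected.

```python
import os
import stat

def audit_vhost_modes(home, webapp):
    """Return (path, problem) pairs for entries that deviate from the scheme:
    home rwx------ (plus ACL) and webapp tree rwxr-x---.

    On Linux a directory carrying an ACL reports the ACL mask in its group
    bits, so the home directory is only checked for 'other' access and for
    group write, not for an exact 0700 mode.
    """
    paths = [home, webapp]
    for dirpath, dirnames, filenames in os.walk(webapp):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]

    findings = []
    for path in paths:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # symlink mode bits carry no meaning on Linux
        mode = stat.S_IMODE(st.st_mode)
        if mode & stat.S_IRWXO:
            # Any r/w/x bit for "other" lets every local account in.
            findings.append((path, "other-access"))
        if mode & stat.S_IWGRP:
            # The server's group only needs r-x; write is beyond the scheme.
            findings.append((path, "group-writable"))
    return findings

if __name__ == "__main__":
    import sys
    # Usage: script.py <home dir> <webapp dir>
    for path, problem in audit_vhost_modes(sys.argv[1], sys.argv[2]):
        print(stat.filemode(os.lstat(path).st_mode), problem, path)
```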