You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Sonja Löhr <so...@t-online.de> on 2003/09/01 16:19:49 UTC
permissions for Tomcat+Apache integration
Hello!
Here is my second question, now concerning Apache+Tomcat integration on
Linux:
Could someone tell me a reasonable users, groups and file permissions
structure for apache, the tomcat-files itself and a typical webapp? - Java
security aside.
1. Is it a good idea at all to place the webapps under apache's document
root, having to care about all WEB-INF and other sensible directories with
"deny from all" ?
2. Which account in which group?
Apache needs access to static files somewhere in the webapp. (Which may be
very dispersed f.e. in case of cocoon).
If a "tomcat" user and the "apache" user account are in the same group with
restricted permissions, I can't assign permissions to a group of developers,
just another owner (me ;-). Ok, may it be. Additionally, if tomcat unpacks
war files, all resulting directories are owned by tomcat alone. So should I
put the "apache user into the "tomcat" group?
3.How paranoid must I be about tomcat-files (server-directory f.e)?
Tomcat needs write access to some directories, but certainly I don't know
all processes tomcat.
You probably guess by now that I'm not grown up with Unix-systems.
Spent my whole sunday with chmod and chown, now I would be very happy if
someone told me something SIMPLE :-)
Thank you,
Sonja
Re: permissions for Tomcat+Apache integration
Posted by Sonja Löhr <so...@t-online.de>.
With the users: I thought of this strategy (one usr for both), too. Then
one must be able to log-in or "su" to the apache-user to start tomcat,
which I disallowed (book-advice ;-) by now. Or is there a way let apache
start tomcat?
> Could you clarify?
I hardly have any JSPs by now.
We unfortunately have a directory with needed files outside WEB-INF,
which I will change.
The other thing I meant was that I find it difficult to write the [uri:]
directives when Cocoon-Apps are involved - I think I would have to adopt
the URIs used in cocoon-pipelines (and the directory structure) to the
apache+tomcat task, too, they almost never have to do anything with the
filesystem.
Sonja
Am Die, 2003-09-02 um 14.50 schrieb John Turner:
> Could you clarify?
>
> If you are using Apache, and you have *.jsp mapped correctly, your
> "programming resources" won't be shown to the world.
>
> Since all servlets are under WEB-INF, all you have to be concerned about
> are JSP. Properties files, etc. go under WEB-INF, as well. Applciation
> architecture best practices says don't put anything critical in a JSP,
> so what's the big risk?
>
> Going back to your earlier question, I simply set up a certain user
> account for both Apache and Tomcat. "webuser" or whatever. That user
> has restricted permissions and is a member of its own group (also
> "webuser" or whatever). Apache and Tomcat run as this user. Since
> developers should never have access to the command line on a production
> server, there's no problem.
>
> John
>
> Sonja Löhr wrote:
>
> > You are very right in that my greatest problem is to work out a pattern
> > where to find the "static content" hides that Apache could perhaps serve a
> > bit faster. Unfortunately, I can't tell Apache to serve ".gif" etc. but
> > must come the other way round, perhaps ending up with URLs to single
> > servlets.
> > Many people cite security-reasons for the integration of the two, but all
> > I've been bothered up to now is how to prevent Apache to show my programming
> > ressources to the world (those unfortunately not located in WEB-INF).
> >
> > I'll be thinking about doing it separately, you really calmed me down :-)
> > thanks very much
> > Sonja
> >
> >
> >
> > ----- Original Message -----
> > From: "Eric J. Pinnell" <er...@iCky.org>
> > To: "Tomcat Users List" <to...@jakarta.apache.org>
> > Sent: Monday, September 01, 2003 4:28 PM
> > Subject: Re: permissions for Tomcat+Apache integration
> >
> >
> > Hi,
> >
> > The question is do you need to secure your application from the outside
> > world or do you need to secure it from users that might be logging on to
> > your system? Or both?
> >
> > Usually you want to go with the "both" scenerio.
> >
> > But to keep it simple, pick a user that you want tomcat to run as. Untar
> > Tomcat and chown -R tomcat jakarta-4.x.x (if the user is named "tomcat"
> > which isn't a bad name for the Tomcat user ;)
> >
> > Then just run it. It will be ok just like that. If you are running
> > Tomcat and Apache on the same machine really look at why you are running
> > Apache at all. It's a popular misconception that you _must_ run Apache in
> > front of Tomcat. That couldn't be more wrong. Running Tomcat alone will
> > save you the hassle of Apache and the connectors. However you do need to
> > run Apache if you are going to use load balanceing and the apache
> > modules. However most times people just have Apache pipe everything back
> > to Tomcat. In this case you don't need Apache at all.
> >
> > -e
> >
> > On Mon, 1 Sep 2003, [iso-8859-1] Sonja Löhr wrote:
> >
> >
> >>Hello!
> >>
> >>Here is my second question, now concerning Apache+Tomcat integration on
> >>Linux:
> >>Could someone tell me a reasonable users, groups and file permissions
> >>structure for apache, the tomcat-files itself and a typical webapp? -
> >
> > Java
> >
> >>security aside.
> >>
> >>1. Is it a good idea at all to place the webapps under apache's document
> >>root, having to care about all WEB-INF and other sensible directories with
> >>"deny from all" ?
> >>
> >>2. Which account in which group?
> >>Apache needs access to static files somewhere in the webapp. (Which may be
> >>very dispersed f.e. in case of cocoon).
> >> If a "tomcat" user and the "apache" user account are in the same group
> >
> > with
> >
> >>restricted permissions, I can't assign permissions to a group of
> >
> > developers,
> >
> >>just another owner (me ;-). Ok, may it be. Additionally, if tomcat
> >
> > unpacks
> >
> >>war files, all resulting directories are owned by tomcat alone. So should
> >
> > I
> >
> >>put the "apache user into the "tomcat" group?
> >>
> >>3.How paranoid must I be about tomcat-files (server-directory f.e)?
> >>Tomcat needs write access to some directories, but certainly I don't know
> >>all processes tomcat.
> >>
> >>You probably guess by now that I'm not grown up with Unix-systems.
> >>Spent my whole sunday with chmod and chown, now I would be very happy if
> >>someone told me something SIMPLE :-)
> >>
> >>Thank you,
> >>Sonja
> >>
> >>
> >>
> >>
> >>---------------------------------------------------------------------
> >>To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> >>For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> >>
> >>
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> > For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> > For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> >
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>
Re: permissions for Tomcat+Apache integration
Posted by John Turner <to...@johnturner.com>.
Could you clarify?
If you are using Apache, and you have *.jsp mapped correctly, your
"programming resources" won't be shown to the world.
Since all servlets are under WEB-INF, all you have to be concerned about
are JSP. Properties files, etc. go under WEB-INF, as well. Applciation
architecture best practices says don't put anything critical in a JSP,
so what's the big risk?
Going back to your earlier question, I simply set up a certain user
account for both Apache and Tomcat. "webuser" or whatever. That user
has restricted permissions and is a member of its own group (also
"webuser" or whatever). Apache and Tomcat run as this user. Since
developers should never have access to the command line on a production
server, there's no problem.
John
Sonja Löhr wrote:
> You are very right in that my greatest problem is to work out a pattern
> where to find the "static content" hides that Apache could perhaps serve a
> bit faster. Unfortunately, I can't tell Apache to serve ".gif" etc. but
> must come the other way round, perhaps ending up with URLs to single
> servlets.
> Many people cite security-reasons for the integration of the two, but all
> I've been bothered up to now is how to prevent Apache to show my programming
> ressources to the world (those unfortunately not located in WEB-INF).
>
> I'll be thinking about doing it separately, you really calmed me down :-)
> thanks very much
> Sonja
>
>
>
> ----- Original Message -----
> From: "Eric J. Pinnell" <er...@iCky.org>
> To: "Tomcat Users List" <to...@jakarta.apache.org>
> Sent: Monday, September 01, 2003 4:28 PM
> Subject: Re: permissions for Tomcat+Apache integration
>
>
> Hi,
>
> The question is do you need to secure your application from the outside
> world or do you need to secure it from users that might be logging on to
> your system? Or both?
>
> Usually you want to go with the "both" scenerio.
>
> But to keep it simple, pick a user that you want tomcat to run as. Untar
> Tomcat and chown -R tomcat jakarta-4.x.x (if the user is named "tomcat"
> which isn't a bad name for the Tomcat user ;)
>
> Then just run it. It will be ok just like that. If you are running
> Tomcat and Apache on the same machine really look at why you are running
> Apache at all. It's a popular misconception that you _must_ run Apache in
> front of Tomcat. That couldn't be more wrong. Running Tomcat alone will
> save you the hassle of Apache and the connectors. However you do need to
> run Apache if you are going to use load balanceing and the apache
> modules. However most times people just have Apache pipe everything back
> to Tomcat. In this case you don't need Apache at all.
>
> -e
>
> On Mon, 1 Sep 2003, [iso-8859-1] Sonja Löhr wrote:
>
>
>>Hello!
>>
>>Here is my second question, now concerning Apache+Tomcat integration on
>>Linux:
>>Could someone tell me a reasonable users, groups and file permissions
>>structure for apache, the tomcat-files itself and a typical webapp? -
>
> Java
>
>>security aside.
>>
>>1. Is it a good idea at all to place the webapps under apache's document
>>root, having to care about all WEB-INF and other sensible directories with
>>"deny from all" ?
>>
>>2. Which account in which group?
>>Apache needs access to static files somewhere in the webapp. (Which may be
>>very dispersed f.e. in case of cocoon).
>> If a "tomcat" user and the "apache" user account are in the same group
>
> with
>
>>restricted permissions, I can't assign permissions to a group of
>
> developers,
>
>>just another owner (me ;-). Ok, may it be. Additionally, if tomcat
>
> unpacks
>
>>war files, all resulting directories are owned by tomcat alone. So should
>
> I
>
>>put the "apache user into the "tomcat" group?
>>
>>3.How paranoid must I be about tomcat-files (server-directory f.e)?
>>Tomcat needs write access to some directories, but certainly I don't know
>>all processes tomcat.
>>
>>You probably guess by now that I'm not grown up with Unix-systems.
>>Spent my whole sunday with chmod and chown, now I would be very happy if
>>someone told me something SIMPLE :-)
>>
>>Thank you,
>>Sonja
>>
>>
>>
>>
>>---------------------------------------------------------------------
>>To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
>>For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>>
>>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>
Re: permissions for Tomcat+Apache integration
Posted by Sonja Löhr <so...@t-online.de>.
You are very right in that my greatest problem is to work out a pattern
where to find the "static content" hides that Apache could perhaps serve a
bit faster. Unfortunately, I can't tell Apache to serve ".gif" etc. but
must come the other way round, perhaps ending up with URLs to single
servlets.
Many people cite security-reasons for the integration of the two, but all
I've been bothered up to now is how to prevent Apache to show my programming
ressources to the world (those unfortunately not located in WEB-INF).
I'll be thinking about doing it separately, you really calmed me down :-)
thanks very much
Sonja
----- Original Message -----
From: "Eric J. Pinnell" <er...@iCky.org>
To: "Tomcat Users List" <to...@jakarta.apache.org>
Sent: Monday, September 01, 2003 4:28 PM
Subject: Re: permissions for Tomcat+Apache integration
Hi,
The question is do you need to secure your application from the outside
world or do you need to secure it from users that might be logging on to
your system? Or both?
Usually you want to go with the "both" scenerio.
But to keep it simple, pick a user that you want tomcat to run as. Untar
Tomcat and chown -R tomcat jakarta-4.x.x (if the user is named "tomcat"
which isn't a bad name for the Tomcat user ;)
Then just run it. It will be ok just like that. If you are running
Tomcat and Apache on the same machine really look at why you are running
Apache at all. It's a popular misconception that you _must_ run Apache in
front of Tomcat. That couldn't be more wrong. Running Tomcat alone will
save you the hassle of Apache and the connectors. However you do need to
run Apache if you are going to use load balanceing and the apache
modules. However most times people just have Apache pipe everything back
to Tomcat. In this case you don't need Apache at all.
-e
On Mon, 1 Sep 2003, [iso-8859-1] Sonja Löhr wrote:
> Hello!
>
> Here is my second question, now concerning Apache+Tomcat integration on
> Linux:
> Could someone tell me a reasonable users, groups and file permissions
> structure for apache, the tomcat-files itself and a typical webapp? -
Java
> security aside.
>
> 1. Is it a good idea at all to place the webapps under apache's document
> root, having to care about all WEB-INF and other sensible directories with
> "deny from all" ?
>
> 2. Which account in which group?
> Apache needs access to static files somewhere in the webapp. (Which may be
> very dispersed f.e. in case of cocoon).
> If a "tomcat" user and the "apache" user account are in the same group
with
> restricted permissions, I can't assign permissions to a group of
developers,
> just another owner (me ;-). Ok, may it be. Additionally, if tomcat
unpacks
> war files, all resulting directories are owned by tomcat alone. So should
I
> put the "apache user into the "tomcat" group?
>
> 3.How paranoid must I be about tomcat-files (server-directory f.e)?
> Tomcat needs write access to some directories, but certainly I don't know
> all processes tomcat.
>
> You probably guess by now that I'm not grown up with Unix-systems.
> Spent my whole sunday with chmod and chown, now I would be very happy if
> someone told me something SIMPLE :-)
>
> Thank you,
> Sonja
>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
Re: permissions for Tomcat+Apache integration
Posted by "Eric J. Pinnell" <er...@iCky.org>.
Hi,
The question is do you need to secure your application from the outside
world or do you need to secure it from users that might be logging on to
your system? Or both?
Usually you want to go with the "both" scenerio.
But to keep it simple, pick a user that you want tomcat to run as. Untar
Tomcat and chown -R tomcat jakarta-4.x.x (if the user is named "tomcat"
which isn't a bad name for the Tomcat user ;)
Then just run it. It will be ok just like that. If you are running
Tomcat and Apache on the same machine really look at why you are running
Apache at all. It's a popular misconception that you _must_ run Apache in
front of Tomcat. That couldn't be more wrong. Running Tomcat alone will
save you the hassle of Apache and the connectors. However you do need to
run Apache if you are going to use load balanceing and the apache
modules. However most times people just have Apache pipe everything back
to Tomcat. In this case you don't need Apache at all.
-e
On Mon, 1 Sep 2003, [iso-8859-1] Sonja Löhr wrote:
> Hello!
>
> Here is my second question, now concerning Apache+Tomcat integration on
> Linux:
> Could someone tell me a reasonable users, groups and file permissions
> structure for apache, the tomcat-files itself and a typical webapp? - Java
> security aside.
>
> 1. Is it a good idea at all to place the webapps under apache's document
> root, having to care about all WEB-INF and other sensible directories with
> "deny from all" ?
>
> 2. Which account in which group?
> Apache needs access to static files somewhere in the webapp. (Which may be
> very dispersed f.e. in case of cocoon).
> If a "tomcat" user and the "apache" user account are in the same group with
> restricted permissions, I can't assign permissions to a group of developers,
> just another owner (me ;-). Ok, may it be. Additionally, if tomcat unpacks
> war files, all resulting directories are owned by tomcat alone. So should I
> put the "apache user into the "tomcat" group?
>
> 3.How paranoid must I be about tomcat-files (server-directory f.e)?
> Tomcat needs write access to some directories, but certainly I don't know
> all processes tomcat.
>
> You probably guess by now that I'm not grown up with Unix-systems.
> Spent my whole sunday with chmod and chown, now I would be very happy if
> someone told me something SIMPLE :-)
>
> Thank you,
> Sonja
>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>
>