Posted to users@tomcat.apache.org by Andres Riancho <an...@gmail.com> on 2015/12/03 14:42:40 UTC

Tomcat log files - Strict permissions - setuid

List,

    I'm trying to secure my tomcat instances. One of the steps I took
was to run the tomcat process using the non-privileged "tomcat" user,
and set the file system permissions as restrictive as possible. It all
works well, but there is something missing: "The tomcat user is able
to read the access log files":

root@7083cdc8e2fc:/apps/tomcat/logs# ls -la
...
-rw-rw----  1 tomcat tomcat    0 Dec  1 19:46 0.0.0.0_access_log.2015-12-01.txt

    Is there any way to configure tomcat to be able to write to the
access log file, but have the file owned by root with permissions 600?
I understand that this is done by starting the tomcat process as root
and then dropping privileges using setuid() , but was unable to find
something already built / well documented.

    Ideas?

Regards,
-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Tomcat log files - Strict permissions - setuid

Posted by "Mark H. Wood" <mw...@IUPUI.Edu>.
On Thu, Dec 03, 2015 at 10:42:40AM -0300, Andres Riancho wrote:
> List,
> 
>     I'm trying to secure my tomcat instances. One of the steps I took
> was to run the tomcat process using the non-privileged "tomcat" user,
> and set the file system permissions as restrictive as possible. It all
> works well, but there is something missing: "The tomcat user is able
> to read the access log files":
> 
> root@7083cdc8e2fc:/apps/tomcat/logs# ls -la
> ...
> -rw-rw----  1 tomcat tomcat    0 Dec  1 19:46 0.0.0.0_access_log.2015-12-01.txt

One fancier approach would be to configure a log sink which passes
records to another process through a socket -- syslog, for example.
There are syslog Handler implementations for java.util.logging, or you
could cook up a custom log recorder to receive from the stock
j.u.l.SocketHandler, or you could configure Tomcat to use
slf4j/logback and its syslog appender.  This will not be simple but it
will be quite adaptable.  You should probably look at simpler methods
first.

>     Is there any way to configure tomcat to be able to write to the
> access log file, but have the file owned by root with permissions 600?
> I understand that this is done by starting the tomcat process as root
> and then dropping privileges using setuid() , but was unable to find
> something already built / well documented.

That is what the Commons Daemon tool (jsvc) is for.  That should be a
lot simpler.

-- 
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu

Re: Tomcat log files - Strict permissions - setuid

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Andres,

On 12/3/15 8:42 AM, Andres Riancho wrote:
> List,
> 
>     I'm trying to secure my tomcat instances. One of the steps I took
> was to run the tomcat process using the non-privileged "tomcat" user,
> and set the file system permissions as restrictive as possible. It all
> works well, but there is something missing: "The tomcat user is able
> to read the access log files":
> 
> root@7083cdc8e2fc:/apps/tomcat/logs# ls -la
> ...
> -rw-rw----  1 tomcat tomcat    0 Dec  1 19:46 0.0.0.0_access_log.2015-12-01.txt
> 
>     Is there any way to configure tomcat to be able to write to the
> access log file, but have the file owned by root with permissions 600?
> I understand that this is done by starting the tomcat process as root
> and then dropping privileges using setuid() , but was unable to find
> something already built / well documented.

How do you launch Tomcat? If you use the scripts, you could use
something like bin/setenv.sh to check the permissions of the log files
and refuse to start if they aren't the way you want them.

For files that don't already exist, you'll have to refuse to start if
they don't exist, because a process can't create a new file owned by
another user. You'd have to disable file-rotation because of the same
problem.

Are you more worried about a hostile web application running within your
server, a hostile remote user, a vulnerability in a web application, or
a vulnerability in Tomcat?

-chris
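
The pre-start check suggested in the reply above, sketched as an added example that is not part of the original thread or of Tomcat's own scripts. The function name `check_log_perms`, the log file name, and the owner and mode values are assumptions, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example: a check meant to be placed in bin/setenv.sh, which
# catalina.sh sources before launching the JVM, so "exit 1" stops startup.
#
# check_log_perms DIR OWNER MODE FILE...
# Returns 0 only if every FILE exists in DIR as a regular file (not a
# symlink), is owned by OWNER, and has exactly the octal MODE.
check_log_perms() {
    dir=$1
    owner=$2
    mode=$3
    shift 3
    rc=0
    for name in "$@"; do
        path=$dir/$name
        # A missing file cannot be created with another user's ownership
        # by the unprivileged process, so treat it as a failure as well.
        if [ -L "$path" ] || [ ! -f "$path" ]; then
            echo "refusing to start: $path missing or not a regular file" >&2
            rc=1
            continue
        fi
        # GNU stat assumed: %U = owner name, %a = octal permission bits.
        actual=$(stat -c '%U %a' "$path") || { rc=1; continue; }
        if [ "$actual" != "$owner $mode" ]; then
            echo "refusing to start: $path is '$actual', want '$owner $mode'" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage inside setenv.sh. The file name, owner and mode are placeholders;
# with rotation disabled the access log keeps one fixed name.
#   check_log_perms "$CATALINA_BASE/logs" tomcat 600 access_log.txt || exit 1
```

The check only reports the state at startup; it does not stop the running process from changing a file it owns afterwards.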
