Posted to users@tomcat.apache.org by jwklomp <ja...@gmail.com> on 2011/12/14 10:05:24 UTC

Tomcat 6: what are the risks of not using Security Manager

Hello,

I'm migrating existing applications to Tomcat and setting Tomcat up as
described in the 'Security Configuration Benchmark for Apache Tomcat
5.5/6.0' of the Center of Internet Security. 

The benchmark recommends enabling the Security Manager. However, I'm
experiencing that none of the apps run 'out of the box' with the Security
Manager enabled. I'm contemplating not activating it, but find it hard
to estimate the risk.

Our Security department is worried that without the Security Manager
enabled, hackers can gain access to restricted packages, take control over
Tomcat and 'hop' to other applications and machines (so basically this would
imply activating the Security Manager for all applications). 

My question is: how secure is Tomcat without the Security Manager enabled
(assuming other points from the CIS benchmark have been implemented). Is the
Security Manager the guard against 'hopping' to other applications, or does
Tomcat without the Security Manager already prevent this?
 
Regards, Jan-Willem
-- 
View this message in context: http://old.nabble.com/Tomcat-6%3A-what-are-the-risks-of-not-using-Security-Manager-tp32973301p32973301.html
Sent from the Tomcat - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Tomcat 6: what are the risks of not using Security Manager

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jan-Willem,

On 12/14/11 4:05 AM, jwklomp wrote:
> I'm migrating existing applications to Tomcat and setting Tomcat up
> as described in the 'Security Configuration Benchmark for Apache
> Tomcat 5.5/6.0' of the Center of Internet Security.
> 
> The benchmark recommends enabling the Security Manager. However,
> I'm experiencing that none of the apps run 'out of the box' with
> the Security Manager enabled. I'm contemplating not activating it,
> but find it hard to estimate the risk.

I'll weigh in, too, without having read Mark's and Chuck's replies yet.

First, running Tomcat itself under a SecurityManager should work
without any problems at all, provided you launch it with the
"-security" argument when calling catalina.sh (or whatever method is
appropriate for your environment) because the catalina.policy file
that ships with Tomcat will allow Tomcat to perform all necessary
operations.

On the other hand, most non-trivial web applications need to be
able to do a handful of things, such as:

* Connect to a JDBC database
* Write log files
* Request files from a remote site (think XML DTDs or XSDs)

You will be responsible for modifying the catalina.policy file to
allow your web application to perform such operations. You may find
that configuration is such a headache (there are many permissions, and
they tend to pile-up on each other) that the result is a
SecurityManager policy that essentially allows all permissions to all
code. Such a configuration is no better than having no SecurityManager
running at all. In fact, it's worse for two reasons:

1. Performance takes a hit for all the permissions checking that must
   occur and
2. You are "running a SecurityManager and therefore secure" but you
   really aren't secure

> Our Security department is worried that without the Security
> Manager enabled, hackers can gain access to restricted packages,
> take control over Tomcat and 'hop' to other applications and
> machines (so basically this would imply activating the Security
> Manager for all applications).

So, it's true that if you restrict your web application to only being
able to perform certain operations (such as connecting to a *specific*
port on a *specific* server for JDBC connections, and maybe writing to
a *specific* directory on your server for logging purposes) you will,
in fact, reduce the area of your vulnerable surface that attackers can
use to gain access.

On the other hand, pretty much everything you can do with a
SecurityManager (except maybe resource limits, like preventing new
Threads) can be done with other configuration as well (at least, on
any relatively decent OS). For example, if you don't want to allow
arbitrary outgoing TCP connections, simply configure your firewall
that way. If you don't want your webapp to be able to write to
anywhere on the filesystem, change your filesystem permissions or run
in a chroot jail (or both!).

Sure, security should always be considered in layers and it never
hurts to have redundant checks just in case you have one layer
misconfigured or there is some kind of bug or security vulnerability
in a particular layer. But, don't think that you "aren't secure" if
you aren't running under a SecurityManager and, likewise, don't think
that you "are secure" just because you are running one.

Frankly, the most vulnerable part of your web application is likely to
be the application itself. SANS' top 25 software errors (should really
be "vulnerabilities" IMO) lists mostly things that a SecurityManager
won't protect you against (http://www.sans.org/top25-software-errors/).

For instance, SQL injection repeatedly tops this list because
programmers are sloppy with their parametric SQL statements.
SecurityManager can't stop that. OS command injection? If you even
allow your webapp to call the OS (Runtime.exec), then SecurityManager
can't sanitize the parameters for you. XSS? File Upload? Open
Redirect? CSRF? Those are all the fault of the webapp's programmers
and cannot be protected against by running a SecurityManager.

> My question is: how secure is Tomcat without the Security Manager
> enabled (assuming other points from the CIS benchmark have been
> implemented). Is the Security Manager the guard against 'hopping'
> to other applications, or does Tomcat without the Security Manager
> already prevent this?

IMO, running a SecurityManager is a nice layer to have, but not
strictly necessary. If you are running code that you have written
in-house, and you trust your developers not to intentionally introduce
nasty code, then you should be relatively safe.

If, on the other hand, you are running code that you don't necessarily
trust, or are allowing untrusted people to deploy their own webapps
onto your server, then it is absolutely imperative that you *do* run a
SecurityManager, no matter how much of a pain in the ass it is to set up.

Hope that helps,
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk7qGK0ACgkQ9CaO5/Lv0PA8PACdF1ObNFpKxm3SGeqZZI5JF4DL
rqUAoKgK5FOEG0OWwK/6cOyTfdEBPAmi
=uVMw
-----END PGP SIGNATURE-----


Re: Tomcat 6: what are the risks of not using Security Manager

Posted by Mark Thomas <ma...@apache.org>.
jwklomp <ja...@gmail.com> wrote:

>
>Hello,
>
>I'm migrating existing applications to Tomcat and setting Tomcat up as
>described in the 'Security Configuration Benchmark for Apache Tomcat
>5.5/6.0' of the Center of Internet Security. 
>
>The benchmark recommends enabling the Security Manager. However, I'm
>experiencing that none of the apps run 'out of the box' with the
>Security
>Manager enabled. I'm contemplating not activating it, but find it hard
>to estimate the risk.
>
>Our Security department is worried that without the Security Manager
>enabled, hackers can gain access to restricted packages, take control
>over
>Tomcat and 'hop' to other applications and machines (so basically this
>would
>imply activating the Security Manager for all applications). 
>
>My question is: how secure is Tomcat without the Security Manager
>enabled
>(assuming other points from the CIS benchmark have been implemented).
>Is the
>Security Manager the guard against 'hopping' to other applications, or
>does
>Tomcat without the Security Manager already prevent this?
> 
>Regards, Jan-Willem
>-- 
>View this message in context:
>http://old.nabble.com/Tomcat-6%3A-what-are-the-risks-of-not-using-Security-Manager-tp32973301p32973301.html
>Sent from the Tomcat - User mailing list archive at Nabble.com.

It may have improved but the last time I looked at the CIS
recommendations my immediate impression was that it was written by folks
with zero to little understanding of Tomcat.

Without the security manager, if an application has a serious security
vulnerability then an attacker can potentially do anything the user
running the Tomcat process can do. This is why you should never run
Tomcat as root.

With the security manager, the web application runs in a sandbox that
further limits what it can do.

The problem with the security manager is that if an app is not written
to run under a security manager - so it uses doPrivileged() - then you
often end up having to grant so many permissions that there is no point
using the security manager. The other risk is that you miss a necessary
permission and break the app. My own view is that unless the app has
been written to use a security manager from the beginning the
availability risk using one creates is greater than any confidentiality
risk that using one mitigates. However, each situation is different. YMMV.

Mark

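Chris's point above about granting a specific code base only a specific directory (or a specific host and port), and Mark's point that an application has to be written with doPrivileged() before such a narrow grant can work, can both be seen in one JVM without Tomcat. The program below is an added example, not code from this thread or from Tomcat: it installs a hand-written Policy in place of catalina.policy, loads a small logging helper into its own protection domain (standing in for a trusted library jar), and calls it from code the policy grants nothing. The code base URL file:/opt/trusted-logger/, the log directory under java.io.tmpdir and the class names are assumptions chosen for the demo.

```java
import java.io.*;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.net.URL;
import java.security.*;
import java.security.cert.Certificate;

/*
 * Added example, not code from this thread or from Tomcat: the in-JVM
 * equivalent of this hypothetical catalina.policy grant, which lets one
 * code base write one directory and nothing else:
 *   grant codeBase "file:/opt/trusted-logger/-" {
 *       permission java.io.FilePermission "${java.io.tmpdir}/myapp-logs/-", "read,write";
 *   };
 */
public class DoPrivilegedDemo {
    static final String TRUSTED_LOCATION = "file:/opt/trusted-logger/";   // assumed "trusted jar" location
    static final String LOG_DIR = new File(System.getProperty("java.io.tmpdir"), "myapp-logs").getPath();

    /** Narrow policy: the trusted code source may read/write the log directory; every other domain gets nothing. */
    static class NarrowPolicy extends Policy {
        @Override public PermissionCollection getPermissions(ProtectionDomain d) {
            Permissions p = new Permissions();
            CodeSource cs = d.getCodeSource();
            if (cs != null && cs.getLocation() != null && TRUSTED_LOCATION.equals(cs.getLocation().toString())) {
                p.add(new FilePermission(LOG_DIR + File.separator + "-", "read,write"));
            }
            return p;
        }
        @Override public boolean implies(ProtectionDomain d, Permission perm) { return getPermissions(d).implies(perm); }
    }

    /** Logging helper; main() loads a copy of it into its own protection domain, as a separate jar would get. */
    public static class TrustedLogger implements PrivilegedExceptionAction<Void> {
        private final File target;
        private TrustedLogger(File target) { this.target = target; }
        @Override public Void run() throws IOException {
            try (FileWriter w = new FileWriter(target, true)) { w.write("entry\n"); }
            return null;
        }
        /** Not written for a SecurityManager: every domain on the call stack, the caller's included, is checked. */
        public static void logDirect(File f) throws IOException { new TrustedLogger(f).run(); }
        /** Written for a SecurityManager: doPrivileged() ends the stack walk at this class's own domain. */
        public static void logPrivileged(File f) throws IOException {
            try { AccessController.doPrivileged(new TrustedLogger(f)); }
            catch (PrivilegedActionException e) { throw (IOException) e.getException(); }
        }
    }

    /** Defines one class from raw bytes under a chosen CodeSource so the policy can tell it apart from the app. */
    static class IsolatingLoader extends ClassLoader {
        private final String name; private final byte[] bytes; private final CodeSource cs;
        IsolatingLoader(ClassLoader parent, String name, byte[] bytes, CodeSource cs) { super(parent); this.name = name; this.bytes = bytes; this.cs = cs; }
        @Override protected Class<?> loadClass(String n, boolean resolve) throws ClassNotFoundException {
            if (!n.equals(name)) return super.loadClass(n, resolve);
            synchronized (getClassLoadingLock(n)) {
                Class<?> c = findLoadedClass(n);   // 4-arg ProtectionDomain below is dynamic: the Policy is consulted on each check
                return c != null ? c : defineClass(n, bytes, 0, bytes.length, new ProtectionDomain(cs, null, this, null));
            }
        }
    }

    /** Invokes a helper method from this (ungranted) class and reports whether the sandbox allowed it. */
    static boolean attempt(String label, Method m, File f) throws IllegalAccessException {
        try {
            m.invoke(null, f);
            System.out.println("ALLOWED  " + label);
            return true;
        } catch (InvocationTargetException e) {
            if (!(e.getCause() instanceof AccessControlException)) throw new IllegalStateException(e.getCause());
            System.out.println("DENIED   " + label + " -> " + ((AccessControlException) e.getCause()).getPermission());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        File logFile = new File(LOG_DIR, "app.log");
        File escape = new File(System.getProperty("java.io.tmpdir"), "myapp-escape.txt");
        logFile.getParentFile().mkdirs();
        // 1. While no SecurityManager exists yet, load TrustedLogger under the trusted CodeSource.
        byte[] bytes;
        try (InputStream in = DoPrivilegedDemo.class.getResourceAsStream("DoPrivilegedDemo$TrustedLogger.class")) {
            if (in == null) throw new IllegalStateException("run with the compiled .class files on the class path");
            bytes = in.readAllBytes();
        }
        CodeSource trusted = new CodeSource(new URL(TRUSTED_LOCATION), (Certificate[]) null);
        Class<?> helper = new IsolatingLoader(DoPrivilegedDemo.class.getClassLoader(), "DoPrivilegedDemo$TrustedLogger", bytes, trusted)
                .loadClass("DoPrivilegedDemo$TrustedLogger");
        Method direct = helper.getMethod("logDirect", File.class);
        Method privileged = helper.getMethod("logPrivileged", File.class);
        // 2. Install the policy and the manager; from here on this class, the "webapp", holds no permissions at all.
        Policy.setPolicy(new NarrowPolicy());
        System.setSecurityManager(new SecurityManager());
        // 3. Three calls from the ungranted domain.
        attempt("logDirect to log dir (caller's domain is on the stack)", direct, logFile);
        attempt("logPrivileged to log dir (stack walk stops at the trusted domain)", privileged, logFile);
        attempt("logPrivileged outside log dir (grant is path-scoped)", privileged, escape);
    }
}
```

Compile with javac and run with the compiled classes on the class path (java -cp . DoPrivilegedDemo), because the program reads the helper's bytecode back as a resource; it needs JDK 11 to 17 (17 prints a deprecation warning), JDK 18 to 23 only with -Djava.security.manager=allow, and JDK 24 has removed the SecurityManager altogether. The first call is denied because the caller's ungranted domain is on the stack when FileOutputStream asks the SecurityManager for write permission; that is the situation Mark describes, where the only way to keep such an app working is to extend the grant to the whole application. The second call is allowed because doPrivileged() stops the stack walk at the helper's own, trusted domain, so the grant can stay on the helper's code base. The third call goes through doPrivileged() too and is still denied, because the grant is scoped to the log directory: the sandbox limits what even trusted code can do, which is the surface reduction Chris describes. In Tomcat the same rule lives in catalina.policy, as in the comment at the top of the program, and only applies when catalina.sh is started with -security.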

RE: Tomcat 6: what are the risks of not using Security Manager

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: jwklomp [mailto:janwillem.klomp@gmail.com] 
> Subject: Tomcat 6: what are the risks of not using Security Manager

> My question is: how secure is Tomcat without the Security Manager enabled

Tomcat itself is secure; it's your webapps you have to think about.  Can they be tricked into doing things like writing to arbitrary locations in the server file system?  Only you can determine that.

 - Chuck
