Posted to users@tomcat.apache.org by Chad Loder <cl...@acm.org> on 2000/11/06 01:19:16 UTC

Default permissions security issue

Hello. I have successfully deployed my first test servlet
using Tomcat as a standalone container. I am concerned with
the default filesystem permissions given to my servlet
by Tomcat.

When my servlet is deployed under:

	tomcat_dir/webapps/mycontext

the servlet is allowed to create the following directory:

	tomcat_dir/mydir

It seems to me that the servlet, by default, should have
NO filesystem permissions outside of its deployment context.

Is this behavior by design, and if so, why? :)

Also if so, is there a way to disable it without hacking the
source code?

Thanks,

	Chad Loder


Re: Default permissions security issue

Posted by Chad Loder <cl...@acm.org>.
At 06:08 PM 11/5/2000 -0800, you wrote:
>Chad Loder wrote:
>
> > Thanks Craig.
> >
> > I assumed that Tomcat installed the Java security manager by
> > default. This would be the reasonable approach as long as
> > Tomcat wasn't aiming to support pre-Java2 platforms (e.g.,
> > JDK 1.1). Is this in fact the case?
> >
>
>No it isn't -- you have to specifically enable this, because you need to set
>up the policy permissions file ($TOMCAT_HOME/conf/tomcat.policy) to meet your
>needs, and there is no reasonable way for Tomcat to set defaults that meet
>every circumstance.

The beauty of defaults is that they don't have to meet every circumstance.
That's why they are called defaults. :P

>No, just looking in the wrong place :-)
>
>Security manager support is a 3.2 feature -- it's not there in 3.1.  The file
>is "doc/uguide/tomcat_security.txt".  It's also visible online:
>
><http://jakarta.apache.org/tomcat/jakarta-tomcat/src/doc/uguide/tomcat_security.txt>

Ah, thanks.
         c


Re: Default permissions security issue

Posted by "Craig R. McClanahan" <Cr...@eng.sun.com>.
Chad Loder wrote:

> Thanks Craig.
>
> I assumed that Tomcat installed the Java security manager by
> default. This would be the reasonable approach as long as
> Tomcat wasn't aiming to support pre-Java2 platforms (e.g.,
> JDK 1.1). Is this in fact the case?
>

No it isn't -- you have to specifically enable this, because you need to set
up the policy permissions file ($TOMCAT_HOME/conf/tomcat.policy) to meet your
needs, and there is no reasonable way for Tomcat to set defaults that meet
every circumstance.

>
> I've looked through the documentation directory and I
> did not find anything about setting up Java permissions with
> Tomcat. I have the following stuff in my tomcat/doc directory:
>
> appdev/
> faq
> readme
> uguide/
>
> none of which explained this procedure. Am I missing some
> documentation or just not looking hard enough?
>

No, just looking in the wrong place :-)

Security manager support is a 3.2 feature -- it's not there in 3.1.  The file
is "doc/uguide/tomcat_security.txt".  It's also visible online:

<http://jakarta.apache.org/tomcat/jakarta-tomcat/src/doc/uguide/tomcat_security.txt>

>
> Thanks,
>          Chad

Craig


>
> At 04:54 PM 11/5/2000 -0800, you wrote:
> >Chad Loder wrote:
> >
> > > Hello. I have successfully deployed my first test servlet
> > > using Tomcat as a standalone container. I am concerned with
> > > the default filesystem permissions given to my servlet
> > > by Tomcat.
> > >
> > > When my servlet is deployed under:
> > >
> > >         tomcat_dir/webapps/mycontext
> > >
> > > the servlet is allowed to create the following directory:
> > >
> > >         tomcat_dir/mydir
> > >
> > > It seems to me that the servlet, by default, should have
> > > NO filesystem permissions outside of its deployment context.
> > >
> >
> >All of the servlets run in a single instance of Tomcat are running
> >inside a single JVM process, so they all (from the point of view of the
> >operating system) have a single user identity.  Thus, by default, any
> >servlet has access to any file accessible to the username you are
> >starting Tomcat under.
> >
> > >
> > > Is this behavior by design, and if so, why? :)
> > >
> > > Also if so, is there a way to disable it without hacking the
> > > source code?
> > >
> >
> >If you are running version 3.2 of Tomcat on a JDK 1.2 or 1.3 system, you
> >can set up web applications to run under a Java security manager, which
> >can be used to limit web app access to files, network ports, the ability
> >to start threads, and everything else controllable through the Java
> >security model.  There are instructions for setting this up in the
> >documentation directory.
> >
> >If you want to try to rely on operating system file permissions, the
> >best you can do is run multiple instances of Tomcat, each under an
> >appropriate OS username.
> >
> > >
> > > Thanks,
> > >
> > >         Chad Loder
> >
> >Craig McClanahan


Re: Default permissions security issue

Posted by Chad Loder <cl...@acm.org>.
Thanks Craig.

I assumed that Tomcat installed the Java security manager by
default. This would be the reasonable approach as long as
Tomcat wasn't aiming to support pre-Java2 platforms (e.g.,
JDK 1.1). Is this in fact the case?

I've looked through the documentation directory and I
did not find anything about setting up Java permissions with
Tomcat. I have the following stuff in my tomcat/doc directory:

appdev/
faq
readme
uguide/

none of which explained this procedure. Am I missing some
documentation or just not looking hard enough?

Thanks,
         Chad



At 04:54 PM 11/5/2000 -0800, you wrote:
>Chad Loder wrote:
>
> > Hello. I have successfully deployed my first test servlet
> > using Tomcat as a standalone container. I am concerned with
> > the default filesystem permissions given to my servlet
> > by Tomcat.
> >
> > When my servlet is deployed under:
> >
> >         tomcat_dir/webapps/mycontext
> >
> > the servlet is allowed to create the following directory:
> >
> >         tomcat_dir/mydir
> >
> > It seems to me that the servlet, by default, should have
> > NO filesystem permissions outside of its deployment context.
> >
>
>All of the servlets run in a single instance of Tomcat are running
>inside a single JVM process, so they all (from the point of view of the
>operating system) have a single user identity.  Thus, by default, any
>servlet has access to any file accessible to the username you are
>starting Tomcat under.
>
> >
> > Is this behavior by design, and if so, why? :)
> >
> > Also if so, is there a way to disable it without hacking the
> > source code?
> >
>
>If you are running version 3.2 of Tomcat on a JDK 1.2 or 1.3 system, you
>can set up web applications to run under a Java security manager, which
>can be used to limit web app access to files, network ports, the ability
>to start threads, and everything else controllable through the Java
>security model.  There are instructions for setting this up in the
>documentation directory.
>
>If you want to try to rely on operating system file permissions, the
>best you can do is run multiple instances of Tomcat, each under an
>appropriate OS username.
>
> >
> > Thanks,
> >
> >         Chad Loder
>
>Craig McClanahan



Re: Default permissions security issue

Posted by "Craig R. McClanahan" <Cr...@eng.sun.com>.
Chad Loder wrote:

> Hello. I have successfully deployed my first test servlet
> using Tomcat as a standalone container. I am concerned with
> the default filesystem permissions given to my servlet
> by Tomcat.
>
> When my servlet is deployed under:
>
>         tomcat_dir/webapps/mycontext
>
> the servlet is allowed to create the following directory:
>
>         tomcat_dir/mydir
>
> It seems to me that the servlet, by default, should have
> NO filesystem permissions outside of its deployment context.
>

All of the servlets run in a single instance of Tomcat are running
inside a single JVM process, so they all (from the point of view of the
operating system) have a single user identity.  Thus, by default, any
servlet has access to any file accessible to the username you are
starting Tomcat under.

>
> Is this behavior by design, and if so, why? :)
>
> Also if so, is there a way to disable it without hacking the
> source code?
>

If you are running version 3.2 of Tomcat on a JDK 1.2 or 1.3 system, you
can set up web applications to run under a Java security manager, which
can be used to limit web app access to files, network ports, the ability
to start threads, and everything else controllable through the Java
security model.  There are instructions for setting this up in the
documentation directory.

If you want to try to rely on operating system file permissions, the
best you can do is run multiple instances of Tomcat, each under an
appropriate OS username.

>
> Thanks,
>
>         Chad Loder

Craig McClanahan
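The two situations Craig describes (one JVM, one OS identity, so every servlet can write wherever the Tomcat user can; versus a Java security manager that confines file access per web application) can be reproduced in a few lines. The program below is an added example, not code from this thread or from Tomcat: it stands in a temporary directory for `tomcat_dir`, uses a hand-written `java.security.Policy` in place of `$TOMCAT_HOME/conf/tomcat.policy`, and plays the servlet with a `tryMkdir` helper. The class name `ContextConfinementDemo` and the directory names are constructed for the demo.

```java
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.AccessControlException;
import java.security.FilePermission;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;

/**
 * Added example (not part of the original thread or of Tomcat).
 * Without a security manager, a servlet can create tomcat_dir/mydir
 * because the JVM runs as one OS user. With a security manager and a
 * confining policy, writes outside the deployment context are denied.
 */
public class ContextConfinementDemo {

    /** Hand-written policy: reads anywhere, writes/deletes only under contextDir. */
    static final class ContextPolicy extends Policy {
        private final Path contextDir;

        ContextPolicy(Path contextDir) {
            // Resolved once, before the security manager is installed.
            this.contextDir = contextDir.toAbsolutePath().normalize();
        }

        @Override
        public boolean implies(ProtectionDomain domain, Permission perm) {
            if (!(perm instanceof FilePermission)) {
                return true; // only file access is in scope for this demo
            }
            String actions = perm.getActions();
            if (!actions.contains("write") && !actions.contains("delete")) {
                return true; // reads stay unrestricted so classes and resources can load
            }
            // FilePermission.getName() is the path as passed to the check;
            // java.io.File.mkdir() passes the File's own path, made absolute below.
            Path target = Path.of(perm.getName()).normalize();
            return target.isAbsolute() && target.startsWith(contextDir);
        }
    }

    /** Stand-in for the servlet: tries to create a directory at an absolute path. */
    static String tryMkdir(Path dir) {
        try {
            boolean created = new File(dir.toString()).mkdir();
            return created ? "created" : "not created (already exists?)";
        } catch (AccessControlException e) {
            return "denied: " + e.getPermission();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed layout: <tmp>/tomcat_dirXXXX/webapps/mycontext
        Path tomcatDir = Files.createTempDirectory("tomcat_dir");
        Path contextDir = Files.createDirectories(
                tomcatDir.resolve("webapps").resolve("mycontext"));

        // 1. Default behaviour: no security manager, the OS user is the only boundary.
        System.out.println("no security manager, outside context: "
                + tryMkdir(tomcatDir.resolve("mydir")));

        // 2. Security manager plus a policy confining writes to the context.
        Policy.setPolicy(new ContextPolicy(contextDir));
        System.setSecurityManager(new SecurityManager());
        System.out.println("security manager, inside context:  "
                + tryMkdir(contextDir.resolve("scratch")));
        System.out.println("security manager, outside context: "
                + tryMkdir(tomcatDir.resolve("mydir2")));
        // The temp tree is left behind on purpose: deleting it would itself be denied.
    }
}
```

Run it with `java ContextConfinementDemo`. The first line reports `created`, the second `created`, the third `denied: ("java.io.FilePermission" "<tmp>/tomcat_dir.../mydir2" "write")`. A `tomcat.policy` grant with the same intent would be `grant codeBase "file:/PATH/TO/webapps/mycontext/-" { permission java.io.FilePermission "/PATH/TO/webapps/mycontext/-", "read,write,delete"; };`, but a policy file is default-deny, so it also needs whatever read, property and socket permissions the application legitimately uses; the variables Tomcat 3.2 defines for those paths are in the `doc/uguide/tomcat_security.txt` file Craig points to. The security manager itself was deprecated for removal in JDK 17, needs `-Djava.security.manager=allow` on JDK 18 to 23, and cannot be enabled at all from JDK 24, so this is the mechanism of the era rather than something to build on today.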