tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 22405] - warn if not deploy with umask "0077" or if deployed as "root" and provide tutorial URL "Secure deployment"
Date Thu, 14 Aug 2003 14:12:28 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22405>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22405

warn if not deploy with umask "0077" or if deployed as "root" and provide tutorial URL "Secure
deployment"

hauser@acm.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |netshark@sharkplanet.com
            Summary|deploy as 700 and additional|warn if not deploy with
                   |attribute to be less        |umask "0077" or if deployed
                   |restrictive                 |as "root" and provide
                   |                            |tutorial URL "Secure
                   |                            |deployment"



------- Additional Comments From hauser@acm.org  2003-08-14 14:12 -------
Ok, I might have misunderstood somebody such that I thought that tomcat only
runs under root which it obviously does not (I tested it now; and yes, even
before this post, I did use sudo).

In order to avoid novices like myself falling into these traps, I suggest the
following 3 enhancements:
1) warn if tomcat sees itself running as "root" and print a tutorial URL into
   catalina.out
2) warn if tomcat sees its umask as being other than ***7 (i.e. if its output
   is world-readable) and print the same tutorial URL
3) create the tutorial page how to deploy securely (I am happy to be the first
   tester/contributor there!)

Re: how to set owners/permissions from inside Java
  --> a quick google search yielded the following (untested) results
http://www.aoindustries.com/docs/aocode-public/com/aoindustries/io/unix/UnixFile.html
http://www.xenonsoft.demon.co.uk/products/javaunix/docs/api/javaunix/io/UnixFile.html

Former "Summary: deploy as 700 and additional attribute to be less restrictive"

Further safeguard ideas to achieve secure deployment out of the Java-oriented
world (tomcat/ant) are described in
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22370 and
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22417 .

Mime
View raw message