tomcat-users mailing list archives

From: Jeff Turner <j...@socialchange.net.au>
Subject: Re: Fw: Tomcat security questions
Date: Sat, 22 Sep 2001 02:14:35 GMT

On Thu, Sep 20, 2001 at 02:27:33PM -0500, Jonathan Eric Miller wrote:
> 
> I'm wondering if anyone has any suggestions on how to best set up Tomcat for
> maximum security?

Against what threat? Are you worried about:
 - DoS attacks
 - Attacks exploiting weaknesses in Tomcat itself (eg directory traversal)
 - Webapps doing nasty stuff

I presume it's up to how you configure the connector to prevent DoS attacks.
Tomcat's HTTP1.1 connector has an "acceptCount" attribute, which can stop
endless requests from being queued when Tomcat is fully loaded already.

Tomcat has had quite a few "directory traversal" type attacks, where a weirdly
formatted request gained you access to files you shouldn't. I suppose a
chrooted environment helps here. It won't help for bugs allowing access to
uninterpreted JSPs, or access to WEB-INF/*. So don't put passwords in JSPs :P

"Webapps doing nasty stuff" can be prevented by starting Tomcat with a security
manager ('./startup.sh -security'), and properly setting your policy file.

> Currently, I'm running Tomcat in a chrooted environment.
>
> I see that there is also a way to run Tomcat as a non-root user. I'm
> wondering what the best configuration is.
>
> It seems like running it chrooted is probably the best way to go.
>
> Also, I'm wondering how much of an issue buffer overflows are for Tomcat
> considering it's written in Java which as far as I know makes them close to
> impossible. You would have to basically find an overflow in the JVM, right?

I think so. Even if there was an overflow in the JVM, you probably couldn't
exploit it, since the language is strictly defined, and all bytecode gets
validated before being run. But then, there was that Netscape exploit a while
ago.. can't remember how that worked.

> Any other suggestions on how Tomcat should be configured for security? i.e.
> removing sample applications, etc.

It's only as secure as the operating system you run it on. You know what that
implies.. ;)

Stuff to read: 

"Low Level Security in Java"  http://java.sun.com/sfaq/verifier.html
"The class file format"  http://java.sun.com/docs/books/vmspec/html/ClassFile.doc.html

--Jeff

> Jon
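
An added example (not part of the original message, and not Tomcat's own code): a small Python check that reads a Java policy file and reports grants that would still let a webapp do "nasty stuff" even with the security manager enabled. The policy text is constructed, the /opt/... paths and the webapp names "shop" and "reports" are hypothetical, and the three rules in `audit` are illustrative assumptions rather than a complete review.

```python
import re

# Constructed sample policy; all paths and webapp names are hypothetical.
SAMPLE_POLICY = '''
// The JDK's own classes are normally fully trusted.
grant codeBase "file:/opt/jdk/lib/-" {
    permission java.security.AllPermission;
};
// Weak: this webapp may do anything the JVM process can do.
grant codeBase "file:/opt/tomcat/webapps/shop/-" {
    permission java.security.AllPermission;
};
// Restricted: read-only access to the webapp's own directory.
grant codeBase "file:/opt/tomcat/webapps/reports/-" {
    permission java.io.FilePermission "/opt/tomcat/webapps/reports/-", "read";
    permission java.util.PropertyPermission "line.separator", "read";
};
// No codeBase: applies to all code, every webapp included.
grant {
    permission java.io.FilePermission "<<ALL FILES>>", "read,write";
};
'''

# Handles the common "grant [codeBase "..."] { ... };" form only
# (no signedBy or principal clauses).
GRANT = re.compile(r'grant\s*(?:codeBase\s*"([^"]*)")?\s*\{(.*?)\}\s*;', re.S)
PERM = re.compile(r'permission\s+([\w.]+)(?:\s+"([^"]*)")?(?:\s*,\s*"([^"]*)")?\s*;')

def audit(policy_text, webapp_marker="/webapps/"):
    """Return (codeBase, permission class, target) for each risky grant."""
    text = re.sub(r'(?m)^\s*//.*$', '', policy_text)  # drop whole-line comments
    findings = []
    for code_base, body in GRANT.findall(text):
        # An empty codeBase means the grant covers all code, webapps included.
        if code_base and webapp_marker not in code_base:
            continue
        for cls, target, _actions in PERM.findall(body):
            risky = (cls == "java.security.AllPermission"
                     or (cls == "java.io.FilePermission" and target == "<<ALL FILES>>")
                     or (cls == "java.lang.RuntimePermission" and target.startswith("exitVM")))
            if risky:
                findings.append((code_base or "<all code>", cls, target))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICY):
        print("RISKY:", *finding)
```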
