tomcat-users mailing list archives

From Alexander Kabanov <>
Subject different uid per <host> or perhaps something else
Date Sat, 17 Sep 2005 22:39:22 GMT

I would like to solve the following problem; any opinion is appreciated:

I have an "apache - mod_jk - tomcat" bundle working and virtual hosts properly
configured; everything is nice, but with a few small issues. In addition to this
configuration, each virtual host represents a different user, and these users
don't trust each other.

1. As user1 I'm able to get to what's in user2's home directory
(if file exec permission is allowed); here is how:

Tomcat is running with the security manager enabled; in catalina.policy add
something like this:

// each vhost's code is confined to its own tree; "execute" is the action that
// lets it spawn an external process (the case the text describes)
grant codeBase "file:/path/vhost1/-" {
  permission java.io.FilePermission "/path/vhost1/-", "read,write,delete,execute";
};

grant codeBase "file:/path/vhost2/-" {
  permission java.io.FilePermission "/path/vhost2/-", "read,write,delete,execute";
};

This policy prevents opening anything that is outside of /path/vhostN, but it
allows you to create a shell script and execute commands under the server uid,
and because that uid is allowed to access any user directory, you can
potentially get something from there. It's easy to solve: don't give users exec
permission. But I would like to allow them to execute what they want somehow.

Question: is there a way to switch to a different uid before executing an
external process (something similar to Apache suexec, or perhaps something like
a uid per <host>)?

2. For each vhost a "/manager" context is created (inside <host name="vhost">)
with its own users database and so on. When one deploys his applications they
belong to the server uid (as the file owner); from #1 it means that anyone who
is able to execute a shell script and get into your directory can delete or
alter your applications.

Question: is it possible to change the file owner when you deploy an application
or when it's auto-deployed? (One way is chmod +s /path/user/webappsdir, but it
allows the user to have more than read-only access to the app files; it doesn't
prevent the cases described in #1.)

It's not dangerous when you don't give permission to execute external processes.
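
An added check, not part of this message, for the situation in point 1: a small Python audit that parses the simple `grant codeBase { permission java.io.FilePermission ...; };` form of catalina.policy used above and flags any grant that carries the "execute" action (processes it spawns run as the server uid, outside the policy) or names a path outside its own vhost tree. The sample policy text is constructed for the example; vhost1 shows the weak setting, vhost2 the tightened one plus a stray read grant.

```python
import re
from typing import List, Tuple

# Constructed sample catalina.policy fragment (not from the original message).
SAMPLE_POLICY = '''
grant codeBase "file:/path/vhost1/-" {
  permission java.io.FilePermission "/path/vhost1/-", "read,write,delete,execute";
};

grant codeBase "file:/path/vhost2/-" {
  permission java.io.FilePermission "/path/vhost2/-", "read,write,delete";
  permission java.io.FilePermission "/etc/passwd", "read";
};
'''

# One grant block: codeBase URL and everything between its braces.
GRANT_RE = re.compile(r'grant\s+codeBase\s+"file:([^"]+)"\s*\{(.*?)\}\s*;', re.S)
# One FilePermission line inside a grant: target path and action list.
PERM_RE = re.compile(
    r'permission\s+java\.io\.FilePermission\s+"([^"]+)"\s*,\s*"([^"]+)"\s*;')


def tree_root(path: str) -> str:
    """'/path/vhost1/-' and '/path/vhost1/*' both refer to the tree under /path/vhost1."""
    return path.rstrip('-*').rstrip('/')


def audit_policy(text: str) -> List[Tuple[str, str, str]]:
    """Return (vhost root, permission path, reason) for each risky FilePermission."""
    findings = []
    for grant in GRANT_RE.finditer(text):
        root = tree_root(grant.group(1))
        for path, actions in PERM_RE.findall(grant.group(2)):
            acts = {a.strip() for a in actions.split(',')}
            if 'execute' in acts:
                findings.append((root, path,
                                 'execute: spawned processes run as the server uid, '
                                 'unconfined by the policy'))
            target = tree_root(path)
            # A path is inside the vhost tree only if it is the root itself or
            # a descendant of it; the trailing '/' stops /path/vhost10 matching /path/vhost1.
            if not (target == root or target.startswith(root + '/')):
                findings.append((root, path, 'path reaches outside the vhost tree'))
    return findings


if __name__ == '__main__':
    for root, path, reason in audit_policy(SAMPLE_POLICY):
        print(f'{root}: {path}: {reason}')
```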


