tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rusty Wright <rusty.wri...@gmail.com>
Subject Re: running tomcat with root user.....umask in jsvc?
Date Tue, 03 Feb 2009 04:02:21 GMT
If you have control of the mode of the directory where the files are placed you may find the
sticky bit helpful for propagating stuff down the treee:

  http://www.dartmouth.edu/~rc/help/faq/permissions.html


epicwinter@hotmail.com wrote:
> 
> 
>> Date: Mon, 2 Feb 2009 22:00:24 +0100
>> From: aw@ice-sa.com
>> To: users@tomcat.apache.org
>> Subject: Re: running tomcat with root user.....umask in jsvc?
>>
>> epicwinter@hotmail.com wrote:
>>> That is a possible solution.  There is a fairly heavy amount of files uploaded
from many different users so it would mean a lot of configuration and a lot of maintenance
to that config as i add new users.  So I am trying to avoid the operating system chmod commands
in my code.  
>> I don't really like that either, and it does break if you ever (yuk) 
>> would decide to run your code on some other platform.
>>
>>> If i add umask 002 in my ./etc/init.d/tomcat start up script it seems to fix
the problem but i think this is setting that umask for more than just tomcat so i am not sure
how safe that is.
>> As far as I can tell, it would only change the umask for the current 
>> process (the shell executing your startup script) and all its offsprings 
>> (jsvc, tomcat).  But it will do it for *everything* that these processes 
>> do (such as creating temporary files, logfiles, etc..).  That may indeed 
>> not be very secure. For instance, one thing which Tomcat to my knowledge 
>> does (if you have not disabled it) is to rewrite the "conf/users.xml" 
>> file each time it starts up (or stops ?).  That particular file is not 
>> essential, and maybe Tomcat does not do that anymore in recent versions, 
>> but there might be other such things lurking around unexpectedly.
>>
> That was my concern, I think it is a very mild security concern but still an issue nonetheless.
 Since the tomcat user doesn't have shell access or root access I can't see it being a big
issue, it would be nice if you could set the umask for just the class loader or running java
process.
> 
>> I'm still a bit curious about how you did organise the upload 
>> directories and their rights and groups etc.. finally, because you want 
>> this one Tomcat user to be able to write into upload directories owned 
>> originally by other users, right ? Or at least, you want these other 
>> users afterward to have access to these files somehow.
>> So you must have established some common group or groups between the 
>> Tomcat user, and these other users, right ?
>> I am just wondering if by doing this, you have not "weakened" the 
>> general protection of all that stuff.
>>
> You got it.  Here is how i have it set up  let me know what you think:
> I created a shared group :
> groupadd sharedgroup
> Then i changed it so all my users were members of this group:
> usermod -g sharedgroup tomcat
> usermod -g sharedgroup jaileduser1
> 
> usermod -g sharedgroup jaileduser2 ...etc
> 
> Then I found some settings in the jailkit ( http://olivier.sessink.nl/jailkit/ ) that
allow for the jailed users to have group read/write permissions:
> in /etc/jailkist/jk_chrootsh.ini
> relax_home_group=1
> relax_home_group_permissions=1
> relax_home_other_permissions=1
> 
> Then in the jail jk_lsh.ini i set up the umask for the shared group:
> 
> [group sharedgroup]
> paths= /usr/bin, /usr/lib/
> executables= /usr/bin/scp, /usr/libexec/openssh/sftp-server
> umask= 002
> 
> Finally I added the umask 002 line to my tomcat startup script
> 
> The external jailed users only have sftp access and aren't able to move outside their
home directories.  Since the jailed user shares a group with tomcat they can all incestially
read and write files to these home directories and since the umask is set the permissions
are retained as new directories are created and so forth.
> 
> What do you think?
>  
>> I had a quite similar case to resolve not so long ago (with Apache, not 
>> Tomcat), and only ended up with ACLs after being forced to use them, 
>> because no other solution would really provide the security I wanted.
>>
> Yeah the ACLs look very effective but like yourself i am trying to avoid extra complications
> 
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
> 
> _________________________________________________________________
> Windows Live™ Hotmail®…more than just e-mail. 
> http://windowslive.com/howitworks?ocid=TXT_TAGLM_WL_t2_hm_justgotbetter_howitworks_012009

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message