tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Konstantin Preißer <kpreis...@apache.org>
Subject RE: Some security-related questions / enhancements for the Windows Installer
Date Sun, 22 Dec 2013 14:08:37 GMT
Hi André,

thanks for your reply.

> -----Original Message-----
> From: André Warnier [mailto:aw@ice-sa.com]
> Sent: Thursday, December 19, 2013 5:17 PM
> To: Tomcat Users List; kpreisser@apache.org
> Subject: Re: Some security-related questions / enhancements for the
> Windows Installer

<snip>

> Hi.
> In the meantime, I checked on my (venerable and also German) Windows XP
> SP3 laptop, and
> the LocalService and NetworkService accounts also exist indeed, although
> under the names
> "NETZWERKDIENST" and "LOKALER DIENST" (as written, capitals and all).  So
> Jeffrey was
> right, but you'd probably need to use their SID and find out the non-localised
> names.
> 
> I attach a screenshot of the dialog under XP, changing the startup user of the
> Tomcat 6
> service to start under "LOKALER DIENST".  The list will probably skip it, but I
> copied you
> directly too.
> (The funny thing is that it tends to imply that the account "LOKALER DIENST"
> under XP,
> does not by default have the permissions required to run a local service..)

Thanks, I recevced it. This message also showed on my system (Server 2012 R2) when changing
the user to Local Service.
> 
> It could even be started and stopped, without any further file permissions
> changes :
> 
> [2013-12-19 17:07:34] [info] Procrun (2.0.6.0) started
> [2013-12-19 17:07:34] [info] Running Service...
> [2013-12-19 17:07:34] [info] Starting service...
> [2013-12-19 17:07:45] [info] Service started in 11500 ms.
> [2013-12-19 17:07:58] [info] Stopping service...
> [2013-12-19 17:08:00] [info] Service stopped.
> [2013-12-19 17:08:00] [info] Run service finished.
> [2013-12-19 17:08:00] [info] Procrun finished.
> 
> So personally too, I think it may be a good idea to install Tomcat as
> "LocalService"
> rather than "LocalSystem" in the future.
> If only because it reduces the permissions of Tomcat, and thus theoretically
> the
> possibility of mischief by Tomcat apps.

I also could start Tomcat when changing the user of the service to "Local Service", however
without any further file permission changes, Tomcat has no write access to its directory preventing
it from working correctly (e.g. it cannot write log files, and Jasper shows "HTTP Status 500
- java.lang.IllegalStateException: No output folder" errors).

So, if Tomcat is set up to run on an non-administrative account like Local Service, one must
ajust the file permissions so that this user has full access to the Tomcat directory.

I have not yet looked into how the build of the installer works (res/Tomcat.nsi) (e.g. if
it has an option to change file permissions, or if one would need to run icacls.exe directly),
and if its possible to specify the user under wich Tomcat should run (as I guess the installation
of the service is done by Commons Daemon).


Regards,
Konstantin Preißer


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message