tomcat-users mailing list archives

From Konstantin Preißer <kpreis...@apache.org>
Subject Some security-related questions / enhancements for the Windows Installer
Date Wed, 18 Dec 2013 14:17:59 GMT
Hi,

while I normally only use the .zip distributions of Tomcat, I just had a look at the Windows
Service Installer for Tomcat 8.0.0-RC9.

There are some points related to security which I noticed that could be improved:

1) When installing Tomcat with the Windows Service Installer, it installs by default in "%ProgramFiles%\Apache
Software Foundation\Tomcat 8.0". A problem that I see here is that this directory is intended
to be the place for binaries of programs that every user which has an account on this Windows
installation should be able to use. However, by default, Tomcat places not only binaries,
but also data (conf, logs, webapps, work, temp) in this directory (I think it's possible to
run Tomcat with a different data directory by setting a different CATALINA_BASE env, but the
Installer doesn't seem to do this).

This means e.g. if you have some passwords in your Tomcat config, every other user on the
server will be able to read them (or, webapp binaries which you place in the webapps directory,
etc.).
Of course, a user which installs a program on the server should know how to secure the data,
but I think an Installer should make sure that by default, everything is secure.

So, in this case maybe it could display an option to automatically adjust file permissions,
and if it is selected, adjust the directory ACLs of the "Tomcat 8" directory to only allow
full access for "NT AUTHORITY\SYSTEM" and "BUILTIN\Administrators", but don't allow read access
for ordinary users.
(For example, if you install Microsoft SQL Server 2012, it will place binaries and data files
into C:\Program Files\Microsoft SQL Server, but the setup adjusts the permissions for the
DATA directory so that ordinary users can't access it.)


2) By default, the installer sets the Tomcat Service to run under the LocalSystem account
which has administrative privileges.

Normally, Tomcat shouldn't run as root/Administrator user for security reasons. I think an
alternative would be to run as NetworkService which is a user that exists by default and doesn't
have administrative privileges (i.e. it has only normal user rights) [1].
AFAIK, this user can only be used to run services, but it cannot be used with things like
the "runas" command so every other user will not be able to access data with NetworkUser privileges.
(This is also done e.g. by VisualSVN Server - it runs as NetworkService.)

Note that in this case, if 1) is applied, the installer would need to additionally give full
access to the NetworkService for the "Tomcat 8" directory.


3) When running the installer, it asks for the Server Shutdown port which has a value of "8005"
by default. However, when running Tomcat as a service, the shutdown port is not needed as
the daemon service wrapper implements the logic to shut down Tomcat. Shouldn't the shutdown
port in this case automatically be set to "-1" to disable it, for security reasons? Otherwise
other users would be able to shut down Tomcat by connecting to the shutdown port.


What do you think?


[1] http://msdn.microsoft.com/en-us/library/windows/desktop/ms684272%28v=vs.85%29.aspx


Thanks & Regards,
Konstantin Preißer


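The three hardening steps proposed in the message above, as an added PowerShell example for an existing Windows Service installation (this is not code from the message, from the installer, or from the Tomcat project). It assumes the install directory quoted in the mail, a service named "Tomcat8" (check with Get-Service), and an elevated shell.

```powershell
# Added example, not part of the original message or of the Tomcat installer.
# Assumed values: install directory as quoted in the mail, service name "Tomcat8".
$TomcatHome  = "$env:ProgramFiles\Apache Software Foundation\Tomcat 8.0"
$ServiceName = "Tomcat8"

# 1) Restrict the directory ACL. Inherited rules under %ProgramFiles% give
#    BUILTIN\Users read access, so inheritance is disabled and inherited rules
#    are discarded; then only SYSTEM, Administrators and the service account
#    (NetworkService, see step 2) are granted full control on the whole tree.
$acl = Get-Acl -Path $TomcatHome
$acl.SetAccessRuleProtection($true, $false)          # protect DACL, drop inherited ACEs
foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }  # drop explicit ACEs
$inherit   = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$propagate = [System.Security.AccessControl.PropagationFlags]::None
foreach ($identity in "NT AUTHORITY\SYSTEM", "BUILTIN\Administrators", "NT AUTHORITY\NetworkService") {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $identity, "FullControl", $inherit, $propagate, "Allow")
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $TomcatHome -AclObject $acl

# 2) Run the service as NetworkService instead of LocalSystem.
#    sc.exe needs the space after "obj="; built-in accounts need no password.
sc.exe config $ServiceName obj= "NT AUTHORITY\NetworkService"

# 3) Disable the shutdown port: the service wrapper stops Tomcat itself,
#    so nobody needs to be able to reach port 8005 on localhost.
$serverXml = Join-Path $TomcatHome "conf\server.xml"
$xml = [xml](Get-Content -Path $serverXml -Raw)
$xml.Server.SetAttribute("port", "-1")
$xml.Save($serverXml)

Restart-Service -Name $ServiceName

# Verify: no inherited entries, no BUILTIN\Users, service account changed.
(Get-Acl -Path $TomcatHome).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
(Get-CimInstance Win32_Service -Filter "Name='$ServiceName'").StartName
```

Order matters: the ACL grant for NetworkService must be in place before the service is restarted under that account, or it will fail to read conf/server.xml.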

