tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier ...@ice-sa.com>
Subject Re: Some security-related questions / enhancements for the Windows Installer
Date Wed, 18 Dec 2013 15:28:06 GMT
Konstantin Preißer wrote:
> Hi,
> 
> while I normally only use the .zip distributions of Tomcat, I just had a look at the
Windows Service Installer for Tomcat 8.0.0-RC9.
> 
> There are some points related to security which I noticed that could be improved:
> 
> 1) When installing Tomcat with the Windows Service Installer, it installs by default
in "%ProgramFiles%\Apache Software Foundation\Tomcat 8.0". A problem that I see here is that
this directory is intended to be the place for binaries of programs that every user which
has an account on this Windows installation should be able to use. However, by default, Tomcat
places not only binaries, but also data (conf, logs, webapps, work, temp) in this directory
(I think it's possible to run Tomcat with a different data directory by setting a different
CATALINA_BASE env, but the Installer doesn't seem to do this).
> 
> This means e.g. if you have some passwords in your Tomcat config, every other user on
the server will be able to read them (or, webapp binaries which you place in the webapps directory,
etc.).
> Of course, a user which installs a program on the server should know how to secure the
data, but I think a Installer should make sure that by default, everything is secure.
> 
> So, in this case maybe it could display an option to automatically adjust file permissions,
and if it is selected, adjust the directory ACLs of the "Tomcat 8" directory to only allow
full access for "NT AUTHORITY\SYSTEM" and "BUILTIN\Administrators", but don't allow read access
for ordinary users.
> (For Example, if you install Microsoft SQL Server 2012, it will place binaries and data
files into C:\Program Files\Microsoft SQL Server, but the setup adjusts the permissions for
the DATA directory so that ordinary users can't access it.)
> 
> 
> 2) By default, the installer sets the Tomcat Service to run under the LocalSystem account
which as administrative privileges.
> 
> Normally, Tomcat shouldn't run as root/Administrator user for security reasons. I think
an alternative would be to run as NetworkService which is a user that exists by default and
doesn't have administrative privileges (i.e. it has only normal user rights) [1].
> AFAIK, this user can only be used for run services, but it cannot be used with things
like the "runas" command so every other user will not be able to access data with NetworkUser
privileges. (This is also done e.g. by VisualSVN Server - it runs as NetworkService.)
> 
> Note that in this case, if 1) is applied, the installer would need to additionally give
full access to the NetworkService for the "Tomcat 8" directory.
> 
> 
> 3) When running the installer, it asks for the Server Shutdown port which has a value
of "8005" by default. However, when running Tomcat as a service, the shutdown port is not
needed as the daemon service wrapper implements the logic to shutdown Tomcat. Shouldn't the
shutdown port in this case automatically set to "-1" to disable it, for security reasons?
Otherwise other users would be able to shutdown Tomcat by connecting to the shutdown port.
> 
> 
> What do you think?
> 
> 
> [1] http://msdn.microsoft.com/en-us/library/windows/desktop/ms684272%28v=vs.85%29.aspx
> 
> 

Konstantin,

while I am not saying that you are wrong in the principle, there are nevertheless some 
additional considerations :
- Tomcat installs as "LocalSystem", not as "Administrator". It is not really the same as 
"Administrator".
- the LocalSystem account has extensive privileges on the local machine, but it is not a 
domain account and thus has no access to any (Windows) network resources.  Users cannot 
login as "LocalSystem" nor switch to that account.
- the LocalService and NetworkService may indeed by better choices nowadays, under recent

versions of Windows Server.  But these accounts do not necessarily exist on either older 
Windows versions and/or on Windows workstations.  Tomcat is free open-source software, 
which often gets installed on older Windows versions or developer workstations, so this 
would complicate the installer, if nothing else.
- the user group "Administrators" is the name in English.  In other locales, it is 
different (French : Administrateurs; German : Administratoren; Spanish: Administratores, 
etc.). That can be overcome, but also would complicate the installer.
- in environments where access to the Tomcat directories may be sensitive, one would 
usually be talking about "server" computers.  To have access to the "Program Files" 
directory of such a server, the user would need to be able to login locally to the server

first (that directory is not normally "shared" in the network).
I would argue that if normal users can do that, you have bigger security issues than 
access to the Tomcat conf directory.
- the shutdown port, as far as I remember, is only accessible from "localhost". So in 
order to send a shutdown command, a user would first have to be logged-in on the server 
directly. See previous point.
- the Tomcat webapps directory is also not normally accessible from outside of the server.

  To install applications, one can use the Manager, which is protected by Tomcat security.

I am sure that others will come up with other such administrivia.

The Tomcat Windows Installer is not perfect (what ever is?), but it is mercifully simple,

and allows Tomcat to be installed easily on most Windows platforms.
It could maybe offer an additional option at the beginning, to choose a "more secure" 
installation, with its "conf" sub-directory only accessible by local Administrators e.g.
But more options means more complexity means more possibilities of screwing up and more 
help needed for novice installers.  So there is a trade-off somewhere.

As M.E. would say, "just my 2 cents"..

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message