tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier>
Subject Re: Some security-related questions / enhancements for the Windows Installer
Date Thu, 19 Dec 2013 16:16:46 GMT
Konstantin Preißer wrote:
> Sorry for the spam...
>> -----Original Message-----
>> From: Konstantin Preißer []
>> Sent: Wednesday, December 18, 2013 8:00 PM
>> To: 'Tomcat Users List'
>> Subject: RE: Some security-related questions / enhancements for the
>> Windows Installer
>>> -----Original Message-----
>>> From: Konstantin Preißer []
>>> Sent: Wednesday, December 18, 2013 6:24 PM
>>>> - the user group "Administrators" is the name in English.  In other locales,
>> it
>>> is
>>>> different (French : Administrateurs; German : Administratoren; Spanish:
>>>> Administratores,
>>>> etc.). That can be overcome, but also would complicate the installer.
>>> OK, but I'd think there is a way to use non-local names when modifying file
>>> ACLs (or at least get the localized name).
>> It works e.g. with icacls.exe, but I haven't tried WinAPIs.
>> I was able to grant the "NetworkService" user full access to the folder
>> "C:\testfolder" and subdirectories/files with any of the following commands
>> (on a german Windows Server 2012 R2):
>> 1) icacls testfolder /grant NetworkService:(OI)(CI)(F)
>> 2) icacls testfolder /grant *S-1-5-20:(OI)(CI)(F)
>> 3 icacls testfolder /grant Netzwerkdienst:(OI)(CI)(F)
>> 1) uses the non-local name "NetworkService".
>> 2) uses the numeric SID for NetworkService as described at [1] which is
>> identical on each windows system. However, this SID is only available since
>> Windows Vista and Server 2008.
> Sorry, that was wrong - I misread the "Note Added in Windows Vista and Windows Server
2008" description, it belongs to another SID.
> The SID S-1-5-20 for the NetworkService (and related SIDs) also work in Windows Server
>> 3) uses a localized account name.
>> So I think localized account names shouldn't be an issue for the installer (but
>> I'm nut sure running icacls.exe is the best way for an Installer to set file
>> permissions - I haven't checked how that works e.g. with WinAPIs).
>> Note however, that using "Administrators" with icacls.exe didn't work for me
>> (the localized name "Administratoren" worked), but the numeric SID of
>> Administrators, S-1-5-32-544, did work.
> It also did not work for me with "Local Service", whereas "S-1-5-19" or "Lokaler Dienst"
>> [1]

In the meantime, I checked on my (venerable and also German) Windows XP SP3 laptop, and 
the LocalService and NetworkService accounts also exist indeed, although under the names
"NETZWERKDIENST" and "LOKALER DIENST" (as written, capitals and all).  So Jeffrey was 
right, but you'd probably need to use their SID and find out the non-localised names.

I attach a screenshot of the dialog under XP, changing the startup user of the Tomcat 6 
service to start under "LOKALER DIENST".  The list will probably skip it, but I copied you

directly too.
(The funny thing is that it tends to imply that the account "LOKALER DIENST" under XP, 
does not by default have the permissions required to run a local service..)

It could even be started and stopped, without any further file permissions changes :

[2013-12-19 17:07:34] [info] Procrun ( started
[2013-12-19 17:07:34] [info] Running Service...
[2013-12-19 17:07:34] [info] Starting service...
[2013-12-19 17:07:45] [info] Service started in 11500 ms.
[2013-12-19 17:07:58] [info] Stopping service...
[2013-12-19 17:08:00] [info] Service stopped.
[2013-12-19 17:08:00] [info] Run service finished.
[2013-12-19 17:08:00] [info] Procrun finished.

So personally too, I think it may be a good idea to install Tomcat as "LocalService" 
rather than "LocalSystem" in the future.
If only because it reduces the permissions of Tomcat, and thus theoretically the 
possibility of mischief by Tomcat apps.

View raw message