tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Aurélien Terrestris <aterrest...@gmail.com>
Subject Re: Security Best Practices on Windows Service
Date Thu, 06 Nov 2014 12:46:22 GMT
>In my previous employment, we did that.  Create a local user account and
set permissions to the Tomcat installation directory and optional
CATALINA_BASE (if you separated them).

I agree with this (done hundreds of times), and you can set rights
with xcacls. However this reminds us that usually the webapps
directory must be writable for auto-deployment, as are temp, work and
even conf (uploading of META-INF/context.xml to conf/Catalina)
directories.
This is good but not sufficient for complete security. For example,
one still could exploit a vulnerability and introduce jsps of his own.
Of course this jsp could not write outside anything of TOMCAT_BASE,
but your website could be defaced or give a backdoor to a database.

2014-11-05 21:19 GMT+01:00 Leo Donahue <donahulf2@gmail.com>:
> On Wed, Nov 5, 2014 at 1:34 PM, Igal @ getRailo.org <igal@getrailo.org>
> wrote:
>
>> hi,
>>
>> what are the security best practices for running Tomcat as a Windows
>> Service?
>>
>> is the local system account safe
>
>
> Define safe.  LocalSystem has too many privs that a Tomcat service account
> doesn't need in my opinion.
>
> or am I better off creating a new user
>> and giving it write permissions only to the Tomcat runtime folders and
>> read permissions to the web contents folder?
>>
>>
> In my previous employment, we did that.  Create a local user account and
> set permissions to the Tomcat installation directory and optional
> CATALINA_BASE (if you separated them).  We did not use domain accounts for
> the Tomcat service account because the Tomcat service account did not need
> access to network resources in our setup.  Create a strong password.
>
> Leo

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message