Subject: Re: Tomcat log files - Strict permissions - setuid
From: Christopher Schultz
To: Tomcat Users List <users@tomcat.apache.org>
Date: Thu, 03 Dec 2015 09:28:36 -0500
Message-id: <56605194.2020905@christopherschultz.net>

Andres,

On 12/3/15 8:42 AM, Andres Riancho wrote:
> List,
>
> I'm trying to secure my tomcat instances. One of the steps I took
> was to run the tomcat process using the non-privileged "tomcat" user,
> and set the file system permissions as restrictive as possible. It all
> works well, but there is something missing: "The tomcat user is able
> to read the access log files":
>
> root@7083cdc8e2fc:/apps/tomcat/logs# ls -la
> ...
> -rw-rw---- 1 tomcat tomcat 0 Dec 1 19:46 0.0.0.0_access_log.2015-12-01.txt
>
> Is there any way to configure tomcat to be able to write to the
> access log file, but have the file owned by root with permissions 600?
> I understand that this is done by starting the tomcat process as root
> and then dropping privileges using setuid(), but was unable to find
> something already built / well documented.

How do you launch Tomcat? If you use the scripts, you could use
something like bin/setenv.sh to check the permissions of the log files
and refuse to start if they aren't the way you want them.

For files that don't already exist, you'll have to refuse to start if
they don't exist, because a process can't create a new file owned by
another user. You'd have to disable file-rotation because of the same
problem.
Are you more worried about a hostile web application running within
your server, a hostile remote user, a vulnerability in a web
application, or a vulnerability in Tomcat?

-chris
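One way to implement the startup check Chris describes, as an added example (not code from the original thread or the Tomcat project): a POSIX sh fragment for a hypothetical bin/setenv.sh that refuses to start unless each named access log already exists with the expected owner (numeric uid, 0 for root) and mode. It assumes GNU or BSD stat, that the log file names are passed in explicitly, and that file rotation is disabled, as the reply notes, since the running process could not create a replacement file with those permissions.

```shell
#!/bin/sh
# Hypothetical bin/setenv.sh fragment (added example): verify that each
# access log exists with the expected owner and mode before Tomcat starts.

# file_owner_mode FILE -> prints "<uid> <octal mode>", e.g. "0 600".
# Tries GNU stat first, then BSD/macOS stat.
file_owner_mode() {
    stat -c '%u %a' "$1" 2>/dev/null || stat -f '%u %Lp' "$1" 2>/dev/null
}

# check_log_file FILE UID MODE
#   returns 0 if FILE exists with owner UID and mode MODE,
#           1 if FILE is missing (a process running as "tomcat" cannot
#             create a root-owned file, so startup must stop here),
#           2 if the owner or mode does not match.
check_log_file() {
    file="$1"; want_uid="$2"; want_mode="$3"
    [ -e "$file" ] || { echo "missing log file: $file" >&2; return 1; }
    # Word-split the "uid mode" pair into $1 and $2 (wanted values were saved above).
    set -- $(file_owner_mode "$file")
    if [ "$1" != "$want_uid" ] || [ "$2" != "$want_mode" ]; then
        echo "bad permissions on $file: uid=$1 mode=$2 (want uid=$want_uid mode=$want_mode)" >&2
        return 2
    fi
    return 0
}

# check_all_logs DIR UID MODE NAME... -> 0 only if every named log passes.
# All files are checked so the operator sees every problem in one run.
check_all_logs() {
    dir="$1"; uid="$2"; mode="$3"; shift 3
    status=0
    for name in "$@"; do
        check_log_file "$dir/$name" "$uid" "$mode" || status=1
    done
    return $status
}

# In a real setenv.sh this would abort startup, e.g. (constructed log name):
#   check_all_logs "$CATALINA_BASE/logs" 0 600 \
#       "0.0.0.0_access_log.$(date +%Y-%m-%d).txt" || exit 1
```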