DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22405>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22405

Summary: warn if not deploy with umask "0077" or if deployed as "root" and provide tutorial URL "Secure deployment"

[EMAIL PROTECTED] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[EMAIL PROTECTED]
            Summary|deploy as 700 and additional|warn if not deploy with
                   |attribute to be less        |umask "0077" or if deployed
                   |restrictive                 |as "root" and provide
                   |                            |tutorial URL "Secure
                   |                            |deployment"

------- Additional Comments From [EMAIL PROTECTED] 2003-08-14 14:12 -------

Ok, I might have misunderstood somebody such that I thought that Tomcat only runs under root, which it obviously does not (I tested it now; and yes, even before this post, I did use sudo).

In order to avoid novices like myself falling into these traps, I suggest the following 3 enhancements:

1) warn if Tomcat sees itself running as "root" and print a tutorial URL into catalina.out
2) warn if Tomcat sees its umask as being other than ***7 (i.e. if its output is world-readable) and print the same tutorial URL
3) create the tutorial page on how to deploy securely (I am happy to be the first tester/contributor there!)

Re: how to set owners/permissions from inside Java --> a quick Google search yielded the following (untested) results:
http://www.aoindustries.com/docs/aocode-public/com/aoindustries/io/unix/UnixFile.html
http://www.xenonsoft.demon.co.uk/products/javaunix/docs/api/javaunix/io/UnixFile.html

Former "Summary: deploy as 700 and additional attribute to be less restrictive"

Further safeguard ideas to achieve secure deployment out of the Java-oriented world (Tomcat/Ant) are described in http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22370 and http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22417 .
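Added example, not part of the bug report or of Tomcat itself: a POSIX sh pre-flight check of the kind the comment proposes (enhancements 1 and 2), written as a function that a startup script such as catalina.sh could call before launching the JVM. Java cannot read the process umask directly, so the check belongs in the shell wrapper that inherits it; the tutorial URL is a placeholder, since the bug names no page.

```shell
#!/bin/sh
# Constructed example: startup checks for "running as root" and
# "umask leaves Tomcat's files world-readable". Not Tomcat code.
TUTORIAL_URL="https://example.invalid/tomcat-secure-deployment"  # placeholder

# check_deploy_env UID UMASK
# Takes the values as arguments so it can be exercised without changing
# the caller's real uid or umask. Prints one warning per problem to stderr
# and returns the number of problems found (0 means the environment is fine).
check_deploy_env() {
    uid="$1"
    mask="$2"
    problems=0

    # Enhancement 1: refuse to run silently as uid 0.
    if [ "$uid" -eq 0 ]; then
        echo "WARNING: Tomcat is running as root; see $TUTORIAL_URL" >&2
        problems=$((problems + 1))
    fi

    # Enhancement 2: the "other" digit of the umask must be 7 (***7), i.e.
    # all permission bits for other users masked off, so logs, the work
    # directory and deployed webapps are never created world-readable.
    case "$mask" in
        ""|*[!0-7]*)
            echo "WARNING: cannot parse umask '$mask'" >&2
            problems=$((problems + 1))
            return $problems ;;
    esac
    other=${mask#"${mask%?}"}   # last octal digit = permissions for "other"
    if [ "$other" != "7" ]; then
        echo "WARNING: umask is $mask; files created by Tomcat will be" \
             "readable by other users. Use umask 0077; see $TUTORIAL_URL" >&2
        problems=$((problems + 1))
    fi
    return $problems
}

# Live check against the current process, as a startup script would call it.
check_current_env() {
    check_deploy_env "$(id -u)" "$(umask)"
}
```

Both `umask` outputs seen in practice (`0022` from bash, `022` from some shells) end in the "other" digit, which is all the check looks at.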