Hi, I want to secure a tomcat I have been setting up as a heartbeat resource.
Because I lack any Tomcat knowledge (I only have the docs at hand), I first simply compared how other Tomcats around here were set up. But that only made me shudder, as I seemed to glimpse into a gaping security abyss. Well, for intranet usage this might remotely be passable.

First I wondered why they were started as a root process. For an Apache webserver this is plausible to me, since there is a User directive (which is usually set to www, nobody or similar). Apache starts as a root process because it needs to bind its listening socket to a privileged port and open handles to logfiles, pipes, unix sockets etc. that usually reside in root-only-writable dirs. But it spawns child procs for servicing all clients as User. However, with Tomcat (owing to its threading nature?) things seem quite different.

I first tried to run catalina.sh by prepending a "su tomcat" in my wrapper script, after having created a locked tomcat account with nologin as login shell, exactly like the apache account was set up. (N.b. this is on a Linux box, as can be seen.) (Because the account is locked and passwordless, there is no need to conceal the shadow entries here.)

  # egrep apache\|tomcat /etc/{passwd,shadow}
  /etc/passwd:apache:x:48:48:Apache:/var/www/apache:/sbin/nologin
  /etc/passwd:tomcat:x:49:48:Tomcat:/var/www/tomcat:/sbin/nologin
  /etc/shadow:apache:!!:13172::::::
  /etc/shadow:tomcat:!!:13185::::::

Although this works fine for the Apache webserver

  # ps -o user,pid,ppid,tty,stime,comm -C httpd
  USER     PID   PPID  TT STIME COMMAND
  root     22072 1     ?  10:02 httpd
  apache   22074 22072 ?  10:02 httpd
  apache   22075 22072 ?  10:02 httpd
  apache   22076 22072 ?  10:02 httpd
  apache   22077 22072 ?  10:02 httpd
  apache   22078 22072 ?  10:02 httpd
  apache   22079 22072 ?  10:02 httpd
  apache   22080 22072 ?  10:02 httpd
  apache   22081 22072 ?  10:02 httpd

this won't work for Tomcat:

  # su tomcat "$CATALINA_HOME/bin/catalina.sh start"
  This account is currently not available.
If I simply leave the login shell undefined

  # usermod -s "" tomcat
  # grep tomcat /etc/passwd
  tomcat:x:49:48:Tomcat:/var/www/tomcat:

and do the su

  # su tomcat -c "$CATALINA_HOME/bin/catalina.sh start"
  Using CATALINA_BASE:   /var/www/tomcat/5.5.15
  Using CATALINA_HOME:   /var/www/tomcat/5.5.15
  Using CATALINA_TMPDIR: /var/www/tomcat/5.5.15/temp
  Using JRE_HOME:        /usr/java/jre1.5.0_06
  touch: cannot touch `/var/www/tomcat/5.5.15/logs/catalina.out': Permission denied
  /var/www/tomcat/5.5.15/bin/catalina.sh: line 249: /var/www/tomcat/5.5.15/logs/catalina.out: Permission denied

tomcat naturally lacks write access to the logs dir. Well, I could simply chown that dir to tomcat, but I wouldn't consider this desirable. The Apache webserver's preforking mechanism is much more favourable. Besides, logfiles and similar should only be readable by root. Even if I set write access, the immediately following question would be to what other dirs Tomcat required write access too.

I also read about the Security Manager in the Tomcat docs (Security Manager Howto), and the -security switch one could pass to catalina.sh. But here I am unfamiliar with the proper format of $CATALINA_HOME/conf/catalina.policy. Is the Security Manager the preferred method to have Tomcat run in a sandbox? What policy options would one have to be especially careful about? Is there such a thing as a chroot mechanism available for Tomcat?

Regards
Ralph
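As an added example (not code from the post above or from Tomcat itself), here is a start wrapper of the kind a heartbeat resource script would call. It addresses the two failures shown in the post: "This account is currently not available" comes from su running the command through the tomcat account's login shell (/sbin/nologin), which `su -s /bin/sh` overrides for that one invocation without unlocking the account; and the "Permission denied" on catalina.out is handled by keeping $CATALINA_HOME root-owned except for the few directories Tomcat writes at runtime, with a pre-flight check that fails if anything else has become group- or world-writable. The account and group name "tomcat", the variable names TOMCAT_USER/TOMCAT_GROUP, and the 5.5-style directory list are assumptions for the example; the "-security" argument is the catalina.sh switch the post mentions, appended unchanged.

```shell
#!/bin/sh
# Added example, not code from the original post or from Tomcat itself.
# Start wrapper that runs catalina.sh as an unprivileged "tomcat" account whose
# login shell is /sbin/nologin, keeping $CATALINA_HOME root-owned except for
# the directories Tomcat must write. Assumed names: TOMCAT_USER, TOMCAT_GROUP,
# and the Tomcat 5.5-style layout listed in writable_dirs/prepare_layout.

TOMCAT_USER=${TOMCAT_USER:-tomcat}
TOMCAT_GROUP=${TOMCAT_GROUP:-tomcat}
CATALINA_HOME=${CATALINA_HOME:-/var/www/tomcat/5.5.15}

# The only directories Tomcat needs to write at runtime: logs (catalina.out and
# the juli log files), work (compiled JSPs) and temp (scratch). Everything else
# (bin, conf, common, server, shared, webapps) stays root-owned and read-only.
writable_dirs() {
    printf '%s\n' logs temp work
}

# "su user -c cmd" hands cmd to the user's login shell; with /sbin/nologin that
# only prints "This account is currently not available". "-s /bin/sh" overrides
# the shell for this invocation while the account stays locked for logins.
# A third argument of "security" appends -security so catalina.sh starts the
# JVM with the Security Manager and conf/catalina.policy.
build_start_cmd() {
    user=$1; home=$2; extra=""
    [ "$3" = security ] && extra=" -security"
    printf 'su -s /bin/sh %s -c "%s/bin/catalina.sh start%s"\n' "$user" "$home" "$extra"
}

# Octal mode of a path: GNU stat first, BSD stat as fallback.
mode_of() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Lay out $1 the way the wrapper expects: 750 on conf (server.xml may hold
# credentials, so "other" must not read it), 755 on the remaining read-only
# dirs, 770 on the dirs from writable_dirs. Ownership (root:tomcat, with the
# writable dirs tomcat:tomcat) is only applied when running as root and the
# group exists, so the function also works in a scratch directory for testing.
prepare_layout() {
    base=$1
    for d in bin common server shared webapps; do
        mkdir -p "$base/$d" && chmod 755 "$base/$d"
    done
    mkdir -p "$base/conf" && chmod 750 "$base/conf"
    for d in $(writable_dirs); do
        mkdir -p "$base/$d" && chmod 770 "$base/$d"
    done
    if [ "$(id -u)" -eq 0 ] && getent group "$TOMCAT_GROUP" >/dev/null 2>&1; then
        chown -R "root:$TOMCAT_GROUP" "$base"
        for d in $(writable_dirs); do
            chown "$TOMCAT_USER:$TOMCAT_GROUP" "$base/$d"
        done
    fi
}

# Pre-flight check run before dropping privileges: each top-level entry of $1
# must be group-writable exactly when it is listed in writable_dirs, and none
# may be world-writable. Reports every violation on stderr and returns 1.
check_layout() {
    base=$1; rc=0
    wanted=" $(writable_dirs | tr '\n' ' ')"
    for path in "$base"/*; do
        name=${path##*/}
        case "$wanted" in *" $name "*) want=writable ;; *) want=readonly ;; esac
        if [ -n "$(find "$path" -prune -perm -020)" ]; then have=writable; else have=readonly; fi
        if [ "$want" != "$have" ]; then
            echo "$name: expected $want, is $have" >&2; rc=1
        fi
        if [ -n "$(find "$path" -prune -perm -002)" ]; then
            echo "$name: world-writable" >&2; rc=1
        fi
    done
    return $rc
}

# Entry point for the resource script: "sh tomcat-wrapper.sh start" (as root)
# verifies the layout, then starts Tomcat as $TOMCAT_USER with the Security
# Manager enabled. Run prepare_layout "$CATALINA_HOME" once at install time.
if [ "${1:-}" = start ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root; the wrapper drops to $TOMCAT_USER itself" >&2; exit 1; }
    check_layout "$CATALINA_HOME" || exit 1
    eval "$(build_start_cmd "$TOMCAT_USER" "$CATALINA_HOME" security)"
fi
```

Note that catalina.sh appends its own output to logs/catalina.out, so the logs directory cannot be root-only if Tomcat runs as tomcat; the compromise taken here is to make logs writable by the tomcat account but not readable by anyone else (770, owned root:tomcat), and to keep conf at 750 so only root and the tomcat group can read server.xml.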