Bug#532284: Permissions for tomcat6

Ludovic Claude ludovic.claude at laposte.net
Wed Aug 19 14:23:52 UTC 2009


Hello Thierry,

Well, that sounds well argued, in particular the issue of permissions
for /etc/tomcat6.

Do you recommend reverting permissions in /etc/tomcat6 to root:root 640?

In any case, such security issues should have been well documented in
the package, to prevent ignorant maintainers (me!) from messing with
those sensitive issues.

Ludovic

Thierry Carrez wrote:
> I'm not sure it's a good change. When I worked on tomcat6 packaging, I
> changed the permissions used in tomcat5.5 on purpose.
> 
> /etc/tomcat6:
> 
> This was set to root:root 644, with two exceptions:
> - tomcat-users.xml that needs to be read by tomcat and hidden from users,
> so it is root:tomcat6 640
> - Catalina directory that should allow autodeploy of new contexts by
> tomcat, so it is root:tomcat6 775
> 
> The idea behind this was to specifically *exclude* the tomcat6 user from
> messing with key configuration files like server.xml or
> tomcat-users.xml, and it is a security measure against any traversal by
> the tomcat6 user.
> 
> Your argument is that "you need to be root to configure Tomcat". Well,
> this mimics what is done for every other daemon out there: allow root to
> configure it, and do not allow the user the daemon is run under to
> modify its own configuration. See /etc/apache2 for an example of this.
> 
> /var/lib/tomcat6/webapps:
> 
> This was set to 775 root:tomcat6 so that tomcat can autodeploy
> applications. Additionally, members of the tomcat6 group are also
> allowed to deploy applications.
> 
> Changing that to tomcat6:adm just transfers that capability from the
> "tomcat6" group to the "adm" group. Looks like we lose some granularity,
> and I fail to see why adding users to the tomcat6 group "does not look
> like a good idea". But I can live with that :)
> 
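
The layout described in the quoted message can be checked mechanically. The following is an added example, not part of the original message or of the Debian package: it lists everything under /etc/tomcat6 that the tomcat6 account can write, apart from the Catalina directory. The function names are hypothetical, and only POSIX mode bits are considered (no ACLs).

```python
import os
import stat


def can_write(st, uid, gids):
    """POSIX mode-bit write check for (uid, gids); ACLs are not considered."""
    if uid == 0:
        return True
    if st.st_uid == uid:              # owner class takes precedence
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:             # then the group class
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_config_tree(root, daemon_uid, daemon_gids, allowed=("Catalina",)):
    """Return sorted paths (relative to root) that the daemon account can write.

    Subtrees named in `allowed` are skipped: the quoted message makes Catalina
    group-writable on purpose so that Tomcat can autodeploy contexts.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            rel = os.path.relpath(path, root)
            if any(rel == a or rel.startswith(a + os.sep) for a in allowed):
                continue
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue              # symlink mode bits carry no meaning
            # A writable directory matters as much as a writable file: it
            # lets the daemon rename or replace a read-only server.xml.
            if can_write(st, daemon_uid, daemon_gids):
                findings.append(rel)
    return sorted(findings)


if __name__ == "__main__":
    import grp
    import pwd

    user = pwd.getpwnam("tomcat6")    # account name taken from the thread
    gids = {user.pw_gid} | {
        g.gr_gid for g in grp.getgrall() if user.pw_name in g.gr_mem
    }
    for rel in audit_config_tree("/etc/tomcat6", user.pw_uid, gids):
        print("tomcat6 can write:", rel)
```

An empty result means the daemon account cannot alter its own configuration outside Catalina; a result of `.` means the directory itself is writable, which defeats read-only modes on the files inside it.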





More information about the pkg-java-maintainers mailing list