[Tomcat-users] running tomcat with root user

Epicwinter
Feb 1, 2009 at 3:25 am
I have the latest tomcat 6 installed under centos 5.2. The problem I am having is that it appears that I have to run tomcat as root user, because the spring app that tomcat starts needs to write files to other users' home directories. The tomcat user doesn't have access to these directories.

I tried making these users part of a shared group, but to complicate the problem the users are jailed using jailkit. So it doesn't appear that jailkit lets me add group write privileges to the home directories and maintain a working jail.

Can anyone suggest another alternative? I am not a linux user expert, so maybe there is an obvious solution I am missing?
thanks




_________________________________________________________________
Windows Live™ Hotmail®…more than just e-mail.
http://windowslive.com/howitworks?ocid=TXT_TAGLM_WL_t2_hm_justgotbetter_howitworks_012009

18 responses

  • André Warnier at Feb 1, 2009 at 10:09 am

    epicwinter@hotmail.com wrote:
    > I have the latest tomcat 6 installed under centos 5.2. The problem I am having is that it appears that I have to run tomcat as root user, because the spring app that tomcat starts needs to write files to other users' home directories. The tomcat user doesn't have access to these directories.
    >
    > I tried making these users part of a shared group, but to complicate the problem the users are jailed using jailkit. So it doesn't appear that jailkit lets me add group write privileges to the home directories and maintain a working jail.
    >
    > Can anyone suggest another alternative? I am not linux user expert so maybe there is an obvious solution i am missing?

    If you are courageous, you could try using ACLs.
    One pre-requisite is that the filesystem type on which the users'
    directories are located must support ACLs. The other pre-requisite is
    that ACLs be actually enabled on that filesystem. This has to do with
    the "mount" command that mounts the filesystem.
    I am no specialist myself, and you'll have to get some help from a Linux
    forum for that.
    The next part is to understand the commands that deal with ACLs, and
    that is why I said that you have to be courageous. They are not for the
    faint-hearted.
    Try :
    man setfacl
    man getfacl

    Very briefly :
    ACL = Access Control List
    They are a possibility to set access permissions to files and
    directories, in a more detailed and flexible way than Unix usual
    "rwxrwxrwx"-style permissions.
    You can have a directory belonging to user X and group Y, but still
    allow users of group Z (e.g. Tomcat) to write to it.

    All of the above of course may or may not be compatible with the "jail"
    you are mentioning. I make no guarantees there.
    And otherwise, you'll have to run Tomcat as root and that's it.


    ---------------------------------------------------------------------
    To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
    For additional commands, e-mail: users-help@tomcat.apache.org
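    The ACL route described above, as an added example that is not part of the thread and not the author's code: it grants a second group write access to one user's upload directory with setfacl, adds a default entry so later files inherit it, and checks the result with getfacl. The directory is a temporary one the script creates, and the caller's own primary group id stands in for the "tomcat" group so it runs without root; both are assumptions made here for illustration.

    ```sh
    #!/bin/sh
    # Added example (not from the thread): let a second group write into a user's
    # upload directory with POSIX ACLs, so Tomcat can stay an unprivileged user.
    # Assumptions for this illustration: the directory is a temporary one created
    # here, and the caller's own primary group stands in for the "tomcat" group.

    # acl_supported DIR: succeeds if setfacl/getfacl are installed and DIR's
    # filesystem accepts ACL entries (older ext3/ext4 need the "acl" mount option).
    acl_supported() {
        command -v setfacl >/dev/null 2>&1 || return 1
        command -v getfacl >/dev/null 2>&1 || return 1
        probe="$1/.aclprobe.$$"
        : > "$probe" || return 1
        if setfacl -m "u:$(id -u):rw" "$probe" >/dev/null 2>&1; then
            rm -f "$probe"; return 0
        fi
        rm -f "$probe"; return 1
    }

    # grant_group_write DIR GID: leave owner/group/other bits alone and add
    #  - an access ACL, so GID can create files in DIR from now on, and
    #  - a default ACL, so files and subdirectories created in DIR later inherit
    #    the entry without any chmod/chgrp inside the webapp.
    grant_group_write() {
        setfacl -m "g:$2:rwx" "$1" || return 1
        setfacl -d -m "g:$2:rwx" "$1" || return 1
    }

    # inherited_group_rights FILE GID: the named group's entry on FILE as getfacl
    # prints it with numeric ids (for example "group:1000:rwx"), or nothing.
    inherited_group_rights() {
        getfacl -n -c "$1" 2>/dev/null | grep "^group:$2:" | head -n 1
    }

    # acl_demo: builds the scenario in a temp dir and prints one word:
    #   ok           the new file carried the inherited group entry
    #   unsupported  no ACL tools, or a filesystem without ACL support
    #   failed       ACL commands ran but the entry was not inherited
    acl_demo() {
        base=$(mktemp -d) || { echo failed; return 1; }
        home="$base/jaileduser1"
        mkdir -m 0750 "$home"
        if ! acl_supported "$base"; then
            rm -rf "$base"; echo unsupported; return 0
        fi
        gid=$(id -g)
        grant_group_write "$home" "$gid" || { rm -rf "$base"; echo failed; return 1; }
        # Create the file the way Tomcat would, under umask 002: the file's group
        # bits become the ACL mask, so a stricter umask would silently cap the
        # inherited rwx entry to read-only ("#effective:r--" in getfacl output).
        ( umask 002; : > "$home/upload.txt" )
        entry=$(inherited_group_rights "$home/upload.txt" "$gid")
        rm -rf "$base"
        case "$entry" in
            "group:$gid:rw"*) echo ok ;;
            *) echo failed; return 1 ;;
        esac
    }

    acl_demo
    ```

    The probe in acl_supported is the check for the two pre-requisites mentioned above (tools present, filesystem mounted with ACL support); on a current ext4 system ACLs are on by default, and `mount | grep acl` or `tune2fs -l` on the device will tell you either way. The default ACL is what makes this "stick to the directory": the webapp never has to know about permissions, but the mask caveat means the process umask still matters.
    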
  • Epicwinter at Feb 1, 2009 at 7:37 pm

    > Date: Sun, 1 Feb 2009 11:04:10 +0100
    > From: aw@ice-sa.com
    > To: users@tomcat.apache.org
    > Subject: Re: running tomcat with root user
    >
    > epicwinter@hotmail.com wrote:
    > > I have the latest tomcat 6 installed under centos 5.2. The problem I am having is that it appears that I have to run tomcat as root user, because the spring app that tomcat starts needs to write files to other users' home directories. The tomcat user doesn't have access to these directories.
    > >
    > > I tried making these users part of a shared group, but to complicate the problem the users are jailed using jailkit. So it doesn't appear that jailkit lets me add group write privileges to the home directories and maintain a working jail.
    > >
    > > Can anyone suggest another alternative? I am not linux user expert so maybe there is an obvious solution i am missing?
    >
    > If you are courageous, you could try using ACL's.
    > One pre-requisite is that the filesystem type on which the users's
    > directories are located, must support ACL. The other pre-requisite is
    > that ACLs be actually enabled on that filesystem. This has to do with
    > the "mount" command that mounts the filesystem.
    > I am no specialist myself, and you'll have to get some help from a Linux
    > forum for that.
    > The next part is to understand the commands that deal with ACL's, and
    > that is why I said that you have to be courageous. They are not for the
    > faint-hearted.
    > Try :
    > man setfacl
    > man getfacl
    >
    > Very briefly :
    > ACL = Access Control List
    > They are a possibility to set access permissions to files and
    > directories, in a more detailed and flexible way than Unix usual
    > "rwxrwxrwx"-style permissions.
    > You can have a directory belonging to user X and group Y, but still
    > allow users of group Z (e.g. Tomcat) to write to it.
    >
    > All of the above of course may or may not be compatible with the "jail"
    > you are mentioning. I make no guarantees there.
    > And otherwise, you'll have to run Tomcat as root and that's it.

    Thanks for the reply and suggestion , i am doing some heavy reading right now on ACLs. Very interesting, looks like a possible solution. I am doing this on a remote server with one drive so I am a little nervous about making these changes and seeing if it comes back up. I am also concerned if there would be a performance hit. I really wish there was a simpler solution. I wonder how insecure it really would be to run tomcat as root or if there was a way to make it "more" secure


  • André Warnier at Feb 1, 2009 at 8:19 pm

    epicwinter@hotmail.com wrote:
    > Thanks for the reply and suggestion , i am doing some heavy reading right now on ACLs. Very interesting, looks like a possible solution. I am doing this on a remote server with one drive so I am a little nervous about making these changes and seeing if it comes back up. I am also concerned if there would be a performance hit. I really wish there was a simpler solution. I wonder how insecure it really would be to run tomcat as root or if there was a way to make it "more" secure

    As far as I know, Tomcat itself is very secure and unlikely to do
    dangerous things by itself. The problem is more at the level of
    non-Tomcat code which you are going to add to it. If there is a bug in
    that code, well now you will be running that code as root, which means
    that there will be little to constrain it if it decides to overwrite
    /etc/passwd.

    You could always constrain that code a bit, and activate the "security
    manager" in the JVM that is running Tomcat. I am no great specialist
    (nor of Tomcat nor of Java by the way), but as far as I know, that is
    the kind of situation where the java security manager should help, and
    it is normally already configured and only needs to be activated.
    I don't recall where you got your Tomcat from, but if you are under
    Linux and have used the platform package installer, chances are good
    that you will find a directory somewhere around /etc/tomcatx/conf.d (or
    policy.d), where you find some files having entries like :

    // These permissions apply to all shared system extensions when
    // ${java.home} points at $JAVA_HOME/jre
    grant codeBase "file:${java.home}/lib/ext/-" {
        permission java.security.AllPermission;
    };

    (the above by the way not being something to just copy)

    I believe you could use it to allow some specific webapps to write to
    specific places but not outside of that.
    That of course only works if you run Tomcat as root, it will not allow
    you to give the Tomcat user more rights than the OS allows to some
    filesystem place.




  • Peter Crowther at Feb 1, 2009 at 1:00 pm

    > From: epicwinter@hotmail.com
    > I have the latest tomcat 6 installed under centos 5.2. The
    > problem I am having is that it appears that I have to run
    > tomcat as root user, because the spring app that tomcat
    > starts needs to write files to other users' home directories.
    > The tomcat user doesn't have access to these directories.
    >
    > I tried making these users part of a shared group, but to
    > complicate the problem the users are jailed using jailkit.
    > So it doesn't appear that jailkit lets me add group write
    > privileges to the home directories and maintain a working jail.
    >
    > Can anyone suggest another alternative? I am not linux user
    > expert so maybe there is an obvious solution i am missing?

    Beyond Andre's solution of ACLs, there's another one that's more complex but might be more secure. It requires a slight shift in architecture.

    1) Run Tomcat as the tomcat user. Change the way it writes files, so that instead of writing to the user directory it writes the details to a queue that you have control over. That could be a database, or a chunk of filestore.

    2) Write a second daemon that runs as root, that reads the queue, does whatever checks you require so that it believes the queued requests are genuine, then writes the queued items to the users' directories.

    This reduces the attack surface of the system, in that tomcat's not running as root. You'd have to be careful with the security of the daemon and the queue but, if well-designed, the overall security may be better than running Tomcat as root.

    - Peter

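    The split Peter describes (unprivileged Tomcat writes a request to a queue; a separate privileged process validates it and does the write into the home directory), as an added example that is not from the thread and not Peter's code. The spool layout, the request format ("user<TAB>filename" on the first line, payload after it) and the user allow-list are assumptions made for this illustration; the point is the checks the privileged side performs before it trusts anything the queue contains.

    ```sh
    #!/bin/sh
    # Added example (not from the thread): the "queue plus privileged writer"
    # architecture. Tomcat drops one request file per upload into SPOOL; a
    # separate process (root in production, unprivileged here) drains SPOOL and
    # is the only thing that ever writes into user home directories.
    # Constructed request file format (an assumption for this illustration):
    #   line 1:  jaileduser1<TAB>report.txt
    #   rest:    file payload

    # valid_user NAME: the writer serves an explicit allow-list of home
    # directories, never whatever name a queued request claims.
    valid_user() {
        case "$1" in
            jaileduser1|jaileduser2) return 0 ;;
            *) return 1 ;;
        esac
    }

    # valid_name NAME: a bare file name only: no slashes, no "." or "..", not
    # empty, so a request cannot steer the privileged writer out of the home.
    valid_name() {
        case "$1" in
            ""|*/*|.|..) return 1 ;;
            *) return 0 ;;
        esac
    }

    # deliver REQUEST HOMES: validate the request, then copy its payload into
    # HOMES/<user>/<name>. Prints "delivered <user> <name>" or "rejected <why>".
    deliver() {
        req="$1"; homes="$2"
        IFS=$(printf '\t') read -r user name < "$req" || { echo "rejected unreadable"; return 1; }
        valid_user "$user" || { echo "rejected user"; return 1; }
        valid_name "$name" || { echo "rejected name"; return 1; }
        dest="$homes/$user"
        # Refuse a home that is a symlink, and a pre-existing symlink at the target,
        # so a user cannot redirect the privileged write elsewhere.
        [ -d "$dest" ] && [ ! -L "$dest" ] || { echo "rejected home"; return 1; }
        [ ! -L "$dest/$name" ] || { echo "rejected symlink"; return 1; }
        # Payload is everything after the header line; group read/write matches
        # the shared-group layout discussed in the thread.
        tail -n +2 "$req" > "$dest/$name" && chmod 0660 "$dest/$name" || { echo "rejected write"; return 1; }
        # A real daemon running as root would also chown the file to "$user" here.
        echo "delivered $user $name"
    }

    # drain SPOOL HOMES: handle every request exactly once (the request file is
    # removed whether it was delivered or rejected); prints the delivered count.
    drain() {
        spool="$1"; homes="$2"; n=0
        for f in "$spool"/*.req; do
            [ -e "$f" ] || continue
            if deliver "$f" "$homes" >/dev/null; then n=$((n + 1)); fi
            rm -f "$f"
        done
        echo "$n"
    }

    # demo: constructed spool with one good request and two that must be
    # rejected (a path escape and a user not on the allow-list).
    demo() {
        root=$(mktemp -d); spool="$root/spool"; homes="$root/home"
        mkdir -p "$spool" "$homes/jaileduser1" "$homes/jaileduser2"
        printf 'jaileduser1\treport.txt\nhello\n' > "$spool/1.req"
        printf 'jaileduser1\t../../etc/passwd\nx\n' > "$spool/2.req"   # must be rejected: path escape
        printf 'root\tauthorized_keys\nx\n' > "$spool/3.req"            # must be rejected: unknown user
        delivered=$(drain "$spool" "$homes")
        content=$(cat "$homes/jaileduser1/report.txt" 2>/dev/null)
        rm -rf "$root"
        echo "$delivered:$content"
    }

    demo
    ```

    This is where the "be careful with the security of the daemon and the queue" part lands: the privileged side treats the queue as untrusted input and decides the destination from its own allow-list and a validated bare file name, not from a path the webapp hands it. The timing concern raised later in the thread still applies; a drain loop only narrows the window, it does not remove it.
    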
  • Epicwinter at Feb 1, 2009 at 7:39 pm

    > From: Peter.Crowther@melandra.com
    > To: users@tomcat.apache.org
    > Date: Sun, 1 Feb 2009 12:59:33 +0000
    > Subject: RE: running tomcat with root user
    > > From: epicwinter@hotmail.com
    > > I have the latest tomcat 6 installed under centos 5.2. The
    > > problem I am having is that it appears that I have to run
    > > tomcat as root user, because the spring app that tomcat
    > > starts needs to write files to other users' home directories.
    > > The tomcat user doesn't have access to these directories.
    > >
    > > I tried making these users part of a shared group, but to
    > > complicate the problem the users are jailed using jailkit.
    > > So it doesn't appear that jailkit lets me add group write
    > > privileges to the home directories and maintain a working jail.
    > >
    > > Can anyone suggest another alternative? I am not linux user
    > > expert so maybe there is an obvious solution i am missing?
    > Beyond Andre's solution of ACLs, there's another one that's more complex but might be more secure. It requires a slight shift in architecture.
    >
    > 1) Run Tomcat as the tomcat user. Change the way it writes files, so that instead of writing to the user directory it writes the details to a queue that you have control over. That could be a database, or a chunk of filestore.
    >
    > 2) Write a second daemon that runs as root, that reads the queue, does whatever checks you require so that it believes the queued requests are genuine, then writes the queued items to the users' directories.
    >
    > This reduces the attack surface of the system, in that tomcat's not running as root. You'd have to be careful with the security of the daemon and the queue but, if well-designed, the overall security may be better than running Tomcat as root.
    >
    > - Peter

    Peter- I am considering options like this, the problem which complicates my situation more is that the remote client accesses the files written immediately after they are written and I don't want to deal with timing issues of the daemon running before the client needs to access the files.

  • Brian Millett at Feb 1, 2009 at 1:38 pm

    On Sat, 2009-01-31 at 19:25 -0800, epicwinter@hotmail.com wrote:
    > I have the latest tomcat 6 installed under centos 5.2. The problem I am having is that it appears that I have to run tomcat as root user, because the spring app that tomcat starts needs to write files to other users' home directories. The tomcat user doesn't have access to these directories.
    >
    > I tried making these users part of a shared group, but to complicate the problem the users are jailed using jailkit. So it doesn't appear that jailkit lets me add group write privileges to the home directories and maintain a working jail.
    >
    > Can anyone suggest another alternative? I am not linux user expert so maybe there is an obvious solution i am missing?
    > thanks

    http://commons.apache.org/daemon/jsvc.html


    works great, less filling.

    --
    Brian Millett - [ Morden (to Londo), "Revelations"]
    "The Narns will never be able to prove it was done at your instigation.
    and, based on your promise to take care of it, your government accepts
    your responsibility without question or hesitation. Perfect symmetry.
    I believe that this little demonstration will bring you some very
    interesting propositions."
  • Peter Crowther at Feb 1, 2009 at 3:51 pm

    > From: Brian Millett
    > On Sat, 2009-01-31 at 19:25 -0800, epicwinter@hotmail.com wrote:
    > > I have the latest tomcat 6 installed under centos 5.2. The
    > > problem I am having is that it appears that I have to run
    > > tomcat as root user, because the spring app that tomcat
    > > starts needs to write files to other users' home directories.
    > > The tomcat user doesn't have access to these directories.
    > > I tried making these users part of a shared group, but to
    > > complicate the problem the users are jailed using jailkit.
    > > So it doesn't appear that jailkit lets me add group write
    > > privileges to the home directories and maintain a working jail.
    > > Can anyone suggest another alternative? I am not linux
    > > user expert so maybe there is an obvious solution i am missing?
    > > thanks
    > http://commons.apache.org/daemon/jsvc.html

    Brian, how does this help the OP with their problem that the *application* needs to write to user directories?

    - Peter

  • Rusty Wright at Feb 2, 2009 at 5:58 am
    Are you sure about the group write permissions? I glanced at the jailkit web page and it looks like it's sugar coating and chrome around a chroot. So I would think that using unix groups would work. And on the flip side, if unix groups don't work, it seems to me that ACLs wouldn't either.


    epicwinter@hotmail.com wrote:
    > I have the latest tomcat 6 installed under centos 5.2. The problem I am having is that it appears that I have to run tomcat as root user, because the spring app that tomcat starts needs to write files to other users' home directories. The tomcat user doesn't have access to these directories.
    >
    > I tried making these users part of a shared group, but to complicate the problem the users are jailed using jailkit. So it doesn't appear that jailkit lets me add group write privileges to the home directories and maintain a working jail.
    >
    > Can anyone suggest another alternative? I am not linux user expert so maybe there is an obvious solution i am missing?
    > thanks




  • Epicwinter at Feb 2, 2009 at 7:25 pm
    You are correct, I found a setting that relaxes the group access permissions on the jailkit.

    Now I just have one more problem. When tomcat creates files in these user directories I need the permissions to be set appropriately. What is the best way to set the umask value when running tomcat using jsvc?

    > Date: Sun, 1 Feb 2009 21:58:11 -0800
    > From: rusty.wright@gmail.com
    > To: users@tomcat.apache.org
    > Subject: Re: running tomcat with root user
    >
    > Are you sure about the group write permissions? I glanced at the jailkit web page and it looks like it's sugar coating and chrome around a chroot. So I would think that using unix groups would work. And on the flip side, if unix groups don't work, it seems to me that ACLs wouldn't either.
    >
    > epicwinter@hotmail.com wrote:
    > > I have the latest tomcat 6 installed under centos 5.2. The problem I am having is that it appears that I have to run tomcat as root user, because the spring app that tomcat starts needs to write files to other users' home directories. The tomcat user doesn't have access to these directories.
    > >
    > > I tried making these users part of a shared group, but to complicate the problem the users are jailed using jailkit. So it doesn't appear that jailkit lets me add group write privileges to the home directories and maintain a working jail.
    > >
    > > Can anyone suggest another alternative? I am not linux user expert so maybe there is an obvious solution i am missing?
    > > thanks




  • André Warnier at Feb 2, 2009 at 7:52 pm

    epicwinter@hotmail.com wrote:
    > You are correct, I found a setting that relaxes the group access permissions on the jailkit.
    >
    > Now I just have one more problem. When tomcat creates files in these user directories I need the permissions to be set appropriately. What is the best way to set the umask value when running tomcat using jsvc?

    That's a good question.
    I don't think jsvc would take any account of the Tomcat user's .profile
    file.
    ACLs would allow you to do that however :-)
    (Seriously, I believe you can set an ACL on the target directory that
    would make it so that when this particular user (Tomcat) creates a file
    there, it has by default a given set of permissions).
    Otherwise, you might have to do some kind of chmod from within your
    webapp itself, after it creates the file. I don't know what Java method
    that would be.


  • André Warnier at Feb 2, 2009 at 8:10 pm

    André Warnier wrote:
    > epicwinter@hotmail.com wrote:
    > > You are correct, I found a setting that relaxes the group access
    > > permissions on the jailkit.
    > > Now I just have one more problem. When tomcat creates files in these
    > > user directories I need the permissions to be set appropriately. What
    > > is the best way to set the umask value when running tomcat using jsvc?
    > That's a good question.
    > I don't think jsvc would take any account of the Tomcat user's .profile
    > file.
    > ACLs would allow you to do that however :-)
    > (Seriously, I believe you can set an ACL on the target directory that
    > would make it so that when this particular user (Tomcat) creates a file
    > there, it has by default a given set of permissions).
    > Otherwise, you might have to do some kind of chmod from within your
    > webapp itself, after it creates the file. I don't know what Java method
    > that would be.

    Replying to myself : upon further reflection, I am not even sure that
    Java would have a method to do this, since it is supposed to be
    platform-independent, and setting filesystem permissions and group
    ownership is rather on the platform-dependent side.
    How often do such upload requests come in ? I'm thinking that if this is
    a single-platform solution, and file uploads don't come up tens per
    second at a time, it may be possible (though I also don't know how) to
    simply execute an OS-level command (chmod 0xxx filename; chgroup xxxxx
    filename) from within a Tomcat webapp, or a servlet filter that would
    run after the webapp.

    Otherwise, ACLs are complicated in terms of understanding the
    documentation of setfacl; but once you have it down, it is after all
    only a matter of running a single setfacl command once on each of your
    target directories. And it has the advantage of being done totally
    outside of your webapp, once and for all. It "sticks" to the directory,
    not to your code.



  • Epicwinter at Feb 2, 2009 at 8:44 pm
    That is a possible solution. There is a fairly heavy amount of files uploaded from many different users, so it would mean a lot of configuration and a lot of maintenance to that config as I add new users. So I am trying to avoid the operating system chmod commands in my code.
    If I add umask 002 in my /etc/init.d/tomcat start up script it seems to fix the problem, but I think this is setting that umask for more than just tomcat so I am not sure how safe that is.

    > Date: Mon, 2 Feb 2009 21:05:15 +0100
    > From: aw@ice-sa.com
    > To: users@tomcat.apache.org
    > Subject: Re: running tomcat with root user.....umask in jsvc?
    >
    > André Warnier wrote:
    > > epicwinter@hotmail.com wrote:
    > > > You are correct, I found a setting that relaxes the group access
    > > > permissions on the jailkit.
    > > > Now I just have one more problem. When tomcat creates files in these
    > > > user directories I need the permissions to be set appropriately. What
    > > > is the best way to set the umask value when running tomcat using jsvc?
    > > That's a good question.
    > > I don't think jsvc would take any account of the Tomcat user's .profile
    > > file.
    > > ACLs would allow you to do that however :-)
    > > (Seriously, I believe you can set an ACL on the target directory that
    > > would make it so that when this particular user (Tomcat) creates a file
    > > there, it has by default a given set of permissions).
    > > Otherwise, you might have to do some kind of chmod from within your
    > > webapp itself, after it creates the file. I don't know what Java method
    > > that would be.
    > Replying to myself : upon further reflection, I am not even sure that
    > Java would have a method to do this, since it is supposed to be
    > platform-independent, and setting filesystem permissions and group
    > ownership is rather on the platform-dependent side.
    > How often do such upload requests come in ? I'm thinking that if this is
    > a single-platform solution, and file uploads don't come up tens per
    > second at a time, it may be possible (though I also don't know how) to
    > simply execute an OS-level command (chmod 0xxx filename; chgroup xxxxx
    > filename) from within a Tomcat webapp, or a servlet filter that would
    > run after the webapp.
    >
    > Otherwise, ACLs are complicated in terms of understanding the
    > documentation of setfacl; but once you have it down, it is after all
    > only a matter of running a single setfacl command once on each of your
    > target directories. And it has the advantage of being done totally
    > outside of your webapp, once and for all. It "sticks" to the directory,
    > not to your code.
  • André Warnier at Feb 2, 2009 at 9:05 pm

    epicwinter@hotmail.com wrote:
    > That is a possible solution. There is a fairly heavy amount of files uploaded from many different users so it would mean a lot of configuration and a lot of maintenance to that config as i add new users. So I am trying to avoid the operating system chmod commands in my code.
    I don't really like that either, and it does break if you ever (yuk)
    would decide to run your code on some other platform.
    > If i add umask 002 in my ./etc/init.d/tomcat start up script it seems to fix the problem but i think this is setting that umask for more than just tomcat so i am not sure how safe that is.
    As far as I can tell, it would only change the umask for the current
    process (the shell executing your startup script) and all its offsprings
    (jsvc, tomcat). But it will do it for *everything* that these processes
    do (such as creating temporary files, logfiles, etc..). That may indeed
    not be very secure. For instance, one thing which Tomcat to my knowledge
    does (if you have not disabled it) is to rewrite the "conf/users.xml"
    file each time it starts up (or stops ?). That particular file is not
    essential, and maybe Tomcat does not do that anymore in recent versions,
    but there might be other such things lurking around unexpectedly.

    I'm still a bit curious about how you did organise the upload
    directories and their rights and groups etc.. finally, because you want
    this one Tomcat user to be able to write into upload directories owned
    originally by other users, right ? Or at least, you want these other
    users afterward to have access to these files somehow.
    So you must have established some common group or groups between the
    Tomcat user, and these other users, right ?
    I am just wondering if by doing this, you have not "weakened" the
    general protection of all that stuff.

    I had a quite similar case to resolve not so long ago (with Apache, not
    Tomcat), and only ended up with ACLs after being forced to use them,
    because no other solution would really provide the security I wanted.


  • Epicwinter at Feb 2, 2009 at 10:19 pm

    > Date: Mon, 2 Feb 2009 22:00:24 +0100
    > From: aw@ice-sa.com
    > To: users@tomcat.apache.org
    > Subject: Re: running tomcat with root user.....umask in jsvc?
    >
    > epicwinter@hotmail.com wrote:
    > > That is a possible solution. There is a fairly heavy amount of files uploaded from many different users so it would mean a lot of configuration and a lot of maintenance to that config as i add new users. So I am trying to avoid the operating system chmod commands in my code.
    > I don't really like that either, and it does break if you ever (yuk)
    > would decide to run your code on some other platform.
    > > If i add umask 002 in my ./etc/init.d/tomcat start up script it seems to fix the problem but i think this is setting that umask for more than just tomcat so i am not sure how safe that is.
    > As far as I can tell, it would only change the umask for the current
    > process (the shell executing your startup script) and all its offsprings
    > (jsvc, tomcat). But it will do it for *everything* that these processes
    > do (such as creating temporary files, logfiles, etc..). That may indeed
    > not be very secure. For instance, one thing which Tomcat to my knowledge
    > does (if you have not disabled it) is to rewrite the "conf/users.xml"
    > file each time it starts up (or stops ?). That particular file is not
    > essential, and maybe Tomcat does not do that anymore in recent versions,
    > but there might be other such things lurking around unexpectedly.
    That was my concern, I think it is a very mild security concern but still an issue nonetheless. Since the tomcat user doesn't have shell access or root access I can't see it being a big issue, it would be nice if you could set the umask for just the class loader or running java process.
    > I'm still a bit curious about how you did organise the upload
    > directories and their rights and groups etc.. finally, because you want
    > this one Tomcat user to be able to write into upload directories owned
    > originally by other users, right ? Or at least, you want these other
    > users afterward to have access to these files somehow.
    > So you must have established some common group or groups between the
    > Tomcat user, and these other users, right ?
    > I am just wondering if by doing this, you have not "weakened" the
    > general protection of all that stuff.
    You got it. Here is how I have it set up; let me know what you think:
    I created a shared group:
    groupadd sharedgroup
    Then I changed it so all my users were members of this group:
    usermod -g sharedgroup tomcat
    usermod -g sharedgroup jaileduser1

    usermod -g sharedgroup jaileduser2 ...etc

    Then I found some settings in the jailkit ( http://olivier.sessink.nl/jailkit/ ) that allow for the jailed users to have group read/write permissions:
    in /etc/jailkit/jk_chrootsh.ini
    relax_home_group=1
    relax_home_group_permissions=1
    relax_home_other_permissions=1

    Then in the jail jk_lsh.ini I set up the umask for the shared group:

    [group sharedgroup]
    paths= /usr/bin, /usr/lib/
    executables= /usr/bin/scp, /usr/libexec/openssh/sftp-server
    umask= 002

    Finally I added the umask 002 line to my tomcat startup script.

    The external jailed users only have sftp access and aren't able to move outside their home directories. Since the jailed user shares a group with tomcat they can all incestuously read and write files to these home directories, and since the umask is set the permissions are retained as new directories are created and so forth.

    What do you think?
    > I had a quite similar case to resolve not so long ago (with Apache, not
    > Tomcat), and only ended up with ACLs after being forced to use them,
    > because no other solution would really provide the security I wanted.
    Yeah, the ACLs look very effective, but like yourself I am trying to avoid extra complications.
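    What the "umask 002 line in the tomcat startup script" actually changes, as an added example that is not from the thread and not the author's setup: umask is per process and inherited by children, so a value set in the script that launches jsvc applies to every file Tomcat creates (uploads, logs, work/ and temp/ files alike) and to nothing else on the box. The script below shows the resulting modes for constructed files in a temporary directory, confirms the parent shell's umask is untouched, and ends with the audit a practitioner would run on Tomcat's own directories after relaxing the mask. The GNU stat -c format is assumed.

    ```sh
    #!/bin/sh
    # Added example (not from the thread): effect and scope of "umask 002" in a
    # service start script. All files are created in a temporary directory.

    # mode_of FILE: octal permission bits, e.g. 664 (GNU/busybox stat assumed).
    mode_of() { stat -c '%a' "$1"; }

    # create_with_umask UMASK FILE: create FILE in a subshell whose umask is UMASK,
    # the way a start script launching jsvc would; prints the resulting mode.
    # The caller's own umask is not changed, which is why the setting does not
    # leak to anything outside the Tomcat process tree.
    create_with_umask() {
        ( umask "$1"; : > "$2" )
        mode_of "$2"
    }

    # group_writable_files DIR: files under DIR with the group write bit set.
    # This is the audit to run on Tomcat's conf/, logs/ and work/ after lowering
    # the umask, since the relaxed mask applies to everything Tomcat writes, not
    # only to uploads; anything listed there is writable by the shared group.
    group_writable_files() { find "$1" -type f -perm -020 | sort; }

    # demo: an upload and a log file created under umask 002, a third file
    # created under the stricter 027, then the audit count.
    # Prints "<upload mode> <log mode> <strict mode> <group-writable count>".
    demo() {
        d=$(mktemp -d)
        mkdir "$d/uploads" "$d/logs"
        up=$(create_with_umask 002 "$d/uploads/report.txt")     # 0666 & ~002 = 664
        lg=$(create_with_umask 002 "$d/logs/catalina.out")      # also 664: logs get it too
        strict=$(create_with_umask 027 "$d/logs/private.log")   # 0666 & ~027 = 640
        n=$(group_writable_files "$d" | wc -l | tr -d ' ')
        rm -rf "$d"
        echo "$up $lg $strict $n"
    }

    # umask_unchanged_after UMASK: 0 if creating a file under UMASK in the
    # subshell left the current shell's umask exactly as it was.
    umask_unchanged_after() {
        before=$(umask)
        d=$(mktemp -d)
        create_with_umask "$1" "$d/probe" >/dev/null
        rm -rf "$d"
        [ "$(umask)" = "$before" ]
    }

    demo
    ```

    The two 664 results are the trade-off discussed above: the upload gets the group write bit the shared-group layout needs, and so does the log file, because the mask cannot be scoped to one code path inside the JVM. The find audit makes that spillover visible so the owning group of Tomcat's own directories can be kept separate from the shared upload group.
    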
  • André Warnier at Feb 2, 2009 at 11:15 pm
    epicwinter@hotmail.com wrote:
    [...]
    I'm not a great security specialist, but your setup looks indeed safe
    enough, if the users are chrooted to their home directories.
    I can't imagine how they could break out and access things they shouldn't.

    Just one more question: how do you arrange to know who is uploading a
    file, and thus where to put it?



    As a footnote : having a basic problem similar to yours (under Apache,
    not Tomcat), I ended up with a solution like this, implemented with
    Apache and mod_perl, but which should be also transposable to Tomcat
    with servlet filters and such:

    To allow users to upload their files, I implemented the standard DAV
    module in Apache (which also exists in Tomcat). This way, they can do
    drag-and-drop directly from within their Windows Explorer, to one
    directory structure on the server. And, I did not have to re-invent the
    wheel for uploading files.

    But that did not at first allow me to know who was uploading the file,
    and what to do with it.
    To know who was doing it, I thus added an HTTP authentication.
    But still, DAV doesn't care, and uploads all the files under the user
    Apache (Tomcat) runs under.

    So I added a couple of filters, one in front and one behind DAV. The
    front-end filter takes note of who this is (from the Apache
    authentication), and where the user thinks he is uploading the file to
    (from the URL), then changes the "PUT" URL sneakily (a la mod_rewrite),
    so that DAV now uploads the file in fact somewhere completely different,
    outside of the directories where the user thinks he is uploading.

    Then right after DAV, another filter picks up the uploaded file from the
    known place where DAV put it, and moves it to the real destination and
    with the correct ownership and permissions (which it gets from where the
    first filter saved them).

    It is a bit like another solution suggested earlier based on a separate
    daemon, only here everything happens in real-time.

    I am sure this could be done in Tomcat with a servlet filter around the
    DAV webapp.




  • Epicwinter at Feb 3, 2009 at 12:50 am

    Date: Tue, 3 Feb 2009 00:10:30 +0100
    From: aw@ice-sa.com
    To: users@tomcat.apache.org
    Subject: Re: running tomcat with root user.....umask in jsvc?

    epicwinter@hotmail.com wrote:
    [...]

    Just one more question : how do you arrange to know who is uploading a
    file, and thus where to put it ?
    Well, each customer gets assigned its own jailed user. The uploading facility is completely underneath a Swing GUI, so all the customer knows is that the upload button works. When the customer logs in to their Swing client they load some settings requested from the server; one of these settings happens to be their sftp login for the server and the other is the upload directory. So the server holds all this info in config files and the users don't even ever know what their login is.


    [...]
    I haven't done much with those filters, but i like the idea of using the filters for something like this, it is nice that it is at least somewhat external to core code.


  • Rusty Wright at Feb 3, 2009 at 4:03 am
    If you have control of the mode of the directory where the files are placed you may find the sticky bit helpful for propagating stuff down the tree:

    http://www.dartmouth.edu/~rc/help/faq/permissions.html


    epicwinter@hotmail.com wrote:
    Date: Mon, 2 Feb 2009 22:00:24 +0100
    From: aw@ice-sa.com
    To: users@tomcat.apache.org
    Subject: Re: running tomcat with root user.....umask in jsvc?

    epicwinter@hotmail.com wrote:
    That is a possible solution. There is a fairly heavy amount of files uploaded from many different users, so it would mean a lot of configuration and a lot of maintenance to that config as I add new users. So I am trying to avoid the operating system chmod commands in my code.
    I don't really like that either, and it does break if you ever (yuk)
    would decide to run your code on some other platform.
    If I add umask 002 in my /etc/init.d/tomcat startup script it seems to fix the problem, but I think this is setting that umask for more than just tomcat, so I am not sure how safe that is.
    As far as I can tell, it would only change the umask for the current
    process (the shell executing your startup script) and all its offspring
    (jsvc, tomcat). But it will do it for *everything* that these processes
    do (such as creating temporary files, logfiles, etc..). That may indeed
    not be very secure. For instance, one thing which Tomcat to my knowledge
    does (if you have not disabled it) is to rewrite the "conf/users.xml"
    file each time it starts up (or stops ?). That particular file is not
    essential, and maybe Tomcat does not do that anymore in recent versions,
    but there might be other such things lurking around unexpectedly.
    That was my concern. I think it is a very mild security concern, but still an issue nonetheless. Since the tomcat user doesn't have shell access or root access I can't see it being a big issue; it would be nice if you could set the umask for just the class loader or running java process.
    I'm still a bit curious about how you did organise the upload
    directories and their rights and groups etc.. finally, because you want
    this one Tomcat user to be able to write into upload directories owned
    originally by other users, right ? Or at least, you want these other
    users afterward to have access to these files somehow.
    So you must have established some common group or groups between the
    Tomcat user, and these other users, right ?
    I am just wondering if by doing this, you have not "weakened" the
    general protection of all that stuff.
    [...]
  • Christopher Schultz at Feb 5, 2009 at 10:28 pm
    André,

    I know I'm a bit late, but...

    André Warnier wrote:
    André Warnier wrote:
    epicwinter@hotmail.com wrote:
    You are correct, I found a setting that relaxes the group access
    permissions on the jailkit. Now I just have one more problem. When
    tomcat creates files in these user directories I need the permissions
    to be set appropriately. What is the best way to set the umask value
    when running tomcat using jsvc?
    Replying to myself : upon further reflection, I am not even sure that
    Java would have a method to do this, since it is supposed to be
    platform-independent, and setting filesystem permissions and group
    ownership is rather on the platform-dependent side.
    Correct: Java does not provide any permissions-adjusting behavior except
    things like "read-only" through the java.io.File class.

    On the other hand, the umask of the JVM process should be whatever the
    umask was for the shell that started it. So, if the umask is 022, you
    should get files that are readable by anyone. Is that not what you are
    experiencing, epicwinter?

    -chris

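As an added example (not code from this thread, nor from Tomcat or Spring), here is how the application itself, rather than a process-wide umask in the init script, could set the group and mode of each file it places into a customer's directory. This is the point the umask discussion above circles around, and Chris's remark that Java offers nothing beyond java.io.File's read-only flag was true for the Java 5/6 JVMs Tomcat 6 ran on in 2009; the java.nio.file API used here arrived with Java 7 in 2011. It also covers the last step of André's DAV-plus-filters design, moving a staged upload to its real destination with the right ownership. The per-customer upload directory, the staging file, the relative file name and the group name are all assumptions; the demo in main() uses the temp directory's existing group so it runs on any POSIX host without creating users or groups.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.AtomicMoveNotSupportedException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.nio.file.attribute.GroupPrincipal;
import java.nio.file.attribute.PosixFileAttributeView;
import java.nio.file.attribute.PosixFileAttributes;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Set;

/**
 * Added example, not code from the thread. Moves a staged upload into a
 * customer's directory, then sets group and mode explicitly so the result does
 * not depend on the umask Tomcat was started with. Needs Java 7+ (NIO.2).
 * Directory layout and group name are assumptions for illustration.
 */
public final class UploadPlacer {

    // rw-rw----: Tomcat (owner) and the shared group may read/write, nobody else.
    private static final Set<PosixFilePermission> FILE_MODE = EnumSet.of(
            PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE,
            PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE);

    private final Path customerRoot;  // e.g. /home/jaileduser1/upload (assumed layout)
    private final String sharedGroup; // "sharedgroup" in the setup described in the thread

    public UploadPlacer(Path customerRoot, String sharedGroup) {
        this.customerRoot = customerRoot.toAbsolutePath().normalize();
        this.sharedGroup = sharedGroup;
    }

    /** Resolve a client-supplied name under customerRoot; reject anything that escapes it. */
    Path resolveInside(String relativeName) {
        Path target = customerRoot.resolve(relativeName).normalize();
        if (target.equals(customerRoot) || !target.startsWith(customerRoot)) {
            throw new IllegalArgumentException("name escapes customer directory: " + relativeName);
        }
        return target;
    }

    /** Move the file DAV (or any upload handler) staged, then fix group and permissions. */
    public Path place(Path staged, String relativeName) throws IOException {
        Path target = resolveInside(relativeName);
        Files.createDirectories(target.getParent());
        // The jailed user can create symlinks inside their own home; check that the
        // real parent directory is still inside customerRoot before writing there.
        if (!target.getParent().toRealPath().startsWith(customerRoot.toRealPath())) {
            throw new IOException("parent directory resolves outside customer directory");
        }
        try {
            Files.move(staged, target, StandardCopyOption.ATOMIC_MOVE);
        } catch (AtomicMoveNotSupportedException e) {
            // Staging area on another filesystem: copy, then remove the staged copy.
            Files.copy(staged, target, StandardCopyOption.REPLACE_EXISTING);
            Files.delete(staged);
        }
        applyGroupAndMode(target);
        return target;
    }

    void applyGroupAndMode(Path file) throws IOException {
        PosixFileAttributeView view = Files.getFileAttributeView(file, PosixFileAttributeView.class);
        if (view == null) {
            // Not a POSIX filesystem (e.g. Windows): there is no group or mode to set.
            return;
        }
        // Equivalent of chgrp: succeeds only if the JVM's user is a member of the group, or is root.
        GroupPrincipal group = file.getFileSystem().getUserPrincipalLookupService()
                .lookupPrincipalByGroupName(sharedGroup);
        view.setGroup(group);
        // Unlike attributes handed to Files.createFile(), which the kernel masks with the
        // process umask, setPosixFilePermissions applies exactly the mode given.
        Files.setPosixFilePermissions(file, FILE_MODE);
    }

    public static void main(String[] args) throws IOException {
        Path root = Files.createTempDirectory("customer-root");
        Path staged = Files.createTempFile("dav-staging", ".bin");
        Files.write(staged, "constructed upload body\n".getBytes(StandardCharsets.UTF_8));
        // Demo only: reuse the temp directory's current group so this runs on any host.
        // In production this would be the shared group, e.g. "sharedgroup".
        String group = Files.readAttributes(root, PosixFileAttributes.class).group().getName();
        UploadPlacer placer = new UploadPlacer(root, group);
        Path placed = placer.place(staged, "reports/2009-02.csv");
        System.out.println(placed + " "
                + PosixFilePermissions.toString(Files.getPosixFilePermissions(placed)));
        try {
            placer.resolveInside("../../etc/passwd");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two caveats a practitioner should keep in mind. PosixFilePermission has no setgid bit, so making the customer directory itself group-inheriting (chmod 2770, the "sticky bit" idea Rusty raises) stays a shell-side step done once per directory; the class above only controls the files it places. And setGroup() needs the JVM's user to be in the target group, which is exactly what the shared-group membership set up earlier in the thread provides, without having to run Tomcat as root.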
