Re: Allowing dir listing of root (/) dir of the machine
On 25/08/2020 09:19, Mark Thomas wrote:
> On 24/08/2020 15:41, Aryeh Friedman wrote:
>
>> Tried and it gives me /usr/local/apache-tomcat-9.0/webapps as the effective
>> dir. This is *NOT* what I meant by the root dir I meant the one that is
>> the highest point in the file system hierarchy (i.e. the one you get when
>> at a shell prompt when you type "cd /") [this is for a Unix machine of
>> course since Windows has no concept of such a directory/folder]
>
> Sorry, got my roots mixed up.
>
> gives me an empty directory listing as well - and it isn't a file
> permissions issue.
>
> I need to do some debugging to figure out what is going on...

Edge case bug in path validation. Will be fixed in the next round of
releases (expected early next month).

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Allowing dir listing of root (/) dir of the machine
On 24.08.20 at 16:41, Aryeh Friedman wrote:
> On Mon, Aug 24, 2020 at 4:27 AM Mark Thomas wrote:
>
>> On 23/08/2020 22:05, Aryeh Friedman wrote:
>>> In order to allow my developers to quickly access any temporarily produced
>>> html files created/stored outside of webapps (such as those created by the
>>> jacoco test coverage tool) I want to allow read only access to the root
>>> directory of the development server (firewalled and all access outside of
>>> the LAN is disabled) via tomcat. I can get it to do any directory
>>> *EXCEPT* / as the docBase but a docBase of "/" returns an empty dir listing
>>> (which is obviously wrong):
>>>
>>> In config/web.xml:
>>>
>>> <servlet>
>>>     <servlet-name>default</servlet-name>
>>>     <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
>>>     <init-param>
>>>         <param-name>debug</param-name>
>>>         <param-value>0</param-value>
>>>     </init-param>
>>>     <init-param>
>>>         <param-name>listings</param-name>
>>>         <param-value>true</param-value>
>>>     </init-param>
>>>     <load-on-startup>1</load-on-startup>
>>> </servlet>
>>
>> That should be sufficient to enable directory listings for all web
>> applications.
>>
>>> In server.xml (this works):
>>>
>>> <Host ... appBase="webapps" unpackWARs="true" autoDeploy="true">
>>>     <Valve className="org.apache.catalina.valves.AccessLogValve"
>>>            directory="logs" prefix="localhost_access_log" suffix=".txt"
>>>            pattern="%h %l %u %t %r %s %b" />
>>>     <Context docBase="/fakeRoot" path="/files">
>>>     </Context>
>>> </Host>
>>
>> I'd do this with a ROOT.xml file in
>> $CATALINA_BASE/conf/Catalina/localhost but the above should work.
>>
>>> But this does not work:
>>
>> The docBase is not correct (it should be "") but Tomcat probably will
>> let you get away with that.
>>
> Tried and it gives me /usr/local/apache-tomcat-9.0/webapps as the effective
> dir. This is *NOT* what I meant by the root dir I meant the one that is
> the highest point in the file system hierarchy (i.e. the one you get when
> at a shell prompt when you type "cd /") [this is for a Unix machine of
> course since Windows has no concept of such a directory/folder]

It seems that Tomcat will do a bit of cleanup on the paths you specify in
docBase. If I read it correctly, ContextConfig#fixDocBase will convert the
base you give to a canonical representation and remove the leading slash.

Therefore, if you specify docBase="/" (to indicate the mount point "/", aka
the root of the filesystem), Tomcat will change it to "", which then (and
this is guessing) could lead to a state where Tomcat doesn't know where to
find any files.

I believe there is no easy (safe/sane) way to get Tomcat (that is, the
DefaultServlet) to serve the OS root as you want to have it.

There are probably other things you can do to achieve your goals. Use a
real file manager app inside of Tomcat, or use another lightweight HTTP
server (if you really want to use HTTP for this). Python 3 has a built-in
module, http.server, which could be used to do this with a one-liner in the
shell.

But, as others already said: be careful!

Felix

>> I tested this locally and it works as expected.
>>
>> Maybe a file permissions issue?
>>
>> Mark
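The read-only alternative Felix points at, as an added example that is neither part of the thread nor Tomcat's or Python's own code: a small wrapper around the standard-library http.server that serves exactly one directory subtree (the jacoco report directory, say) instead of the whole filesystem. It also carries a model of the docBase cleanup Felix describes for ContextConfig#fixDocBase; that model is an assumption about the effect he reads from the code, not Tomcat's implementation. The names tomcat_style_docbase, resolve_under_root, ReadOnlyHandler and serve, and the sample paths, are the example's own.

```python
import functools
import os
import posixpath
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import unquote, urlsplit


def tomcat_style_docbase(doc_base: str) -> str:
    """Model of the docBase cleanup Felix describes for
    ContextConfig#fixDocBase (an assumption about its effect, not Tomcat's
    code): canonicalise the path, then drop the leading slash.
    The mount point "/" therefore ends up as the empty string."""
    canonical = posixpath.normpath(doc_base)
    return canonical.lstrip("/")


def resolve_under_root(root: str, url_path: str):
    """Map a request path onto a location below `root`, or return None when
    the request would escape it. Pure string logic (no filesystem access), so
    the same check can be applied before any file is opened."""
    path = unquote(urlsplit(url_path).path)      # drop ?query, decode %2e%2e
    if "\x00" in path:                            # NUL truncates paths in C
        return None
    rel = posixpath.normpath(path.lstrip("/"))    # "a/../../etc" -> "../etc"
    if rel == ".." or rel.startswith("../"):
        return None
    if rel == ".":                                # "/" or "" -> the root itself
        return root
    return posixpath.join(root, rel)


class ReadOnlyHandler(SimpleHTTPRequestHandler):
    """Serves only GET and HEAD (the base class defines no other methods) and
    only paths that stay inside the `directory` it was constructed with.
    SimpleHTTPRequestHandler.translate_path already confines requests to that
    directory; the explicit check here is defence in depth and turns an
    escape attempt into a 403 rather than a silent 404."""

    def send_head(self):
        if resolve_under_root(self.directory, self.path) is None:
            self.send_error(403, "Path escapes served directory")
            return None
        return super().send_head()


def serve(root: str, bind: str = "127.0.0.1", port: int = 8000) -> None:
    """Serve `root` read-only with directory listings. Loopback by default;
    pass the LAN interface address explicitly if other hosts need access."""
    handler = functools.partial(ReadOnlyHandler, directory=os.path.abspath(root))
    with ThreadingHTTPServer((bind, port), handler) as httpd:
        print(f"Serving {os.path.abspath(root)} read-only on http://{bind}:{port}/")
        httpd.serve_forever()


if __name__ == "__main__":
    import sys
    # Assumed layout: the jacoco report directory is passed on the command line.
    serve(sys.argv[1] if len(sys.argv) > 1 else ".")
```

Run it as `python3 serve_reports.py /home/dev/reports` (file name and path assumed) and browse to http://127.0.0.1:8000/. The stock one-liner Felix alludes to is `python3 -m http.server --bind 127.0.0.1 --directory /home/dev/reports 8000`, which gives the same directory confinement without the 403/404 distinction. The point either way is the same as in Olaf's advice: serve the report subtree, bound to a chosen interface, rather than the root of the machine.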
Re: Allowing dir listing of root (/) dir of the machine
On 24/08/2020 15:41, Aryeh Friedman wrote:
> Tried and it gives me /usr/local/apache-tomcat-9.0/webapps as the effective
> dir. This is *NOT* what I meant by the root dir I meant the one that is
> the highest point in the file system hierarchy (i.e. the one you get when
> at a shell prompt when you type "cd /") [this is for a Unix machine of
> course since Windows has no concept of such a directory/folder]

Sorry, got my roots mixed up.

gives me an empty directory listing as well - and it isn't a file
permissions issue.

I need to do some debugging to figure out what is going on...

Mark
Re: Allowing dir listing of root (/) dir of the machine
On Mon, Aug 24, 2020 at 12:34 PM Olaf Kock wrote:
>
> On 24.08.20 16:41, Aryeh Friedman wrote:
>> On Mon, Aug 24, 2020 at 4:27 AM Mark Thomas wrote:
>>
>>> On 23/08/2020 22:05, Aryeh Friedman wrote:
>>>> In order to allow my developers to quickly access any temporarily produced
>>>> html files created/stored outside of webapps (such as those created by the
>>>> jacoco test coverage tool) I want to allow read only access to the root
>>>> directory of the development server (firewalled and all access outside of
>>>> the LAN is disabled) via tomcat. I can get it to do any directory
>>>> *EXCEPT* / as the docBase but a docBase of "/" returns an empty dir listing
>>>
> [snip]
>>> I'd do this with a ROOT.xml file in
>>> $CATALINA_BASE/conf/Catalina/localhost but the above should work.
> [snip]
>
> I'd recommend to *not* go this route. Rather, google for "java web file
> manager" or variations thereof: you'll find several open source projects
> that implement a file browser in a deployable web application. You can
> apply password protection to it, update/deploy/configure the application
> (e.g. to prevent /etc/passwd from being read) and so on.

1. The LAN is completely firewalled and NAT'ed off (there is no easy way
for an outsider to get to it, and if they did find a way we would have
bigger problems than someone who got to see the contents of some VM that
has nothing but source code and the compiled results thereof in it)

2. There are two users: me and my co-developer/business partner/spouse, so
I have 100% trust in them

> I'm explicitly not linking any of those applications here, as I can't
> recommend any from my own experience. I remember having worked with one
> ages ago that was implemented in a single JSP (great to plant a
> debugging backdoor on production servers. But /cough/ who would ever do
> that?)

My co-developer does not use Java, nor has a JRE installed (nor do they
want one installed, due to the security issues of desktop Java apps); to do
their editing they write their Java code in Notepad and upload it to the
development server (this is specifically meant so they can easily look at
the *RENDERED* html output of jacoco's coverage report; jacoco does not
output anything but raw html files in the current working dir). Since our
version control software, aegis, uses discrete change sets whose development
dir is always in the user's home dir, and jacoco produces its results
relative to the dir it was called in (the dev dir), it is not easy to make
this a web app (even with symlinks some scripting would be needed and it
would need to be on the smart end; besides, starting and stopping tomcat
takes about 20 seconds (even if scripted) and thus would really put a kink
in the write some code -> compile -> test -> check coverage -> write some
more code -> ... cycle, which usually is a few mins at tops).

Tl;DR -- We are well aware of the risks in *GENERAL*; they just don't apply
in our case though.

--
Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org
Re: Allowing dir listing of root (/) dir of the machine
On Mon, Aug 24, 2020 at 1:03 PM Christopher Schultz <ch...@christopherschultz.net> wrote:
> Aryeh,
>
> On 8/24/20 10:41, Aryeh Friedman wrote:
>> On Mon, Aug 24, 2020 at 4:27 AM Mark Thomas wrote:
>>
>>> On 23/08/2020 22:05, Aryeh Friedman wrote:
>>>> In order to allow my developers to quickly access any temporarily produced
>>>> html files created/stored outside of webapps (such as those created by the
>>>> jacoco test coverage tool) I want to allow read only access to the root
>>>> directory of the development server (firewalled and all access outside of
>>>> the LAN is disabled) via tomcat. I can get it to do any directory
>>>> *EXCEPT* / as the docBase but a docBase of "/" returns an empty dir listing
>>>> (which is obviously wrong):
>>>>
>>>> In config/web.xml:
>>>>
>>>> <servlet>
>>>>     <servlet-name>default</servlet-name>
>>>>     <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
>>>>     <init-param>
>>>>         <param-name>debug</param-name>
>>>>         <param-value>0</param-value>
>>>>     </init-param>
>>>>     <init-param>
>>>>         <param-name>listings</param-name>
>>>>         <param-value>true</param-value>
>>>>     </init-param>
>>>>     <load-on-startup>1</load-on-startup>
>>>> </servlet>
>>>
>>> That should be sufficient to enable directory listings for all
>>> web applications.
>>>
>>>> In server.xml (this works):
>>>>
>>>> <Host ... appBase="webapps" unpackWARs="true" autoDeploy="true">
>>>>     <Valve className="org.apache.catalina.valves.AccessLogValve"
>>>>            directory="logs" prefix="localhost_access_log" suffix=".txt"
>>>>            pattern="%h %l %u %t %r %s %b" />
>>>>     <Context docBase="/fakeRoot" path="/files">
>>>>     </Context>
>>>> </Host>
>>>
>>> I'd do this with a ROOT.xml file in
>>> $CATALINA_BASE/conf/Catalina/localhost but the above should
>>> work.
>>>
>>>> But this does not work:
>>>
>>> The docBase is not correct (it should be "") but Tomcat probably
>>> will let you get away with that.
>>>
>> Tried and it gives me /usr/local/apache-tomcat-9.0/webapps as the
>> effective dir. This is *NOT* what I meant by the root dir I meant
>> the one that is the highest point in the file system hierarchy
>> (i.e. the one you get when at a shell prompt when you type "cd /")
>> [this is for a Unix machine of course since Windows has no concept
>> of such a directory/folder]
>
> How are you running Tomcat? If you are using something other than
> catalina.sh to launch Tomcat, is it possible you are being put into a
> chroot jail?

Standard boot time start for FreeBSD (not jailed)

> -chris

--
Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org
Re: Allowing dir listing of root (/) dir of the machine
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Aryeh,

On 8/24/20 10:41, Aryeh Friedman wrote:
> On Mon, Aug 24, 2020 at 4:27 AM Mark Thomas wrote:
>
>> On 23/08/2020 22:05, Aryeh Friedman wrote:
>>> In order to allow my developers to quickly access any temporarily produced
>>> html files created/stored outside of webapps (such as those created by the
>>> jacoco test coverage tool) I want to allow read only access to the root
>>> directory of the development server (firewalled and all access outside of
>>> the LAN is disabled) via tomcat. I can get it to do any directory
>>> *EXCEPT* / as the docBase but a docBase of "/" returns an empty dir listing
>>> (which is obviously wrong):
>>>
>>> In config/web.xml:
>>>
>>> <servlet>
>>>     <servlet-name>default</servlet-name>
>>>     <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
>>>     <init-param>
>>>         <param-name>debug</param-name>
>>>         <param-value>0</param-value>
>>>     </init-param>
>>>     <init-param>
>>>         <param-name>listings</param-name>
>>>         <param-value>true</param-value>
>>>     </init-param>
>>>     <load-on-startup>1</load-on-startup>
>>> </servlet>
>>
>> That should be sufficient to enable directory listings for all
>> web applications.
>>
>>> In server.xml (this works):
>>>
>>> <Host ... appBase="webapps" unpackWARs="true" autoDeploy="true">
>>>     <Valve className="org.apache.catalina.valves.AccessLogValve"
>>>            directory="logs" prefix="localhost_access_log" suffix=".txt"
>>>            pattern="%h %l %u %t %r %s %b" />
>>>     <Context docBase="/fakeRoot" path="/files">
>>>     </Context>
>>> </Host>
>>
>> I'd do this with a ROOT.xml file in
>> $CATALINA_BASE/conf/Catalina/localhost but the above should
>> work.
>>
>>> But this does not work:
>>
>> The docBase is not correct (it should be "") but Tomcat probably
>> will let you get away with that.
>>
> Tried and it gives me /usr/local/apache-tomcat-9.0/webapps as the
> effective dir. This is *NOT* what I meant by the root dir I meant
> the one that is the highest point in the file system hierarchy
> (i.e. the one you get when at a shell prompt when you type "cd /")
> [this is for a Unix machine of course since Windows has no concept
> of such a directory/folder]

How are you running Tomcat? If you are using something other than
catalina.sh to launch Tomcat, is it possible you are being put into a
chroot jail?

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl9D8sMACgkQHPApP6U8
pFhurw/9H/e16E2SHzSB9qavgKZvscT5tMLOvvsKR8bvobxOTRjttfnpygEXk26q
sH23n6MD4/bKDUUQv6oJoqU07Fij3GL3yX7SXvriD0Dbc5bOtS/Af2N4CcLziOy1
aqF4lddH2tAvEdJ6xBZJwZBKSQcsu0Y/Jdx/zri5ZoaVNB/vzbT6SHiFXxrckLBS
brlNT00KCAxefW7hzjXnylm+xCVQRSt6hGsh5LrjCRuRp/cVNCFYSr2lZykmj5/+
DvyBhgxFp27zBrT41kNvQDXiw8omqMuml42n6FKY0vfsgcQJ9sxcir+LUYfwVbBo
pCY2MF3dOJdaXgoWncHqHeu8XZFspLOSPU8mI5/vfYCDLcI8ZiXh22c8MsH//R8x
/KhTWttmUlD1AWiFRizi3SbEGXPq3keJS+Wi4QKVpJldIPs9zN0OlBYVri7gRrQ+
0zFBsLmsREhrSqYyCwtSTLcAGNasmb8I3jBKblmI+1ItI04PP+8p69qzaA/FcHMl
WNtyobt1Y/yKShQuWggyIPHRdU+nHntFd7p2rzhnLwbj/B9P+K3KB35Lbbye01dD
ygYDXAf14/IgHjxz7g6i3IycuJMo+KQRdogQxt3d1qSSygjLy3Y18atLtwGrcfH9
pv0itZB14d3f7HxBv/f5IdiXRhAFbPi64/0Pi0L8QaL6W1+Whho=
=uJ4Y
-----END PGP SIGNATURE-----
Re: Allowing dir listing of root (/) dir of the machine
On 24.08.20 16:41, Aryeh Friedman wrote:
> On Mon, Aug 24, 2020 at 4:27 AM Mark Thomas wrote:
>
>> On 23/08/2020 22:05, Aryeh Friedman wrote:
>>> In order to allow my developers to quickly access any temporarily produced
>>> html files created/stored outside of webapps (such as those created by the
>>> jacoco test coverage tool) I want to allow read only access to the root
>>> directory of the development server (firewalled and all access outside of
>>> the LAN is disabled) via tomcat. I can get it to do any directory
>>> *EXCEPT* / as the docBase but a docBase of "/" returns an empty dir listing
>>
[snip]
>> I'd do this with a ROOT.xml file in
>> $CATALINA_BASE/conf/Catalina/localhost but the above should work.

[snip]

I'd recommend to *not* go this route. Rather, google for "java web file
manager" or variations thereof: you'll find several open source projects
that implement a file browser in a deployable web application. You can
apply password protection to it, update/deploy/configure the application
(e.g. to prevent /etc/passwd from being read) and so on.

I'm explicitly not linking any of those applications here, as I can't
recommend any from my own experience. I remember having worked with one
ages ago that was implemented in a single JSP (great to plant a
debugging backdoor on production servers. But /cough/ who would ever do
that?)

Olaf
Re: Allowing dir listing of root (/) dir of the machine
On Mon, Aug 24, 2020 at 4:27 AM Mark Thomas wrote:
> On 23/08/2020 22:05, Aryeh Friedman wrote:
>> In order to allow my developers to quickly access any temporarily produced
>> html files created/stored outside of webapps (such as those created by the
>> jacoco test coverage tool) I want to allow read only access to the root
>> directory of the development server (firewalled and all access outside of
>> the LAN is disabled) via tomcat. I can get it to do any directory
>> *EXCEPT* / as the docBase but a docBase of "/" returns an empty dir listing
>> (which is obviously wrong):
>>
>> In config/web.xml:
>>
>> <servlet>
>>     <servlet-name>default</servlet-name>
>>     <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
>>     <init-param>
>>         <param-name>debug</param-name>
>>         <param-value>0</param-value>
>>     </init-param>
>>     <init-param>
>>         <param-name>listings</param-name>
>>         <param-value>true</param-value>
>>     </init-param>
>>     <load-on-startup>1</load-on-startup>
>> </servlet>
>
> That should be sufficient to enable directory listings for all web
> applications.
>
>> In server.xml (this works):
>>
>> <Host ... appBase="webapps" unpackWARs="true" autoDeploy="true">
>>     <Valve className="org.apache.catalina.valves.AccessLogValve"
>>            directory="logs" prefix="localhost_access_log" suffix=".txt"
>>            pattern="%h %l %u %t %r %s %b" />
>>     <Context docBase="/fakeRoot" path="/files">
>>     </Context>
>> </Host>
>
> I'd do this with a ROOT.xml file in
> $CATALINA_BASE/conf/Catalina/localhost but the above should work.
>
>> But this does not work:
>
> The docBase is not correct (it should be "") but Tomcat probably will
> let you get away with that.
>

Tried and it gives me /usr/local/apache-tomcat-9.0/webapps as the effective
dir. This is *NOT* what I meant by the root dir I meant the one that is
the highest point in the file system hierarchy (i.e. the one you get when
at a shell prompt when you type "cd /") [this is for a Unix machine of
course since Windows has no concept of such a directory/folder]

> I tested this locally and it works as expected.
>
> Maybe a file permissions issue?
>
> Mark

--
Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org
Re: Allowing dir listing of root (/) dir of the machine
On 23/08/2020 22:05, Aryeh Friedman wrote:
> In order to allow my developers to quickly access any temporarily produced
> html files created/stored outside of webapps (such as those created by the
> jacoco test coverage tool) I want to allow read only access to the root
> directory of the development server (firewalled and all access outside of
> the LAN is disabled) via tomcat. I can get it to do any directory
> *EXCEPT* / as the docBase but a docBase of "/" returns an empty dir listing
> (which is obviously wrong):
>
> In config/web.xml:
>
> <servlet>
>     <servlet-name>default</servlet-name>
>     <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
>     <init-param>
>         <param-name>debug</param-name>
>         <param-value>0</param-value>
>     </init-param>
>     <init-param>
>         <param-name>listings</param-name>
>         <param-value>true</param-value>
>     </init-param>
>     <load-on-startup>1</load-on-startup>
> </servlet>

That should be sufficient to enable directory listings for all web
applications.

> In server.xml (this works):
>
> <Host ... appBase="webapps" unpackWARs="true" autoDeploy="true">
>     <Valve className="org.apache.catalina.valves.AccessLogValve"
>            directory="logs" prefix="localhost_access_log" suffix=".txt"
>            pattern="%h %l %u %t %r %s %b" />
>     <Context docBase="/fakeRoot" path="/files">
>     </Context>
> </Host>

I'd do this with a ROOT.xml file in
$CATALINA_BASE/conf/Catalina/localhost but the above should work.

> But this does not work:

The docBase is not correct (it should be "") but Tomcat probably will
let you get away with that.

I tested this locally and it works as expected.

Maybe a file permissions issue?

Mark
Allowing dir listing of root (/) dir of the machine
In order to allow my developers to quickly access any temporarily produced
html files created/stored outside of webapps (such as those created by the
jacoco test coverage tool) I want to allow read only access to the root
directory of the development server (firewalled and all access outside of
the LAN is disabled) via tomcat. I can get it to do any directory
*EXCEPT* / as the docBase but a docBase of "/" returns an empty dir listing
(which is obviously wrong):

In config/web.xml:

    <servlet>
        <servlet-name>default</servlet-name>
        <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
        <init-param>
            <param-name>debug</param-name>
            <param-value>0</param-value>
        </init-param>
        <init-param>
            <param-name>listings</param-name>
            <param-value>true</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>

In server.xml (this works):

    <Host ... appBase="webapps" unpackWARs="true" autoDeploy="true">
        <Valve className="org.apache.catalina.valves.AccessLogValve"
               directory="logs" prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t %r %s %b" />
        <Context docBase="/fakeRoot" path="/files">
        </Context>
    </Host>

But this does not work:

--
Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org