Re: [OT] Symantic has a first tomcat worm ;-)

Mon, 25 Nov 2013 03:44:02 -0800 

Mark,

On 25.11.2013 11:08, Mark Thomas wrote:

Unrelated to this issue, I have recently expanded the section of the
docs that covers securing the default applications. The updates will be
in the next release. Until then you can read it via the copy of the docs
built by the CI system:
http://ci.apache.org/projects/tomcat/tomcat8/docs/security-howto.html#Default_web_applications


On a related matter, if one configure file permissions as recommended here:


http://tomcat.apache.org/tomcat-8.0-doc/security-howto.html#Non-Tomcat_settings


Manager application will be unusable for deployment by uploading .war 
files. Automatic war unpacking also won't work. What is the best 
practice for remote deployment of .war files in such environment?



I usually copy .war file to temporary dir on server using scp client. 
Then, using ssh client I extract the .war file, chown .war file and 
extracted folder, and mv .war file and extracted folder to webapps/. I 
then wait for auto deployer to pick them up. Is there a better 
alternative to that?




The one question this raises for me is should the Manager application be
limited to localhost be default? I'd be interested in the community's
views on that.



Yes. A lot of Tomcat instances I've seen run under user root. 
Unfortunately, a lot of users needs Tomcat running on port 80, and they 
don't have time or knowledge to configure jsvc or httpd. They 
unfortunately resort to running tomcat as root, forgetting that manager 
application (and all other deployed webapps) will also have root 
privileges. So, adding one more level of security by enabling 
RemoteAddrValve will help security ignorant users, and will take only 
little additional effort for admins.



I also think it would be very usefull if 401 error page for manager 
application does not example password "s3cret", but randomly generated 
long password unique for every request. I guess there is a number of 
Tomcat instances out there with username "tomcat" and passoword 
"s3cret", and that needs to be prevented.


-Ognjen

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org























					Reply via email to