On 19.01.2011 20:00, Mark Thomas wrote:
On 19/01/2011 18:53, Ian Darwin wrote:
On 01/19/11 13:47, Mark Thomas wrote:
On 19/01/2011 18:45, bugzi...@apache.org wrote:
https://issues.apache.org/bugzilla/show_bug.cgi?id=22405
--- Comment #5 from Mark Thomas<ma...@apache.org> 2011-01-19 13:45:40 EST ---
Created an attachment (id=26519)
--> (https://issues.apache.org/bugzilla/attachment.cgi?id=26519)
Proposed patch for Tomcat 7
This patch adds a new listener that checks the user Tomcat is running as and
the umask being used.
I didn't apply this directly as it stops Tomcat from starting (not on
Windows) as root or if the umask is not at least as restrictive as 0007.
WDYT?
I'd like that to be a warning, not a fatal error.
It is a fine line. Some things are sufficiently dangerous that the user
should have to actively choose to do them. Running as root is probably
one of them but then again jsvc is designed to run as root to use
privileged ports. Maybe there is a way to tell the difference such as
move the check until the point where jsvc would have changed to a lower
privileged user.
Not tested with Java 6, but at least for Java 5 user.name still seems to
return the real uid, not the effective one. So I expect under jsvc you
will still get root as the result.
See:
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=4290712
But it should be verified using jsvc. Not sure whether my simple
perl+Java bsed test is valid.
Regards,
Rainer
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
