[ http://mifosforge.jira.com/browse/MIFOSADMIN-81?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=62013#action_62013 ]

Adam Monsen commented on MIFOSADMIN-81:
---------------------------------------

Sumit notes the vulnerabilities mentioned above may not affect us since we put 
Apache in front of Tomcat and we don't use basic or digest auth.

> improve cloud server security by using a .deb packaged version of Tomcat
> ------------------------------------------------------------------------
>
>                 Key: MIFOSADMIN-81
>                 URL: http://mifosforge.jira.com/browse/MIFOSADMIN-81
>             Project: mifos administration
>          Issue Type: Improvement
>            Reporter: Adam Monsen
>            Assignee: Mifos Admin Queue
>
> We're using 6.0.26 for our cloud customers. 6.0.28 fixes [a couple of 
> security bugs|http://tomcat.apache.org/security-6.html], but one of them 
> doesn't affect us since we always run behind Apache (CVE-2010-2227) and the 
> other is "Low" priority.
> I think we'd be in a better position security-wise if we modified our 
> cloud servers to use a .deb package version of Tomcat.
> Note that a [policy file like the 
> following|http://ubuntuforums.org/showthread.php?t=1196956] is required for 
> Mifos to work with Ubuntu's Tomcat:
> {code:title=/var/lib/tomcat6/conf/policy.d/05mifos.policy}
> grant {
>     permission java.io.FilePermission "/var/lib/tomcat6/webapps/mifos/-", "read,write,delete";
>     permission java.security.AllPermission "/var/lib/tomcat6/webapps/mifos/-";
> };
> {code}
> Fewer permissions would be better, but this should be enough to get Mifos 
> running with whatever Tomcat ships with Ubuntu. If Tomcat ships with an old 
> version, we can just build a new .deb from a more recent Tomcat.
> Note that apparmor might also need to be adjusted if Tomcat uses that (just 
> watch /var/log/messages for "audit").

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://mifosforge.jira.com/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
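
An added example, not part of the original message or the Mifos project: a small audit for policy.d fragments like the one quoted above. A `grant` block with no `codeBase`, `signedBy` or `principal` applies to all code, and `java.security.AllPermission` ignores its target name, so the check reports both conditions. The second grant in the sample, the function names and the finding labels are constructed for illustration.

```python
import re

# Constructed sample: the policy quoted in the issue, then a hypothetical
# narrower variant scoped with codeBase (not tested against Mifos).
SAMPLE = '''
grant {
    permission java.io.FilePermission "/var/lib/tomcat6/webapps/mifos/-", "read,write,delete";
    permission java.security.AllPermission "/var/lib/tomcat6/webapps/mifos/-";
};
grant codeBase "file:/var/lib/tomcat6/webapps/mifos/-" {
    permission java.io.FilePermission "/var/lib/tomcat6/webapps/mifos/-", "read,write,delete";
};
'''

# Header and body may contain quoted strings with braces (e.g. "${catalina.base}"),
# so quoted strings are consumed as a unit. Policy keywords are case-insensitive.
GRANT_RE = re.compile(
    r'\bgrant\b((?:"[^"]*"|[^{"])*)\{((?:"[^"]*"|[^}"])*)\}\s*;', re.I)
PERM_RE = re.compile(r'\bpermission\s+([\w.$]+)', re.I)
SCOPE_RE = re.compile(r'\b(codeBase|signedBy|principal)\b', re.I)


def strip_comments(text):
    """Drop /* ... */ blocks and whole-line // comments (keeps file:// URLs)."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'^\s*//.*$', '', text, flags=re.M)


def audit(policy_text):
    """Return (grant_number, finding) tuples for over-broad grant blocks."""
    findings = []
    for n, m in enumerate(GRANT_RE.finditer(strip_comments(policy_text)), 1):
        header, body = m.group(1), m.group(2)
        perms = PERM_RE.findall(body)
        if 'java.security.AllPermission' in perms:
            # AllPermission implies every other permission; its name is ignored.
            findings.append((n, 'all-permission'))
        if perms and not SCOPE_RE.search(header):
            # No codeBase/signedBy/principal: the grant applies to all code.
            findings.append((n, 'unscoped-grant'))
    return findings


if __name__ == '__main__':
    for number, finding in audit(SAMPLE):
        print(f'grant #{number}: {finding}')
```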

        
