[ http://mifosforge.jira.com/browse/MIFOSADMIN-81?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ryan Whitney resolved MIFOSADMIN-81.
------------------------------------
Resolution: Invalid
New cloud imaging uses off-the-shelf Tomcat.
> improve cloud server security by using a .deb packaged version of Tomcat
> ------------------------------------------------------------------------
>
> Key: MIFOSADMIN-81
> URL: http://mifosforge.jira.com/browse/MIFOSADMIN-81
> Project: mifos administration
> Issue Type: Improvement
> Reporter: Adam Monsen
> Assignee: Mifos Admin Queue
>
> We're using 6.0.26 for our cloud customers. 6.0.28 fixes [a couple of
> security bugs|http://tomcat.apache.org/security-6.html], but one of them
> doesn't affect us since we always run behind Apache (CVE-2010-2227) and the
> other is "Low" priority.
> I think we'd be in a better position security-wise if we modified our
> cloud servers to use a .deb package version of Tomcat.
> Note that a [policy file like the
> following|http://ubuntuforums.org/showthread.php?t=1196956] is required for
> Mifos to work with Ubuntu's Tomcat:
> {code:title=/var/lib/tomcat6/conf/policy.d/05mifos.policy}
> grant {
> permission java.io.FilePermission "/var/lib/tomcat6/webapps/mifos/-",
> "read,write,delete";
> permission java.security.AllPermission "/var/lib/tomcat6/webapps/mifos/-";
> };
> {code}
> Fewer permissions would be better, but this should be enough to get Mifos
> running with whatever Tomcat ships with Ubuntu. If Tomcat ships with an old
> version, we can just build a new .deb from a more recent Tomcat.
> Note that apparmor might also need to be adjusted if Tomcat uses that (just
> watch /var/log/messages for "audit").
--
This message is automatically generated by JIRA.
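
The quoted policy grants `java.security.AllPermission` in a `grant` entry with no `codeBase`, so it applies to all code, and the path given after `AllPermission` does not narrow it. The following check for that pattern is an added example, not part of the original message or of Mifos; `audit_policy` and `SCOPED_POLICY` are hypothetical names, and the scoped grant is an illustrative assumption, not a tested Mifos configuration.

```python
import re

STR = r'"(?:[^"\\]|\\.)*"'
# Strings are matched first so "//" inside a codeBase URL is not read as a comment.
COMMENT = re.compile(STR + r'|//[^\n]*|/\*.*?\*/', re.S)
# grant <header> { <body> };  braces inside quoted strings (e.g. ${catalina.base}) are skipped.
GRANT = re.compile(r'\bgrant\b((?:%s|[^{"])*)\{((?:%s|[^}"])*)\}\s*;' % (STR, STR), re.I)
PERM = re.compile(r'\bpermission\s+([\w.$]+)\s*(%s)?' % STR, re.I)


def audit_policy(text):
    """Return (grant_number, finding) pairs for over-broad grant entries."""
    text = COMMENT.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else " ", text)
    findings = []
    for n, grant in enumerate(GRANT.finditer(text), 1):
        header, body = grant.groups()
        if not re.search(r'\b(codeBase|signedBy|principal)\b', header, re.I):
            findings.append((n, "no codeBase/signedBy/principal: applies to all code"))
        for cls, target in PERM.findall(body):
            if cls == "java.security.AllPermission":
                findings.append((n, "AllPermission: grants every permission"))
                if target:  # the name argument of AllPermission is ignored by Java
                    findings.append((n, "AllPermission target %s is ignored" % target))
    return findings


# Copy of the policy quoted in the message above.
PAGE_POLICY = """
grant {
  permission java.io.FilePermission "/var/lib/tomcat6/webapps/mifos/-", "read,write,delete";
  permission java.security.AllPermission "/var/lib/tomcat6/webapps/mifos/-";
};
"""

# Constructed for illustration (assumption): same file access, scoped to the webapp's code.
SCOPED_POLICY = """
// constructed example, not a tested Mifos configuration
grant codeBase "file:/var/lib/tomcat6/webapps/mifos/-" {
  permission java.io.FilePermission "/var/lib/tomcat6/webapps/mifos/-", "read,write,delete";
};
"""

if __name__ == "__main__":
    for name, policy in (("page", PAGE_POLICY), ("scoped", SCOPED_POLICY)):
        for n, finding in audit_policy(policy):
            print("%s policy, grant %d: %s" % (name, n, finding))
```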