RE: tomcat/unix security manager questions

2002-08-19 Thread Tom Parker

On Tue, 2002-08-20 at 03:13, Rossen Raykov wrote:

> Unix permissions do take precedence over java security policy.

With a logical AND. If unix permissions say you do have write access,
but the java security policy says you do not, then you do not have write
access, and vice versa. This, of course, assumes that there are no bugs
in the unix or java security policy implementations.


--
To unsubscribe, e-mail:   
For additional commands, e-mail: 




RE: tomcat/unix security manager questions

2002-08-19 Thread Rossen Raykov

Unix permissions do take precedence over java security policy.

Regards,
Rossen

> -----Original Message-----
> From: Richard Smith [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, August 18, 2002 11:12 PM
> To: [EMAIL PROTECTED]
> Subject: tomcat/unix security manager questions
> 
> 
> 
> Hi All,
> 
> Just wondering if you could help me clarify a few questions I have about
> tomcat and catalina.policy. I'm running tomcat 4.0.4 (w/ security manager)
> with mod_jk on solaris with about 300+ users, all of whom can deploy
> jsp/servlets from their public_html directory.
> 
> A user requirement is that they must be able to read/write files in their
> home directory. This is what I'm a little confused about. I understand I
> can put an entry like:
> 
> permission java.io.FilePermission "/home/-", "read,write,delete,execute";
> 
> in catalina.policy, but how does this enable tomcat to write to other
> users' home directories (when tomcat is running as a user with minimal
> privileges)? Or must I change permissions on the file to allow the user
> that is running tomcat to write to it (is this the normal practice?).
> 
> Also, this is probably more a java question, but do standard unix
> permissions always take precedence over what is set in catalina.policy?
> (In my understanding the unix permissions take precedence, but I just
> wanted to make sure (please excuse my java ignorance))
> 
> Any help appreciated,
> 
> Cheers,
> 
> 




Re: tomcat/unix security manager questions

2002-08-19 Thread Glenn Nielsen

Richard Smith wrote:
> 
> Hi All,
> 
> Just wondering if you could help me clarify a few questions I have about
> tomcat and catalina.policy. I'm running tomcat 4.0.4 (w/ security manager)
> with mod_jk on solaris with about 300+ users, all of whom can deploy
> jsp/servlets from their public_html directory.
> 

I have never set up Tomcat to do this, but from reading the docs it looks
like Tomcat instantiates a separate web application context for each user.

> A user requirement is that they must be able to read/write files in their
> home directory. This is what I'm a little confused about. I understand I
> can put an entry like:
> 
> permission java.io.FilePermission "/home/-", "read,write,delete,execute";
> 

I would never grant the "execute" permission; this allows Tomcat to use
Runtime.exec() to execute shell scripts, etc.!

The above permission w/o execute should be fine.

> in catalina.policy, but how does this enable tomcat to write to other
> users' home directories (when tomcat is running as a user with minimal
> privileges)? Or must I change permissions on the file to allow the user
> that is running tomcat to write to it (is this the normal practice?).
> 

Yes, if you want to allow the user web applications to write and delete
files in their own home directory, Tomcat would need r/w file permissions.

This can be done by adding the tomcat user "tomcat" to the group(s) which
your users are members of.  Then set up permissions on the public_html
directory of mode 2775.

> Also, this is probably more a java question, but do standard unix
> permissions always take precedence over what is set in catalina.policy?
> (In my understanding the unix permissions take precedence, but I just
> wanted to make sure (please excuse my java ignorance))
> 

Yes, unix file/dir ownership and permissions take precedence.

> Any help appreciated,
> 
> Cheers,
> 


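The logical AND that Tom Parker describes, and the effect of leaving out "execute" as Glenn Nielsen advises, shown as an added example (not code from the thread or from Tomcat): it evaluates the FilePermission grant from the thread with java.io.FilePermission.implies() and combines the answer with the operating system's own access check. The class name, the user "alice" and the sample paths are assumptions.

```java
import java.io.FilePermission;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

// Added illustration; the class name, user "alice" and sample paths are hypothetical.
public class EffectiveAccess {

    // Policy side: does the grant cover this action on this file?
    static boolean policyAllows(FilePermission grant, String file, String action) {
        return grant.implies(new FilePermission(file, action));
    }

    // Unix side: what the account running the JVM (e.g. "tomcat") may do.
    static boolean osAllows(Path file, String action) {
        Path dir = file.toAbsolutePath().getParent();
        switch (action) {
            case "read":    return Files.isReadable(file);
            case "write":   return Files.isWritable(file);
            case "execute": return Files.isExecutable(file);
            // Deleting is approximated as write access to the containing directory.
            case "delete":  return dir != null && Files.isWritable(dir);
            default:        return false;
        }
    }

    public static void main(String[] args) {
        // The grant as posted in the thread, and the same grant without "execute".
        FilePermission asPosted  = new FilePermission("/home/-", "read,write,delete,execute");
        FilePermission noExecute = new FilePermission("/home/-", "read,write,delete");

        String file = args.length > 0 ? args[0] : "/home/alice/public_html/data.txt";
        Path path = Paths.get(file);

        System.out.printf("%-8s %-10s %-11s %-6s %s%n",
                "action", "as-posted", "no-execute", "unix", "effective");
        for (String action : new String[] {"read", "write", "delete", "execute"}) {
            boolean policy = policyAllows(noExecute, file, action);
            boolean unix = osAllows(path, action);
            // Access is granted only when BOTH layers agree.
            System.out.printf("%-8s %-10b %-11b %-6b %b%n", action,
                    policyAllows(asPosted, file, action), policy, unix, policy && unix);
        }
        // "/home/-" is recursive but does not reach outside /home.
        System.out.println("policy covers /etc/passwd read: "
                + policyAllows(noExecute, "/etc/passwd", "read"));
    }
}
```

Run it as the account Tomcat runs under: the unix column reflects that account's access, so a file mode that excludes it yields false in the last column whatever the policy grants.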




tomcat/unix security manager questions

2002-08-18 Thread Richard Smith


Hi All,

Just wondering if you could help me clarify a few questions I have about
tomcat and catalina.policy. I'm running tomcat 4.0.4 (w/ security manager)
with mod_jk on solaris with about 300+ users, all of whom can deploy
jsp/servlets from their public_html directory.

A user requirement is that they must be able to read/write files in their
home directory. This is what I'm a little confused about. I understand I
can put an entry like:

permission java.io.FilePermission "/home/-", "read,write,delete,execute";

in catalina.policy, but how does this enable tomcat to write to other
users' home directories (when tomcat is running as a user with minimal
privileges)? Or must I change permissions on the file to allow the user
that is running tomcat to write to it (is this the normal practice?).

Also, this is probably more a java question, but do standard unix
permissions always take precedence over what is set in catalina.policy?
(In my understanding the unix permissions take precedence, but I just
wanted to make sure (please excuse my java ignorance))

Any help appreciated,

Cheers,

