Re: [OT] Re: CentOS Tomcat install seems to ignore setenv.sh
Chris,

> On 13.05.2020 at 16:42, Christopher Schultz wrote:
>
> Peter,
>
> On 5/13/20 02:48, logo wrote:
>> Hi calder,
>>
>>> On 13.05.2020 at 04:59, calder wrote:
>>>
>>> On Tue, May 12, 2020, 21:48 kohmoto wrote:
>>>> Hi, Calder,
>>>> Thank you for your prompt reply. I think Tomcat binary files all have
>>>> root privileges. Should these privileges be changed to user privileges?
>>>
>>> Yes.
>>
>> I would suggest leaving the binaries and maybe even config files
>> to root or any other admin. So a hacked tomcat process under tomcat
>> user will not be able to exchange config or even binaries.
>
> Yes! There really is no need for Tomcat to modify its own config files
> or binaries.
>
>> That will only work if the config will not be changed via
>> host-manager or programmatically.
>
> This shouldn't be too much of a problem. Not many people use the
> host-manager.
>
>> In the past we even held the installed webapps under a different
>> user, but that may be difficult in automated deployments.
>
> This is less important IMO. The owner of the files can be anybody...
> just not the Tomcat user.
>
> And, before anybody says "but.. but... Docker!" you should remember
> that root in a Docker container often ends up having many more
> privileges outside the container than you think it does/should.

Never ignore this! As simple as adding the following to your Dockerfile

    # create a dedicated service account with no login shell
    # (nologin lives at /usr/sbin/nologin on Debian-based images; adjust the path to your base image)
    RUN set -x \
        && groupadd tomcat \
        && useradd -g tomcat -s /usr/bin/nologin -m -d /home/tomcat tomcat \
        # hand only the directories Tomcat writes at runtime to the service account
        && chown -R tomcat:tomcat $CATALINA_HOME/logs $CATALINA_HOME/work $CATALINA_HOME/temp # add $CATALINA_HOME/webapps if you use the manager-app

    # every later instruction, and the container process itself, runs unprivileged
    USER tomcat

before running the ENTRYPOINT or CMD.

BTW: that is something that is really missing in the "Official" Tomcat Docker images. (I know they are not maintained by ASF)

Peter

> -chris
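The ownership split discussed above (service account owns logs/, work/ and temp/, but must not be able to touch bin/, conf/ or lib/) is easy to get wrong in an image build or a `chown -R` on the whole tree. The audit function below is an added example, not code from this thread or from the Tomcat project; it assumes a Linux host or container with POSIX `find`, and the directory lists and finding labels (`OWNED_BY_SERVICE_USER`, `WORLD_WRITABLE`, ...) are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Tomcat tree for the ownership
# split Peter and Chris describe. The service account must not own or be able
# to write bin/, conf/ and lib/, but needs write access to logs/, work/ and
# temp/. Directory names and finding labels are this example's own choices.
#
# Usage: audit_tomcat_home CATALINA_HOME SERVICE_USER [SERVICE_GROUP]
# Prints one finding per line; returns 0 when clean, 1 when anything is found.

# Trees the service account must not be able to modify. Add webapps here
# unless you deploy through the manager app, which writes into it.
TOMCAT_RO_DIRS=${TOMCAT_RO_DIRS:-"bin conf lib"}
# Trees Tomcat writes at runtime; these must belong to the service account.
TOMCAT_RW_DIRS=${TOMCAT_RW_DIRS:-"logs work temp"}

audit_tomcat_home() {
    home=$1
    svc_user=$2
    svc_group=${3:-$2}
    report=$(mktemp)

    for d in $TOMCAT_RO_DIRS; do
        dir="$home/$d"
        [ -d "$dir" ] || continue
        # Anything the service account owns here it can chmod and rewrite.
        find "$dir" -user "$svc_user" \
            -exec printf 'OWNED_BY_SERVICE_USER %s\n' {} \; >>"$report"
        # Group-writable entries in the service group are just as bad.
        find "$dir" -group "$svc_group" -perm -g+w \
            -exec printf 'GROUP_WRITABLE %s\n' {} \; >>"$report"
        # World-writable entries are modifiable by every local account.
        find "$dir" -perm -o+w \
            -exec printf 'WORLD_WRITABLE %s\n' {} \; >>"$report"
    done

    for d in $TOMCAT_RW_DIRS; do
        dir="$home/$d"
        if [ ! -d "$dir" ]; then
            printf 'MISSING_RUNTIME_DIR %s\n' "$dir" >>"$report"
        else
            # The directory itself must be owned by the service user or be
            # group-writable for the service group, or Tomcat cannot write
            # logs and compiled JSPs at startup.
            writable=$(find "$dir" -maxdepth 0 \( -user "$svc_user" -o \( -group "$svc_group" -perm -g+w \) \) -print)
            if [ -z "$writable" ]; then
                printf 'NOT_WRITABLE_BY_SERVICE_USER %s\n' "$dir" >>"$report"
            fi
        fi
    done

    cat "$report"
    count=$(wc -l <"$report" | tr -d ' ')
    rm -f "$report"
    [ "$count" -eq 0 ]
}
```

Run it as root (or any account that can read the whole tree) after the image build or package install, e.g. `audit_tomcat_home /opt/tomcat tomcat`; a non-zero exit makes it usable as a CI gate, and the findings name the exact paths whose ownership or mode needs correcting.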
Re: [OT] Re: CentOS Tomcat install seems to ignore setenv.sh
Peter,

On 5/13/20 02:48, logo wrote:
> Hi calder,
>
>> On 13.05.2020 at 04:59, calder wrote:
>>
>> On Tue, May 12, 2020, 21:48 kohmoto wrote:
>>
>>> Hi, Calder,
>>>
>>> Thank you for your prompt reply. I think Tomcat binary files
>>> all have root privileges. Should these privileges be
>>> changed to user privileges?
>>
>> Yes.
>
> I would suggest leaving the binaries and maybe even config files
> to root or any other admin. So a hacked tomcat process under tomcat
> user will not be able to exchange config or even binaries.

Yes! There really is no need for Tomcat to modify its own config files
or binaries.

> That will only work if the config will not be changed via
> host-manager or programmatically.

This shouldn't be too much of a problem. Not many people use the
host-manager.

> In the past we even held the installed webapps under a different
> user, but that may be difficult in automated deployments.

This is less important IMO. The owner of the files can be anybody...
just not the Tomcat user.

And, before anybody says "but.. but... Docker!" you should remember
that root in a Docker container often ends up having many more
privileges outside the container than you think it does/should.
-chris
Re: [OT] Re: CentOS Tomcat install seems to ignore setenv.sh
Hi, Logo,

My current practice is as you suggest. Thank you for your advice.

Yours truly,
Kazuhiko Kohmoto

On 2020/05/13 15:48, logo wrote:
> Hi calder,
>
>> On 13.05.2020 at 04:59, calder wrote:
>>
>> On Tue, May 12, 2020, 21:48 kohmoto wrote:
>>> Hi, Calder,
>>> Thank you for your prompt reply. I think Tomcat binary files all have
>>> root privileges. Should these privileges be changed to user privileges?
>>
>> Yes.
>
> I would suggest leaving the binaries and maybe even config files to root
> or any other admin. So a hacked tomcat process under tomcat user will not
> be able to exchange config or even binaries.
>
> That will only work if the config will not be changed via host-manager
> or programmatically.
>
> In the past we even held the installed webapps under a different user,
> but that may be difficult in automated deployments.
>
> My 2cts.
>
> Peter
>
>> There is a "Tomcat Security" guide at the Tomcat website. Also, Mulesoft
>> has a good guide
>> https://www.mulesoft.com/tcat/tomcat-security
>>
>>> Yours truly,
>>> Kazuhiko Kohmoto
>>>
>>> On 2020/05/13 11:17, calder wrote:
>>>> If TC, running as root, is ever compromised, the compromising user
>>>> (attacker) can gain access to the whole of the system. The attacker
>>>> could execute any arbitrary command available on the system. They
>>>> could remove files, or install malicious software.
[OT] Re: CentOS Tomcat install seems to ignore setenv.sh
Hi calder,

> On 13.05.2020 at 04:59, calder wrote:
>
> On Tue, May 12, 2020, 21:48 kohmoto wrote:
>
>> Hi, Calder,
>>
>> Thank you for your prompt reply.
>> I think Tomcat binary files all have root privileges.
>> Should these privileges be changed to user privileges?
>
> Yes.

I would suggest leaving the binaries and maybe even config files to root or any other admin. So a hacked tomcat process under tomcat user will not be able to exchange config or even binaries.

That will only work if the config will not be changed via host-manager or programmatically.

In the past we even held the installed webapps under a different user, but that may be difficult in automated deployments.

My 2cts.

Peter

> There is a "Tomcat Security" guide at the Tomcat website. Also, Mulesoft
> has a good guide
> https://www.mulesoft.com/tcat/tomcat-security
>
>> Yours truly,
>> Kazuhiko Kohmoto
>>
>> On 2020/05/13 11:17, calder wrote:
>>> If TC, running as root, is ever compromised, the compromising user
>>> (attacker) can gain access to the whole of the system. The attacker
>>> could execute any arbitrary command available on the system. They could
>>> remove files, or install malicious software.