Re: Tomcat SecurityListener

2020-10-14 Thread Christopher Schultz
Shawn,

On 10/12/20 15:59, Beard, Shawn wrote:
> Tomcat 9.0.31.0 loads a org.apache.catalina.security.SecurityListener by
> default in the catalina.sh file.

This comes from server.xml, and it's not "on" by default.

> This SecurityListener also sets the UMASK of files to 0027. This has the
> effect of any file tomcat creates or the app running in tomcat creates
> with permissions or -rw-r-

This is untrue: SecurityListener does not set any umask (nor can it). It
simply checks the effective umask (as passed into the JVM as a system
property) against a configured minimum.

> This is causing a problem for us as it prevents certain people from
> being able to read log files or read any file the application might
> create. Putting these users in the group of the user that tomcat runs as
> is not an option.

:(

> I’ve tried changing the catalina.sh to set the UMASK to something like
> 0022 but that prevents tomcat from starting with an error that it has to
> be at least as restrictive as 0027.

Do not change catalina.sh. Instead, use $CATALINA_BASE/setenv.sh to set
the UMASK environment variable (which should work).

> I’ve also tried setting the UMASK to 0022 in the setenv.sh with same
> results.

Good. Well, not good. But I mean, good that you are using setenv.sh.

> I’m hesitant to comment out the loading of the security listener in
> catalina.sh as I don’t want to disable anything else important that it
> may be doing from a security standpoint.

It's verifying the minimum umask and that you aren't running as any of
the configured OS usernames (default: "root").

I suspect if you disable the SecurityListener you will find that nothing
changes: your umask will still be ignored for some reason.

> Does anyone have any ideas as to a workaround?

How are you launching Tomcat?

-chris
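A worked example of the two checks Chris describes, added here as an
illustration; it is not Tomcat's own code and not part of the thread. It is a
shell model of what SecurityListener does with the umask and the OS user, and
of the catalina.sh step that feeds it, so you can predict whether a given
UMASK will be accepted before restarting Tomcat. The assumptions come from the
Tomcat source rather than from this thread: catalina.sh defaults UMASK to 0027
and passes the effective umask to the JVM as the system property
org.apache.catalina.security.SecurityListener.UMASK; the listener's
minimumUmask attribute defaults to 0007 and checkedOsUsers to "root". The
function names are ours.

```shell
#!/bin/sh
# Added example (not Tomcat's own code): a shell model of the checks that
# org.apache.catalina.security.SecurityListener performs, plus the step in
# catalina.sh that feeds it. Assumed defaults (from the Tomcat source, not
# this thread): UMASK 0027 in catalina.sh, minimumUmask 0007 and
# checkedOsUsers "root" in the listener. Function names are ours.

# The umask gate: accepted only if every bit of MINIMUM is set in UMASK,
# i.e. the umask is at least as restrictive as the minimum.
umask_accepted() {
    u=$(( 0$1 )) m=$(( 0$2 ))          # leading 0 forces octal
    [ $(( u & m )) -eq "$m" ]
}

# The mode a newly created regular file ends up with (0666 with the umask
# bits cleared); this is what readers of log and batch output files see.
file_mode_for_umask() {
    printf '%04o\n' $(( 0666 & ~0$1 ))
}

# The OS-user gate: refuse to start as any user in the checked list.
os_user_allowed() {
    _user=$1; shift
    for _blocked in "$@"; do
        [ "$_user" = "$_blocked" ] && return 1
    done
    return 0
}

# What catalina.sh does with UMASK (from setenv.sh or the environment):
# apply it, then hand the *effective* umask to the JVM as a system property.
# The subshell keeps the caller's umask untouched.
jvm_umask_property() {
    ( umask "${1:-0027}" && printf '%s%s\n' \
        '-Dorg.apache.catalina.security.SecurityListener.UMASK=' "$(umask)" )
}

# Try the values from the thread against the default minimum of 0007.
for candidate in 0027 0022 0007 0077; do
    if umask_accepted "$candidate" 0007; then verdict=starts; else verdict=BLOCKED; fi
    printf 'UMASK=%s -> new files %s, Tomcat %s\n' \
        "$candidate" "$(file_mode_for_umask "$candidate")" "$verdict"
done
jvm_umask_property 0027
```

Note what the model shows: 0022 is rejected not because 0027 is the floor, but
because the default minimum 0007 requires the "other" bits to be fully masked,
and 0022 leaves o+r open. The umask the listener sees is whatever the shell had
when the JVM was launched, so a UMASK set in setenv.sh only counts if the
process is actually started through catalina.sh with that file in effect.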




RE: Tomcat SecurityListener [EXTERNAL]

2020-10-13 Thread Beard, Shawn
No they are not user provided files. There is an application running in tomcat 
that does some batch processing and it generates files to be published to other 
systems. However we are migrating from WebSphere to Tomcat and they need to see 
the files for now to make sure the content of the file is correct.


Shawn Beard
Sr. Systems Engineer | BTS
Middleware Engineering | +1-515-564-2528 | sbe...@wrberkley.com


Re: Tomcat SecurityListener

2020-10-12 Thread Mark Eggers

Shawn,

On 10/12/2020 12:59 PM, Beard, Shawn wrote:
> [...]



I don't know what your security or audit requirements are. These are 
some options off the top of my head.


1. Service account for the user that runs Tomcat
You don't run Tomcat as root, correct?

You could then have a list of authorized sudoers, use two factor 
authentication (maybe for both the users and the service account), and 
audit both the service account and the sudoers accounts.


Prevent the service account from being accessed directly.

2. Remote logging
This would take care of needing to access log files on the server, but 
it would not allow anyone to audit application-created files.


Speaking of application-created files, I hope that these are not 
user-provided files that are then directly accessible. Without careful 
auditing, that can lead to some pretty serious security breaches.


. . . just my two cents.
/mde/


Tomcat SecurityListener

2020-10-12 Thread Beard, Shawn
Tomcat 9.0.31.0 loads a org.apache.catalina.security.SecurityListener by 
default in the catalina.sh file.

This SecurityListener also sets the UMASK of files to 0027. This has the effect 
of any file tomcat creates or the app running in tomcat creates with 
permissions or -rw-r-

This is causing a problem for us as it prevents certain people from being able 
to read log files or read any file the application might create. Putting these 
users in the group of the user that tomcat runs as is not an option.

I’ve tried changing the catalina.sh to set the UMASK to something like 0022 but 
that prevents tomcat from starting with an error that it has to be at least as 
restrictive as 0027.

I’ve also tried setting the UMASK to 0022 in the setenv.sh with same results.

I’m hesitant to comment out the loading of the security listener in catalina.sh 
as I don’t want to disable anything else important that it may be doing from a 
security standpoint.

Does anyone have any ideas as to a workaround?

Shawn Beard, Sr. Systems Engineer
Middleware Engineering
3840 109th Street, Urbandale, IA 50322
Phone: +1-515-564-2528
Email: sbe...@wrberkley.com
Website: https://berkleytechnologyservices.com/

CONFIDENTIALITY NOTICE: This e-mail and the transmitted documents contain 
private, privileged and confidential information belonging to the sender. The 
information therein is solely for the use of the addressee. If your receipt of 
this transmission has occurred as the result of an error, please immediately 
notify us so we can arrange for the return of the documents. In such 
circumstances, you are advised that you may not disclose, copy, distribute or 
take any other action in reliance on the information transmitted.