Re: Tomcat log files - Strict permissions - setuid
On Thu, Dec 03, 2015 at 10:42:40AM -0300, Andres Riancho wrote:
> List,
>
> I'm trying to secure my tomcat instances. One of the steps I took
> was to run the tomcat process using the non-privileged "tomcat" user,
> and set the file system permissions as restrictive as possible. It all
> works well, but there is something missing: "The tomcat user is able
> to read the access log files":
>
> root@7083cdc8e2fc:/apps/tomcat/logs# ls -la
> ...
> -rw-rw 1 tomcat tomcat0 Dec 1 19:46
> 0.0.0.0_access_log.2015-12-01.txt

One fancier approach would be to configure a log sink which passes records to another process through a socket -- syslog, for example. There are syslog Handler implementations for java.util.logging, or you could cook up a custom log recorder to receive from the stock j.u.l.SocketHandler, or you could configure Tomcat to use slf4j/logback and its syslog appender. This will not be simple but it will be quite adaptable. You should probably look at simpler methods first.

> Is there any way to configure tomcat to be able to write to the
> access log file, but have the file owned by root with permissions 600?
> I understand that this is done by starting the tomcat process as root
> and then dropping privileges using setuid(), but was unable to find
> something already built / well documented.

That is what the Commons Daemon tool (jsvc) is for. That should be a lot simpler.

-- 
Mark H. Wood
Lead Technology Analyst
University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu
Re: Tomcat log files - Strict permissions - setuid
Andres,

On 12/3/15 8:42 AM, Andres Riancho wrote:
> List,
>
> I'm trying to secure my tomcat instances. One of the steps I took
> was to run the tomcat process using the non-privileged "tomcat" user,
> and set the file system permissions as restrictive as possible. It all
> works well, but there is something missing: "The tomcat user is able
> to read the access log files":
>
> root@7083cdc8e2fc:/apps/tomcat/logs# ls -la
> ...
> -rw-rw 1 tomcat tomcat0 Dec 1 19:46
> 0.0.0.0_access_log.2015-12-01.txt
>
> Is there any way to configure tomcat to be able to write to the
> access log file, but have the file owned by root with permissions 600?
> I understand that this is done by starting the tomcat process as root
> and then dropping privileges using setuid(), but was unable to find
> something already built / well documented.

How do you launch Tomcat? If you use the scripts, you could use something like bin/setenv.sh to check the permissions of the log files and refuse to start if they aren't the way you want them.

For files that don't already exist, you'll have to refuse to start if they don't exist, because a process can't create a new file owned by another user. You'd have to disable file-rotation because of the same problem.

Are you more worried about a hostile web application running within your server, a hostile remote user, a vulnerability in a web application, or a vulnerability in Tomcat?

-chris
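As an added example (not code from this thread, from Tomcat or from jsvc), the two halves of the pattern the replies above describe, written in Python for illustration: a start-up check in the spirit of Chris's setenv.sh idea that refuses anything but a root-owned, mode 600, regular log file, and the open-as-root-then-setuid sequence that jsvc performs on Tomcat's behalf. The function names, the run_uid/run_gid parameters and the constructed temporary files are assumptions for the demo.

```python
import os
import stat
import tempfile


def log_permission_problems(path, owner_uid=0, mode=0o600):
    """Return the reasons why `path` is not an acceptable privileged log file.
    An empty list means: regular file, owned by owner_uid, mode bits exactly `mode`."""
    problems = []
    try:
        st = os.lstat(path)  # lstat: a symlink dropped into the log dir must not pass
    except FileNotFoundError:
        # As noted in the thread, the unprivileged process cannot create this file itself.
        return ["missing (a non-root process cannot create a root-owned file)"]
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file (symlinks are refused on purpose)")
    if st.st_uid != owner_uid:
        problems.append(f"owner uid {st.st_uid} != {owner_uid}")
    if stat.S_IMODE(st.st_mode) != mode:
        problems.append(f"mode {stat.S_IMODE(st.st_mode):o} != {mode:o}")
    return problems


def open_log_then_drop_privileges(path, run_uid, run_gid):
    """Requires root (hypothetical launcher step, the job jsvc does for Tomcat).
    Open or create the log as root:600, then switch to run_uid/run_gid. The returned
    descriptor stays writable, but the unprivileged process can no longer reopen the file."""
    fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW, 0o600)
    os.fchown(fd, 0, 0)
    os.fchmod(fd, 0o600)
    os.setgroups([])       # drop supplementary groups first, while still root
    os.setgid(run_gid)     # then the group, then the uid: the reverse order would fail
    os.setuid(run_uid)
    return fd


def demo():
    """Constructed sample files owned by the current user; returns the checker's verdicts
    for a correct file, a too-loose file and a missing file."""
    tmp = tempfile.mkdtemp()
    me = os.getuid()
    good, loose = os.path.join(tmp, "access_log.good"), os.path.join(tmp, "access_log.loose")
    with open(good, "w"), open(loose, "w"):
        pass
    os.chmod(good, 0o600)
    os.chmod(loose, 0o640)
    return (log_permission_problems(good, owner_uid=me),
            log_permission_problems(loose, owner_uid=me),
            log_permission_problems(os.path.join(tmp, "absent"), owner_uid=me))


if __name__ == "__main__":
    print(demo())
```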
Tomcat log files - Strict permissions - setuid
List,

I'm trying to secure my tomcat instances. One of the steps I took was to run the tomcat process using the non-privileged "tomcat" user, and set the file system permissions as restrictive as possible. It all works well, but there is something missing: "The tomcat user is able to read the access log files":

root@7083cdc8e2fc:/apps/tomcat/logs# ls -la
...
-rw-rw 1 tomcat tomcat0 Dec 1 19:46 0.0.0.0_access_log.2015-12-01.txt

Is there any way to configure tomcat to be able to write to the access log file, but have the file owned by root with permissions 600? I understand that this is done by starting the tomcat process as root and then dropping privileges using setuid(), but was unable to find something already built / well documented.

Ideas?

Regards,
-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3