Konstantin -
Interesting points. See comments in-line.
Jeff

> -----Original Message-----
> From: Konstantin Preißer [mailto:kpreis...@apache.org]
> Sent: Wednesday, December 18, 2013 8:18 AM
> To: 'Tomcat Users List'
> Subject: Some security-related questions / enhancements for the Windows
> Installer
> 
> Hi,
> 
> while I normally only use the .zip distributions of Tomcat, I just had
> a look at the Windows Service Installer for Tomcat 8.0.0-RC9.
> 
> There are some points related to security which I noticed that could be
> improved:
> 
> 1) When installing Tomcat with the Windows Service Installer, it
> installs by default in "%ProgramFiles%\Apache Software
> Foundation\Tomcat 8.0". A problem that I see here is that this
> directory is intended to be the place for binaries of programs that
> every user who has an account on this Windows installation should be
> able to use. However, by default, Tomcat places not only binaries, but
> also data (conf, logs, webapps, work, temp) in this directory (I think
> it's possible to run Tomcat with a different data directory by setting
> a different CATALINA_BASE env, but the Installer doesn't seem to do
> this).
> 
> This means e.g. if you have some passwords in your Tomcat config, every
> other user on the server will be able to read them (or, webapp binaries
> which you place in the webapps directory, etc.).
> Of course, a user which installs a program on the server should know
> how to secure the data, but I think an Installer should make sure that
> by default, everything is secure.
> 
> So, in this case maybe it could display an option to automatically
> adjust file permissions, and if it is selected, adjust the directory
> ACLs of the "Tomcat 8" directory to only allow full access for "NT
> AUTHORITY\SYSTEM" and "BUILTIN\Administrators", but don't allow read
> access for ordinary users.
> (For Example, if you install Microsoft SQL Server 2012, it will place
> binaries and data files into C:\Program Files\Microsoft SQL Server, but
> the setup adjusts the permissions for the DATA directory so that
> ordinary users can't access it.)
> 
[Jeff Janner] Not so much of a problem, since in normal usage, only admins 
should be allowed to login directly into the server, and the Program Files 
directory is not normally shared to the network.
However, it never hurts to tighten the file system security.

> 
> 2) By default, the installer sets the Tomcat Service to run under the
> LocalSystem account which has administrative privileges.
> 
> Normally, Tomcat shouldn't run as root/Administrator user for security
> reasons. I think an alternative would be to run as NetworkService which
> is a user that exists by default and doesn't have administrative
> privileges (i.e. it has only normal user rights) [1].
> AFAIK, this user can only be used for running services, but it cannot be
> used with things like the "runas" command so every other user will not
> be able to access data with NetworkUser privileges. (This is also done
> e.g. by VisualSVN Server - it runs as NetworkService.)
> 
> Note that in this case, if 1) is applied, the installer would need to
> additionally give full access to the NetworkService for the "Tomcat 8"
> directory.
> 
[Jeff Janner] I would argue for using NT AUTHORITY/LocalService instead.  The 
NetworkService account is less secure as it grants access to other systems in 
the network using the computer's access credentials.  The LocalService 
generally does not grant access to network resources (actually as "anonymous"), 
so it is the more secure user, and in general, Tomcat should not be accessing 
remote file systems anyway.

> 
> 3) When running the installer, it asks for the Server Shutdown port
> which has a value of "8005" by default. However, when running Tomcat as
> a service, the shutdown port is not needed as the daemon service
> wrapper implements the logic to shutdown Tomcat. Shouldn't the shutdown
> port in this case automatically be set to "-1" to disable it, for security
> reasons? Otherwise other users would be able to shutdown Tomcat by
> connecting to the shutdown port.
> 
[Jeff Janner]  +1
I do this on every install, but most newbies might not know to make the change.
> 
> What do you think?
> 
[Jeff Janner] 
There's a number of additional changes that could be implemented. For example:

The Procrun directory gets created as whatever you put in the Service Name 
fields, but the display name gets set to "Apache Tomcat %release% 
%service_name%".  So, if you install a service name of "DEV" at release 7, and 
want to keep the name for the 8.0 install and run in parallel, you can't.  The 
display names are OK, but the service name won't be unique and Procrun can't 
create a separate registry entry for the new version.  Perhaps adding the 
release# to the service name for the Procrun install only would be helpful?

Go ahead and sign the installer executable already.  That warning on startup is 
annoying.

> 
> [1] http://msdn.microsoft.com/en-
> us/library/windows/desktop/ms684272%28v=vs.85%29.aspx
> 
> 
> Thanks & Regards,
> Konstantin Preißer
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 
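The three points discussed above (directory ACLs, service account, shutdown port) can be audited and, if wanted, fixed with a short PowerShell script. The following is an added example, not code from this thread or from the Tomcat project or its installer. It assumes the default install path and the service name `Tomcat8` (both assumptions), an elevated PowerShell session, and a `conf\server.xml` whose root element is `<Server port="...">`; the `LocalService` default follows Jeff's argument above, and the ACL step grants the service account full access to the whole directory as Konstantin describes (a tighter split, read-only on `bin` and write only on `logs`, `work` and `temp`, is possible but not shown).

```powershell
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# Identities that should not hold rights on a tree containing conf/ and webapps/.
$BroadIdentities = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')

function Get-TomcatHardeningFindings {
    param(
        [Parameter(Mandatory)] [string]$InstallDir,   # assumed: "$env:ProgramFiles\Apache Software Foundation\Tomcat 8.0"
        [Parameter(Mandatory)] [string]$ServiceName   # assumed: 'Tomcat8'
    )
    $findings = @()

    # 1) Directory ACL: flag any Allow rule (own or inherited from Program Files) for a broad group.
    $acl = Get-Acl -Path $InstallDir
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -eq 'Allow' -and $BroadIdentities -contains $rule.IdentityReference.Value) {
            $findings += "ACL: '$($rule.IdentityReference)' has $($rule.FileSystemRights) on $InstallDir (inherited: $($rule.IsInherited))"
        }
    }

    # 2) Service account: LocalSystem is administrative; flag it.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found" }
    if ($svc.StartName -eq 'LocalSystem') {
        $findings += "Service: '$ServiceName' runs as LocalSystem (administrative)"
    }

    # 3) Shutdown port: <Server port="8005"> in conf/server.xml; "-1" disables the listener.
    $serverXml = Join-Path $InstallDir 'conf\server.xml'
    [xml]$xml = Get-Content -Path $serverXml -Raw
    $port = $xml.Server.GetAttribute('port')
    if ($port -ne '-1') {
        $findings += "Shutdown port: server.xml has port=`"$port`"; set it to -1 when Tomcat runs as a service"
    }
    return $findings
}

function Invoke-TomcatHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]$InstallDir,
        [Parameter(Mandatory)] [string]$ServiceName,
        [string]$ServiceAccount = 'NT AUTHORITY\LocalService'   # LocalService per the reply above; NetworkService also works
    )

    # 1) Stop inheriting the Program Files ACL and keep only SYSTEM, Administrators and the service account.
    if ($PSCmdlet.ShouldProcess($InstallDir, 'Replace directory ACL')) {
        $acl = Get-Acl -Path $InstallDir
        $acl.SetAccessRuleProtection($true, $false)      # disable inheritance, do not copy inherited ACEs
        foreach ($existing in @($acl.Access | Where-Object { -not $_.IsInherited })) {
            [void]$acl.RemoveAccessRule($existing)       # drop any explicit ACEs left by the installer
        }
        foreach ($id in @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', $ServiceAccount)) {
            $rule = [System.Security.AccessControl.FileSystemAccessRule]::new($id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
            $acl.AddAccessRule($rule)
        }
        Set-Acl -Path $InstallDir -AclObject $acl
    }

    # 2) Change the service logon account (sc.exe needs the space after "obj=").
    if ($PSCmdlet.ShouldProcess($ServiceName, "Run as $ServiceAccount")) {
        & sc.exe config $ServiceName obj= $ServiceAccount
        if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }
    }

    # 3) Disable the shutdown port; the service wrapper stops Tomcat without it.
    $serverXml = Join-Path $InstallDir 'conf\server.xml'
    if ($PSCmdlet.ShouldProcess($serverXml, 'Set shutdown port to -1')) {
        [xml]$xml = Get-Content -Path $serverXml -Raw
        $xml.Server.SetAttribute('port', '-1')
        $xml.Save($serverXml)
    }
    # Changes to the account and server.xml take effect on the next service start.
}

# Usage (elevated PowerShell; paths and names are the assumptions stated above):
#   $dir = "$env:ProgramFiles\Apache Software Foundation\Tomcat 8.0"
#   Get-TomcatHardeningFindings -InstallDir $dir -ServiceName 'Tomcat8'
#   Invoke-TomcatHardening -InstallDir $dir -ServiceName 'Tomcat8' -WhatIf     # dry run
#   Invoke-TomcatHardening -InstallDir $dir -ServiceName 'Tomcat8'; Restart-Service 'Tomcat8'
```

Run the audit first: on a stock installer layout it reports the inherited `BUILTIN\Users` read rule, the `LocalSystem` logon and `port="8005"`, which are exactly the three findings the thread raises. The hardening function supports `-WhatIf`, so each step can be previewed before anything is changed.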
