The tomcat processes, as installed, run as the user/group www:www. This is fine. However, looking at the ports (all of the tomcat ports, and this problem extends to other java ports too), the install scripts are overly generous in giving away installed files to www:www.

This is problematic because it means that the process (and, in the absence of a properly-configured policy file - note jboss ports install a policy file, but it permits "anything") can write to its own executables - including the "tomcat50ctl" file. Thus, malicious webapps can "leak" out and corrupt their container. It's not really an example of "defense in depth". Additionally, you're at risk from any other process running under www:www - for example, a CGI script.

Fix:

The first permission problem is pretty straightforward, and can be fixed by only giving the tomcat user (www:www) ownership to the webapps, work, temp and logs subdirectories - everything else can be owned by root. When it comes to it, a slightly smarter tomcat*ctl program can be made suid root rather than sugid www:www; capturing the tomcat process PID isn't overly difficult.

Fixing the "executable" parts of the tomcat, jboss installations to be immutable to non-root users would be a great start however.

How-To-Repeat:

Install any jakarta-tomcat, or jboss (or possibly other, that's as far as I've checked) port.
State Changed From-To: open->feedback
Maintainer and community feedback requested.

Responsible Changed From-To: freebsd-ports-bugs->freebsd-java
Over to the FreeBSD Java community. I'll be the one in charge of this PR anyway.

State Changed From-To: feedback->open

Responsible Changed From-To: freebsd-java->hq
I'll handle this. This is the last improvement to be applied to www/jakarta-tomcat55 before we merge back all recent improvements into other Tomcat ports.

Responsible Changed From-To: hq->lawrance
With hq's permission, handle this PR.

State Changed From-To: open->closed
This change was committed to tomcat 4, 4.1, 5, and 5.5. After some advice and experimentation, I settled on installing the conf/, logs/, temp/, and work/ directories as the WWW user. Please report back any issues. Thanks for your submission!
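One way to check an installed tree against the ownership split discussed in this PR (an added example, not code from the PR or from the ports' install scripts): a POSIX sh function that lists every path a given uid/gid could modify outside the directories it is meant to own. The function names, the sample tree and its file names are constructed for illustration, and the sample tree is owned by the invoking user as a stand-in for www so it can be built without root.

```shell
#!/bin/sh
# audit_tree ROOT UID GID ALLOWED_DIR...
# Prints, relative to ROOT, each path that UID owns, that GID can write via
# group permission, or that is world-writable, unless it lies under one of
# the ALLOWED_DIR top-level directories (e.g. webapps work temp logs).
audit_tree() {
    root=${1%/}; uid=$2; gid=$3
    shift 3
    allowed=" $* "
    find "$root" ! -type l \
        \( -user "$uid" -o \( -group "$gid" -perm -0020 \) -o -perm -0002 \) \
        -print |
    while IFS= read -r path; do
        rel=${path#"$root"}; rel=${rel#/}
        if [ -z "$rel" ]; then
            echo .                      # the install root itself is modifiable
            continue
        fi
        top=${rel%%/*}                  # first path component under ROOT
        case "$allowed" in
            *" $top "*) ;;              # inside a directory the account may own
            *) printf '%s\n' "$rel" ;;
        esac
    done | LC_ALL=C sort
}

# Constructed sample: a miniature Tomcat-like layout, everything owned by the
# invoking user, mimicking an install that gave the whole tree to one account.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/bin" "$t/conf" "$t/webapps" "$t/work" "$t/temp" "$t/logs"
    : > "$t/bin/tomcat50ctl"
    : > "$t/conf/server.xml"
    : > "$t/webapps/app.war"
    : > "$t/logs/catalina.out"
    printf '%s\n' "$t"
}

# Stand-alone use: sh audit.sh /path/to/tomcat UID GID webapps work temp logs
if [ "$#" -ge 3 ]; then
    audit_tree "$@"
fi
```

Any line of output is a path the service account can still alter; after the committed change, running it with `conf logs temp work` as the allowed set should print nothing on a correctly installed port.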