Author: markt
Date: Wed Jan 19 01:01:42 2011
New Revision: 1060643

URL: http://svn.apache.org/viewvc?rev=1060643&view=rev
Log:
Expand the non-Tomcat settings section

Modified:
    tomcat/trunk/webapps/docs/security-howto.xml

Modified: tomcat/trunk/webapps/docs/security-howto.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/security-howto.xml?rev=1060643&r1=1060642&r2=1060643&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/security-howto.xml (original)
+++ tomcat/trunk/webapps/docs/security-howto.xml Wed Jan 19 01:01:42 2011
@@ -50,11 +50,25 @@
   <section name="Non-Tomcat settings">
     <p>Tomcat configuration should not be the only line of defense. The other
     components in the system (operating system, network, database, etc.) should
-    also be secured. For the operating system, consider limiting the privileges
-    of the user under which Tomcat is running and limiting access to Tomcat's
-    files by other users. At the network level, consider using a firewall to
-    limit both incoming and outgoing connections to only those connections you 
-    expect to be present.</p>
+    also be secured.</p>
+    <p>Tomcat should not be run under the root user. Create a dedicated user 
for
+    the Tomcat process and provide that user with the minimum necessary
+    permissions for the operating system. For example, it should not be 
possible
+    to log on remotely using the Tomcat user.</p>
+    <p>File permissions should also be suitable restricted. Taking the Tomcat
+    instances at the ASF as an example (where auto-deployment is disabled and
+    web applications are deployed as exploded directories), the standard
+    configuration is to have all Tomcat files owned by root with group Tomcat
+    and whilst owner has read/write priviliges, group only has read and world
+    has no permissions. The exceptions are the logs, temp and work directory
+    that are owned by the Tomcat user rather than root. This means that even if
+    an attacker compromises the Tomcat process, they can&apos;t change the
+    Tomcat configuration, deploy new web applications or modify existing web
+    applications. The Tomcat process runs with a umask of 007 to maintain these
+    permissions.</p>
+    <p>At the network level, consider using a firewall to limit both incoming
+    and outgoing connections to only those connections you  expect to be
+    present.</p>
   </section>
   
   <section name="Default web applications">
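Review bot: The claim in the new file-permissions paragraph that a compromised Tomcat process "can't change the Tomcat configuration, deploy new web applications or modify existing web applications" is slightly too strong as written and should be qualified: the work directory, which the same paragraph says is owned by the Tomcat user, is where Tomcat writes the classes compiled from JSPs, so an attacker controlling the process can still write loadable code there even though the configuration files and the deployed application files stay read-only to it. Two typos in the same paragraph: "suitable restricted" should read "suitably restricted" and "priviliges" should read "privileges". It would also help to spell out what the umask of 007 achieves (new files get owner and group read/write, world nothing), since that is the reason the logs, temp and work directories keep the same model as the root-owned files, and the double space in "you  expect" in the firewall paragraph should be collapsed.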
@@ -210,14 +224,15 @@
     </subsection>
     
     <subsection name="Valves">
-      <p>It is strongly recommended that an AccessLogValve is configured. These
-      are normally configured per host but may also be configured per engine or
-      per context as required.</p>
+      <p>It is strongly recommended that an AccessLogValve is configured. The
+      default Tomcat configuration includes an AccessLogValve. These are
+      normally configured per host but may also be configured per engine or per
+      context as required.</p>
       
       <p>Any administrative application should be protected by a
       RemoteAddressValve. (Note that this Valve is also available as a Filter.)
-      The <strong>allow</strong> attribute should be used to limit access to a 
set of known
-      trusted hosts.</p>
+      The <strong>allow</strong> attribute should be used to limit access to a
+      set of known trusted hosts.</p>
       
       <p>The default ErrorReportValve includes the Tomcat version number in the
       response sent to clients. To avoid this, custom error handling can be


