On 2014-03-13 11:57 AM, André Warnier wrote:
> Yes, I cannot really think off-hand of any serious problem that this may
> cause.
> Basically, it all depends on the context.
> If this is a one-off thing that you are doing, on your personal website,
> on a server on which there is no really critical information and which
> is not open to all on the Internet etc.. then it is one context.
> You still have to be a bit careful so that this does not make your
> server into an ideal base for a hacker, to use it to do nasty things
> elsewhere.
> And you don't want to open your site to script kiddies who have nothing
> better to do in life than crashing other people's work (there are people
> like that).
> But it is not critical.

This is not my context.

> Another context entirely is if this is a professional website

This is my context.

> that you are setting up for an important customer which you cannot afford to
> lose,

This is not my context. The website is for my company.

> or if this is a "design pattern" for an application which you
> intend to reproduce hundreds of times in the future.

Maybe not hundreds of times but several times possibly.

> In that case, you want something that is airtight, that you can easily
> reproduce, update and maintain, and that will work under Windows as well
> as Linux.
> ("umask" for example would not).

That's right.

> And you would also want something that is not going to be constantly
> flagged as insecure by security audit programs. They may have a set
> pattern of permissions that they expect, and they might not like that
> your webapp directory is "writeable by group".

I understand. Are you thinking about "tiger"?

> Also, there is no guarantee that the webapps directory of a servlet
> engine would be writeable at all. It could be located on some read-only
> device or filesystem.

This is not my case.

> In theory, the webapps directory is supposed to
> contain only *code* to be executed and parameters to be read, not
> writeable data.
> For a writeable area, the servlet container offers specific writeable
> work directories (for temporary files etc.), which are *not* under the
> ../webapps/ dir.
>
> Your choice.

Only I can add files to the exploded webapp directory.
If the other webapp users upload files to the server, they won't go into the exploded webapp directory.

I hope it won't hurt if I grant the write privilege to the owner group of the exploded webapp directory...
Otherwise, only "tomcat6" and "root" can write to this directory.
And as "tomcat6" can't have a shell, only "root" can actually do this (remotely, using "WinSCP" or "SCP" in my case, and it's not safe to log in as "root" in those cases).
This is why I added a "simple" user (not "root") to the "tomcat6" group.
Only this "simple" user has the write permission on the exploded webapp directory, as a member of the "tomcat6" group.

Best regards,
--
Léa Massiot
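The permission model Léa describes (owner and the "tomcat6" group may write to the exploded webapp directory, nobody else), as an added POSIX shell example that is not part of this thread or of Tomcat itself. It builds a constructed webapp tree in a temporary directory, counts two things an audit tool would flag (entries writable by "others", and directories without the setgid bit, which matter because files the "simple" user creates would otherwise belong to that user's primary group rather than "tomcat6"), then applies the corresponding chmod fixes. The tree layout is a fixture and the "tomcat6" group is only mentioned in comments; the chgrp to the real group is left to the administrator because the group need not exist where this runs.

```shell
#!/bin/sh
# Added example, not from the thread: audit and harden an exploded webapp
# directory so that owner and group may write, others may not, and new
# entries inherit the directory's group. Fixture layout is constructed.

# make_fixture: build a small webapp tree in a temp dir and print its path.
# One file is deliberately left world-writable so the audit has a finding.
make_fixture() {
    base=$(mktemp -d)
    mkdir -p "$base/WEB-INF/classes"
    : > "$base/index.jsp"
    : > "$base/WEB-INF/web.xml"
    : > "$base/WEB-INF/classes/app.properties"
    find "$base" -type d -exec chmod 755 {} +   # rwxr-xr-x, no setgid yet
    find "$base" -type f -exec chmod 644 {} +   # rw-r--r--
    chmod o+w "$base/index.jsp"                 # the deliberate mistake
    printf '%s\n' "$base"
}

# count_world_writable DIR: number of entries writable by "others".
# A correctly deployed webapp should report 0 here.
count_world_writable() {
    find "$1" -perm -002 -print | wc -l | tr -d ' '
}

# count_dirs_without_setgid DIR: directories lacking the setgid bit (2000).
# Without it, files created by the "simple" user get that user's primary
# group instead of tomcat6, so other group members (and Tomcat) lose write.
count_dirs_without_setgid() {
    find "$1" -type d ! -perm -2000 -print | wc -l | tr -d ' '
}

# harden_webapp DIR: remove write for others, grant it to the group, and set
# setgid on every directory so the group propagates to new entries. On the
# real server also run "chgrp -R tomcat6 DIR" (omitted: group assumed absent here).
harden_webapp() {
    chmod -R o-w,g+w "$1"
    find "$1" -type d -exec chmod g+s {} +
}

# Stand-alone run: show the counts before and after hardening.
app=$(make_fixture)
echo "before: world-writable=$(count_world_writable "$app")" \
     "dirs-without-setgid=$(count_dirs_without_setgid "$app")"
harden_webapp "$app"
echo "after:  world-writable=$(count_world_writable "$app")" \
     "dirs-without-setgid=$(count_dirs_without_setgid "$app")"
rm -rf "$app"
```

The two counting functions are the checks worth keeping as a cron job or deployment step on the Linux side: a non-zero "world-writable" count means someone other than the owner and the tomcat6 group can alter code Tomcat will execute, and a non-zero "dirs-without-setgid" count means group-based write access will silently stop working for files the "simple" user creates.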
