No they are not user provided files. There is an application running in tomcat 
that does some batch processing and it generates files to be published to other 
systems. However we are migrating from WebSphere to Tomcat and they need to see 
the files for now to make sure the content of the file is correct.



Shawn Beard
Sr. Systems Engineer | BTS
Middleware Engineering | +1-515-564-2528 | sbe...@wrberkley.com

-----Original Message-----
From: Mark Eggers <its_toas...@yahoo.com.INVALID>
Sent: Monday, October 12, 2020 3:35 PM
To: users@tomcat.apache.org
Subject: Re: Tomcat SecurityListener [EXTERNAL]

Shawn,

On 10/12/2020 12:59 PM, Beard, Shawn wrote:
> Tomcat 9.0.31.0 loads a org.apache.catalina.security.SecurityListener by
> default in the catalina.sh file.
>
> This SecurityListener also sets the UMASK of files to 0027. This has
> the effect of any file tomcat creates or the app running in tomcat
> creates with permissions of -rw-r-----
>
> This is causing a problem for us as it prevents certain people from being
> able to read log files or read any file the application might create. Putting
> these users in the group of the user that tomcat runs as is not an option.
>
> I've tried changing the catalina.sh to set the UMASK to something like 0022
> but that prevents tomcat from starting with an error that it has to be at
> least as restrictive as 0027.
>
> I've also tried setting the UMASK to 0022 in the setenv.sh with same results.
>
> I'm hesitant to comment out the loading of the security listener in
> catalina.sh as I don't want to disable anything else important that it may be
> doing from a security standpoint.
>
> Does anyone have any ideas as to a workaround?
>
> Shawn Beard - Sr. Systems Engineer
> Middleware Engineering
> 3840 109th Street, Urbandale, IA 50322
> Phone: +1-515-564-2528
> Email: sbe...@wrberkley.com
> Website: https://berkleytechnologyservices.com/
>

I don't know what your security or audit requirements are. These are some 
options off the top of my head.

1. Service account for the user that runs Tomcat
You don't run Tomcat as root, correct?

You could then have a list of authorized sudoers, use two factor authentication 
(maybe for both the users and the service account), and audit both the service 
account and the sudoers accounts.

Prevent the service account from being accessed directly.

2. Remote logging
This would take care of needing to access log files on the server, but it would 
not allow anyone to audit application-created files.

Speaking of application-created files, I hope that these are not user-provided 
files that are then directly accessible. Without careful auditing, that can 
lead to some pretty serious security breaches.

. . . just my two cents.
/mde/
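As an added illustration (not code from this thread and not Tomcat's own code): a small Python script that reproduces the umask arithmetic behind Shawn's observation (a 0027 umask turns the usual 0666 file create into -rw-r-----), the "at least as restrictive" comparison the SecurityListener is described as making (assumed here to be the bitwise rule that a candidate umask passes only if it clears every bit the minimum clears, which is why 0022 is rejected against 0027), and a walk over an output directory that flags anything readable by "other". That last check is what to run after any workaround, whether Mark's options or a group or ACL change on the publish directory, to confirm the batch output did not become world-readable. The minimum value 0027 comes from the thread; the file names and directory are constructed for the example.

```python
"""Umask arithmetic and a world-readable audit for Tomcat-created files.

Added example for the SecurityListener thread; not Tomcat project code.
The "at least as restrictive" comparison is assumed to be a bitwise check:
every permission bit the minimum umask clears must also be cleared by the
candidate umask.
"""
import os
import stat
import tempfile

# Mode an ordinary open(2)/creat call requests before the umask is applied.
DEFAULT_CREATE_MODE = 0o666

# The value catalina.sh applies according to the thread.
TOMCAT_DEFAULT_UMASK = 0o027


def mode_after_umask(requested: int, umask: int) -> int:
    """Permission bits the kernel actually sets: requested & ~umask."""
    return requested & ~umask & 0o777


def umask_is_at_least_as_restrictive(umask: int, minimum: int) -> bool:
    """True when `umask` clears every bit that `minimum` clears.

    0022 leaves 'other' readable while 0027 does not, so 0022 fails; 0077 or
    0027 itself passes.  (Assumed rule, matching the behaviour in the thread.)
    """
    return (umask & minimum) == minimum


def format_mode(mode: int) -> str:
    """Render permission bits the way `ls -l` does, e.g. -rw-r-----."""
    return stat.filemode(stat.S_IFREG | stat.S_IMODE(mode))


def create_with_umask(directory: str, name: str, umask: int) -> int:
    """Create an empty file under the given umask and return its mode bits.

    The umask is process-wide, so the previous value is restored afterwards.
    """
    path = os.path.join(directory, name)
    previous = os.umask(umask)
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, DEFAULT_CREATE_MODE)
        os.close(fd)
    finally:
        os.umask(previous)
    return stat.S_IMODE(os.stat(path).st_mode)


def audit_other_readable(directory: str) -> list:
    """Return relative paths of regular files under `directory` readable by 'other'.

    This is the check to run after loosening anything: the goal in the thread is
    to let reviewers read batch output without exposing it to every local user.
    """
    exposed = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IROTH:
                exposed.append(os.path.relpath(path, directory))
    return sorted(exposed)


def demo(directory: str) -> dict:
    """Create one file under the Tomcat default umask and one under 0022."""
    return {
        "strict": create_with_umask(directory, "batch-output.txt", TOMCAT_DEFAULT_UMASK),
        "loose": create_with_umask(directory, "loose.txt", 0o022),
        "other_readable": audit_other_readable(directory),
    }


if __name__ == "__main__":
    print(format_mode(mode_after_umask(DEFAULT_CREATE_MODE, TOMCAT_DEFAULT_UMASK)))
    for candidate in (0o022, 0o027, 0o077):
        ok = umask_is_at_least_as_restrictive(candidate, TOMCAT_DEFAULT_UMASK)
        print(f"umask {candidate:04o}: {'accepted' if ok else 'rejected'}")
    with tempfile.TemporaryDirectory() as tmp:
        result = demo(tmp)
        print(format_mode(result["strict"]), format_mode(result["loose"]))
        print("readable by other:", result["other_readable"])
```

The listener's minimum is configurable through the `minimumUmask` attribute on its `<Listener>` element in server.xml; the script takes the minimum as a parameter so the same check can be run against whatever value is configured there.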