jwklomp <janwillem.kl...@gmail.com> wrote:

> Hello,
>
> I'm migrating existing applications to Tomcat and setting Tomcat up as described in the 'Security Configuration Benchmark for Apache Tomcat 5.5/6.0' of the Center of Internet Security.
>
> The benchmark recommends enabling the Security Manager. However, I'm experiencing that none of the apps run 'out of the box' with the Security Manager enabled. I'm contemplating not activating it, but find it hard to estimate the risk.
>
> Our Security department is worried that without the Security Manager enabled, hackers can gain access to restricted packages, take control over Tomcat and 'hop' to other applications and machines (so basically this would imply activating the Security Manager for all applications).
>
> My question is: how secure is Tomcat without the Security Manager enabled (assuming other points from the CIS benchmark have been implemented)? Is the Security Manager the guard against 'hopping' to other applications, or does Tomcat without the Security Manager already prevent this?
>
> Regards, Jan-Willem
> --
> View this message in context: http://old.nabble.com/Tomcat-6%3A-what-are-the-risks-of-not-using-Security-Manager-tp32973301p32973301.html
> Sent from the Tomcat - User mailing list archive at Nabble.com.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
It may have improved, but the last time I looked at the CIS recommendations my immediate impression was that it was written by folks with zero to little understanding of Tomcat.

Without the security manager, if an application has a serious security vulnerability then an attacker can potentially do anything the user running the Tomcat process can do. This is why you should never run Tomcat as root.

With the security manager, the web application runs in a sandbox that further limits what it can do. The problem with the security manager is that if an app is not written to run under a security manager - so it uses doPrivileged() - then you often end up having to grant so many permissions that there is no point using the security manager. The other risk is that you miss a necessary permission and break the app.

My own view is that unless the app has been written to use a security manager from the beginning, the availability risk using one creates is greater than any confidentiality risk that using one mitigates. However, each situation is different. YMMV.

Mark
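To make Mark's "so many permissions that there is no point" concrete, here is an added catalina.policy fragment (not from the thread or from the Tomcat project) contrasting a grant that quietly disables the sandbox with one scoped to what a single app actually needs. The application name `myapp`, the library jar name and the database host are assumed placeholders.

```java
// Added example: two ways to grant a web application permissions under the
// Tomcat security manager (catalina.policy syntax). Names are assumed.

// 1. The "just make it work" grant. AllPermission to the whole webapp codebase
//    is equivalent to running without a security manager for that app: a
//    compromised app can read any file, open any socket and spawn processes
//    as the Tomcat user, exactly the hop-to-other-apps scenario in the question.
grant codeBase "file:${catalina.base}/webapps/myapp/-" {
    permission java.security.AllPermission;
};

// 2. A scoped grant for the same app. Each line names one thing the app is
//    known to need; anything not listed (other webapps' directories, arbitrary
//    hosts, Runtime.exec) is denied and surfaces as an AccessControlException,
//    which is the availability risk Mark describes if a permission is missed.
grant codeBase "file:${catalina.base}/webapps/myapp/-" {
    // Read its own deployment directory only, not ${catalina.base}/webapps/-
    permission java.io.FilePermission
        "${catalina.base}${file.separator}webapps${file.separator}myapp${file.separator}-", "read";
    // Write only to its own work directory
    permission java.io.FilePermission
        "${catalina.base}${file.separator}work${file.separator}Catalina${file.separator}localhost${file.separator}myapp${file.separator}-", "read,write,delete";
    // Outbound connection to the one backend it talks to (assumed host:port)
    permission java.net.SocketPermission "db.example.internal:5432", "connect,resolve";
    // Typical property reads that frameworks perform at startup
    permission java.util.PropertyPermission "java.io.tmpdir", "read";
    permission java.util.PropertyPermission "file.encoding", "read";
};

// 3. A library written for the sandbox wraps its privileged work in
//    AccessController.doPrivileged(), so only that jar needs the extra
//    permission; the rest of the app stays under grant 2. (Assumed jar name.)
grant codeBase "file:${catalina.base}/webapps/myapp/WEB-INF/lib/cachinglib.jar" {
    permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
};
```

Run with `-Djava.security.debug=access,failure` while exercising the app to list every denied permission before deciding whether the scoped grant is maintainable.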