Author: markt Date: Sat Nov 7 20:43:11 2015 New Revision: 1713174 URL: http://svn.apache.org/viewvc?rev=1713174&view=rev Log: Tighten up the default file permissions for the .tar.gz distro and on Unix like operating systems.
Modified: tomcat/trunk/bin/catalina.sh tomcat/trunk/build.xml tomcat/trunk/webapps/docs/changelog.xml tomcat/trunk/webapps/docs/security-howto.xml Modified: tomcat/trunk/bin/catalina.sh URL: http://svn.apache.org/viewvc/tomcat/trunk/bin/catalina.sh?rev=1713174&r1=1713173&r2=1713174&view=diff ============================================================================== --- tomcat/trunk/bin/catalina.sh (original) +++ tomcat/trunk/bin/catalina.sh Sat Nov 7 20:43:11 2015 @@ -87,6 +87,8 @@ # LOGGING_MANAGER (Optional) Override Tomcat's logging manager # Example (all one line) # LOGGING_MANAGER="-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager" +# +# UMASK (Optional) Override Tomcat's default UMASK of 0027 # ----------------------------------------------------------------------------- # OS specific support. $var _must_ be set to either true or false. @@ -236,6 +238,12 @@ if [ -z "$LOGGING_MANAGER" ]; then LOGGING_MANAGER="-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager" fi +# Set UMASK unless it has been overridden +if [ -z "$UMASK" ]; then + UMASK="0027" +fi +umask $UMASK + # Uncomment the following line to make the umask available when using the # org.apache.catalina.security.SecurityListener #JAVA_OPTS="$JAVA_OPTS -Dorg.apache.catalina.security.SecurityListener.UMASK=`umask`" Modified: tomcat/trunk/build.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/build.xml?rev=1713174&r1=1713173&r2=1713174&view=diff ============================================================================== --- tomcat/trunk/build.xml (original) +++ tomcat/trunk/build.xml Sat Nov 7 20:43:11 2015 
@@ -2508,26 +2508,10 @@ skip.installer property in build.propert <tar longfile="gnu" compression="gzip" tarfile="${tomcat.release}/v${version}/bin/${final.name}.tar.gz"> - <tarfileset dir="${tomcat.dist}" mode="755" prefix="${final.name}"> - <include name="bin/catalina.sh" /> - <include name="bin/configtest.sh" /> - <include name="bin/daemon.sh" /> - <include name="bin/digest.sh" /> - <include name="bin/jasper.sh" /> - <include name="bin/jspc.sh" /> - <include name="bin/setclasspath.sh" /> - <include name="bin/startup.sh" /> - <include name="bin/shutdown.sh" /> - <include name="bin/tool-wrapper.sh" /> - <include name="bin/tool-wrapper-using-launcher.sh" /> - <include name="bin/shutdown-using-launcher.sh" /> - <include name="bin/startup-using-launcher.sh" /> - <include name="bin/version.sh" /> - </tarfileset> - <tarfileset dir="${tomcat.dist}" mode="600" prefix="${final.name}"> + <tarfileset dir="${tomcat.dist}" dirmode="700" filemode="600" prefix="${final.name}"> <include name="conf/**" /> </tarfileset> - <tarfileset dir="${tomcat.dist}" prefix="${final.name}"> + <tarfileset dir="${tomcat.dist}" dirmode="750" filemode="640" prefix="${final.name}"> <include name="bin/**" /> <include name="lib/**" /> <include name="logs/**" /> 
@@ -2562,6 +2546,24 @@ skip.installer property in build.propert <exclude name="bin/*.exe"/> <exclude name="bin/*.dll"/> </tarfileset> + <!-- These need to be added after the bin directory is added else the --> + <!-- bin diretcory will pick up the wrong permissions. --> + <tarfileset dir="${tomcat.dist}" dirmode="750" filemode="750" prefix="${final.name}"> + <include name="bin/catalina.sh" /> + <include name="bin/configtest.sh" /> + <include name="bin/daemon.sh" /> + <include name="bin/digest.sh" /> + <include name="bin/jasper.sh" /> + <include name="bin/jspc.sh" /> + <include name="bin/setclasspath.sh" /> + <include name="bin/startup.sh" /> + <include name="bin/shutdown.sh" /> + <include name="bin/tool-wrapper.sh" /> + <include name="bin/tool-wrapper-using-launcher.sh" /> + <include name="bin/shutdown-using-launcher.sh" /> + <include name="bin/startup-using-launcher.sh" /> + <include name="bin/version.sh" /> + </tarfileset> </tar> <hashAndSign file="${tomcat.release}/v${version}/bin/${final.name}.tar.gz" /> Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1713174&r1=1713173&r2=1713174&view=diff ============================================================================== --- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Sat Nov 7 20:43:11 2015 
@@ -58,6 +58,13 @@ <update> Remove support for Comet. (markt) </update> + <update> + Tighten up the default file permissions for the <code>.tar.gz</code> + distribution so no files or directories are world readable by default. + Configure Tomcat to run with a default umask of <code>0027</code> which + may be overridden by setting <code>UMASK</code> in + <code>setenv.sh</code>. (markt) + </update> </changelog> </subsection> <subsection name="Catalina"> Modified: tomcat/trunk/webapps/docs/security-howto.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/security-howto.xml?rev=1713174&r1=1713173&r2=1713174&view=diff ============================================================================== --- tomcat/trunk/webapps/docs/security-howto.xml (original) +++ tomcat/trunk/webapps/docs/security-howto.xml Sat Nov 7 20:43:11 2015 
@@ -55,17 +55,22 @@ the Tomcat process and provide that user with the minimum necessary permissions for the operating system. For example, it should not be possible to log on remotely using the Tomcat user.</p> - <p>File permissions should also be suitably restricted. Taking the Tomcat - instances at the ASF as an example (where auto-deployment is disabled and - web applications are deployed as exploded directories), the standard - configuration is to have all Tomcat files owned by root with group Tomcat - and whilst owner has read/write privileges, group only has read and world - has no permissions. The exceptions are the logs, temp and work directory - that are owned by the Tomcat user rather than root. This means that even if - an attacker compromises the Tomcat process, they can't change the - Tomcat configuration, deploy new web applications or modify existing web - applications. The Tomcat process runs with a umask of 007 to maintain these - permissions.</p> + <p>File permissions should also be suitably restricted. In the + <code>.tar.gz</code> distribution, files and directories are not world + readable and the group does not have write access. On Unix like operating + systems, Tomcat runs with a default umask of <code>0027</code> to maintain + these permissions for files created while Tomcat is running (e.g. log files, + expanded WARs, etc.).</p> + <p>Taking the Tomcat instances at the ASF as an example (where + auto-deployment is disabled and web applications are deployed as exploded + directories), the standard configuration is to have all Tomcat files owned + by root with group Tomcat and whilst owner has read/write privileges, group + only has read and world has no permissions. The exceptions are the logs, + temp and work directory that are owned by the Tomcat user rather than root. 
+ This means that even if an attacker compromises the Tomcat process, they + can't change the Tomcat configuration, deploy new web applications or + modify existing web applications. The Tomcat process runs with a umask of + 007 to maintain these permissions.</p> <p>At the network level, consider using a firewall to limit both incoming and outgoing connections to only those connections you expect to be present.</p> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
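Review bot: in the catalina.sh hunk at @@ -236,6 +238,12 @@, `umask $UMASK` runs unchecked. If setenv.sh exports a value that is not a valid mode (a typo such as `UMASK=027g`), the shell builtin prints an error but the script carries on without `set -e`, so the JVM starts with whatever umask it inherited and the restriction this commit introduces is silently lost. Suggest failing fast, for example `umask "$UMASK" || { echo "Invalid UMASK: $UMASK" >&2; exit 1; }`, so a bad override is noticed at startup rather than discovered later from group- or world-readable log files. The existing comment just below about passing the umask to SecurityListener could also mention the new `UMASK` variable, since that is now where the value comes from.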
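Review bot: in the build.xml hunk at @@ -2508,26 +2508,10 @@, the `bin/**` tarfileset (now `dirmode="750" filemode="640"`) still matches the fourteen `bin/*.sh` scripts that are added again with mode 750 in the later hunk, so each script is written to the archive twice. Extraction takes the later entry and the scripts end up 750 as intended, but the duplicate entries enlarge the archive and make the permission rules harder to audit. Suggest adding `<exclude name="bin/*.sh"/>` alongside the existing `<exclude name="bin/*.exe"/>` and `<exclude name="bin/*.dll"/>` so every path appears exactly once, with the `bin` directory entry still coming from this set.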
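Review bot: in the build.xml hunk at @@ -2562,6 +2546,24 @@, the new comment has a typo: `bin diretcory` should read `bin directory`. It would also help to state the ordering constraint the comment alludes to more precisely, that is, a tarfileset touching `bin/` after this one would rewrite the directory entry's mode, which is why this block repeats `dirmode="750"` rather than leaving it unset. A short note that `filemode="750"` (rather than the former 755) intentionally drops world read and execute from the scripts would tie the change to the changelog wording about nothing being world readable.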
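Review bot: in the changelog.xml hunk at @@ -58,6 +58,13 @@, the entry does not say that the 0027 umask applies only where catalina.sh is used; the umask is set in catalina.sh and the permission change is in the .tar.gz build, so Windows installs are unaffected. Suggest "On Unix like operating systems, configure Tomcat to run with a default umask of <code>0027</code> ..." to match the commit log and the wording added to security-howto.xml in the same commit.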
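Review bot: in the security-howto.xml hunk at @@ -55,17 +55,22 @@, the new first paragraph states a default umask of 0027 while the retained ASF example in the second paragraph still ends with "The Tomcat process runs with a umask of 007", and a reader cannot tell whether 007 is a leftover or a deliberate override. Suggest connecting the two, for example "The Tomcat process runs with a umask of 007 (set via UMASK in setenv.sh) to maintain these permissions.", and saying in the first paragraph that the default is applied by catalina.sh so that sites using their own init scripts know where to reproduce it. Minor: "Unix like" should be hyphenated as "Unix-like".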