Thu, 6 Jun 2024 at 17:46, Christopher Schultz <ch...@christopherschultz.net>:
>
> All,
>
> I'd like to remove the <!-- and --> around the SecureLifecycleListener
> in conf/server.xml that we bundle with Tomcat distributions.
>
> Before I do so, are there any objections to making this change?

Its name is "SecurityListener",
org.apache.catalina.security.SecurityListener

https://tomcat.apache.org/tomcat-11.0-doc/config/listeners.html#Security_Lifecycle_Listener_-_org.apache.catalina.security.SecurityListener

Looking at its checks:

- "checkedOsUsers":
It checks the value of System.getProperty("user.name");

1. On Windows it is useless.
2. It is possible to run as root to be able to bind to port 80. It is
usually done with jsvc (Apache Commons Daemon) and its capability to
drop privileges.

https://commons.apache.org/proper/commons-daemon/jsvc.html#Downgrading_user
https://cwiki.apache.org/confluence/display/TOMCAT/HowTo#HowTo-HowtorunTomcatwithoutrootprivileges?

I wonder what the actual value of "user.name" will be in case of "2.".
The check is performed at the "before init" event, thus earlier than jsvc
drops privileges.

- "minimumUmask"
It checks the value of System.getProperty(UMASK_PROPERTY_NAME);
UMASK_PROPERTY_NAME = Constants.PACKAGE + ".SecurityListener.UMASK";

1. On Windows it is useless.
2. The property is set by a startup script. If it is started in a
different way (jsvc / daemon.sh, or directly as a Java application -
as done by Eclipse IDE, as an embedded Tomcat), I expect it to break.

- "buildDateWarningAgeDays"

1. It is disabled by default.
2. It is checked at start time, but actual servers may run years
without a reboot.
3. I wonder how it behaves if Tomcat is embedded in some IoT device.

Thus I wonder whether it is worth enabling it.

(But if we want to get real feedback, enabling it now for Tomcat 11 is
a good starting point.)

Best regards,
Konstantin Kolinko

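An added illustration of the "minimumUmask" point above (example code written for this page, not code from the thread or from Tomcat): when Tomcat is launched by jsvc, daemon.sh or an embedded main instead of catalina.sh, nothing sets the UMASK system property, so the helpers below export the process umask as that property and apply the bit-mask comparison that, to my understanding, the listener uses against minimumUmask (Tomcat's documented default of 0007 is assumed).

```shell
#!/bin/sh
# Added example, not Tomcat's own code. Emulates the two pieces of the
# umask check that go missing when Tomcat is not started via catalina.sh:
# exposing the process umask as the SecurityListener UMASK property, and
# comparing it against minimumUmask. The bit-mask comparison is my reading
# of the listener's behaviour, not code copied from Tomcat.

UMASK_PROPERTY_NAME="org.apache.catalina.security.SecurityListener.UMASK"

# Print the current shell's umask as exactly four octal digits. bash, dash
# and ash print `umask` differently; printf's octal parsing normalises it.
current_umask() {
    printf '%04o' "0$(umask)"
}

# Build the -D flag a non-script launcher (jsvc, an IDE run configuration,
# an embedded main) has to pass so the listener can see the umask at all.
umask_jvm_flag() {
    printf -- '-D%s=%s' "$UMASK_PROPERTY_NAME" "$(current_umask)"
}

# Return 0 if every bit set in MINIMUM is also set in ACTUAL (only then is
# the listener satisfied), 1 otherwise. Both arguments are octal strings.
# Usage: umask_meets_minimum ACTUAL MINIMUM   e.g. umask_meets_minimum 0027 0007
umask_meets_minimum() {
    actual=$(printf '%d' "0$1")
    minimum=$(printf '%d' "0$2")
    [ $(( actual & minimum )) -eq "$minimum" ]
}

# Report what the listener would see for this shell and whether the
# assumed default minimumUmask of 0007 would pass.
report_umask() {
    u=$(current_umask)
    if umask_meets_minimum "$u" 0007; then
        printf 'umask %s passes minimumUmask 0007; launch with: %s\n' "$u" "$(umask_jvm_flag)"
    else
        printf 'umask %s would FAIL minimumUmask 0007 (group/other bits not masked)\n' "$u"
    fi
}
```

Run report_umask from the same environment the daemon or IDE uses, since the umask inherited there is the one the listener will (or will not) see.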
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
