Tomcat SecurityListener


Tomcat SecurityListener

Beard, Shawn M.

Tomcat 9.0.31.0 loads a org.apache.catalina.security.SecurityListener by default in the catalina.sh file.

This SecurityListener also sets the UMASK of files to 0027. This has the effect that any file Tomcat creates, or that the app running in Tomcat creates, has permissions of -rw-r-----.

This is causing a problem for us as it prevents certain people from being able to read log files or read any file the application might create. Putting these users in the group of the user that Tomcat runs as is not an option.

I've tried changing the catalina.sh to set the UMASK to something like 0022, but that prevents Tomcat from starting with an error that it has to be at least as restrictive as 0027.

I've also tried setting the UMASK to 0022 in the setenv.sh with the same results.

I'm hesitant to comment out the loading of the security listener in catalina.sh as I don't want to disable anything else important that it may be doing from a security standpoint.

Does anyone have any ideas as to a workaround?

Shawn Beard - Sr. Systems Engineer
Middleware Engineering
3840 109th Street Urbandale IA 50322
Phone: +1-515-564-2528
Email: [hidden email]
Website: https://berkleytechnologyservices.com/
Technology Leadership Unleashing Business Potential

CONFIDENTIALITY NOTICE: This e-mail and the transmitted documents contain private, privileged and confidential information belonging to the sender. The information therein is solely for the use of the addressee. If your receipt of this transmission has occurred as the result of an error, please immediately notify us so we can arrange for the return of the documents. In such circumstances, you are advised that you may not disclose, copy, distribute or take any other action in reliance on the information transmitted.


Re: Tomcat SecurityListener

Mark Eggers
Shawn,

On 10/12/2020 12:59 PM, Beard, Shawn wrote:

> Tomcat 9.0.31.0 loads a org.apache.catalina.security.SecurityListener by default in the catalina.sh file.
>
> This SecurityListener also sets the UMASK of files to 0027. This has the effect of any file tomcat creates or the app running in tomcat creates with permissions or -rw-r-----
>
> This is causing a problem for us as it prevents certain people from being able to read log files or read any file the application might create. Putting these users in the group of the user that tomcat runs as is not an option.
>
> I’ve tried changing the catalina.sh to set the UMASK to something like 0022 but that prevents tomcat from starting with an error that it has to me at least as restrictive as 0027.
>
> I’ve also tried setting the UMASK to 0022 in the setenv.sh with same results.
>
> I’m hesitant to comment out the loading of the security listener in catalina.sh as I don’t want to disable anything else important that it may be doing from a security standpoint.
>
> Does anyone have any ideas as to a workaround?
>
I don't know what your security or audit requirements are. These are
some options off the top of my head.

1. Service account for the user that runs Tomcat
You don't run Tomcat as root, correct?

You could then have a list of authorized sudoers, use two factor
authentication (maybe for both the users and the service account), and
audit both the service account and the sudoers accounts.

Prevent the service account from being accessed directly.

2. Remote logging
This would take care of needing to access log files on the server, but
it would not allow anyone to audit application-created files.

Speaking of application-created files, I hope that these are not
user-provided files that are then directly accessible. Without careful
auditing, that can lead to some pretty serious security breaches.

. . . just my two cents.
/mde/


RE: Tomcat SecurityListener [EXTERNAL]

Beard, Shawn M.
No, they are not user-provided files. There is an application running in Tomcat that does some batch processing and it generates files to be published to other systems. However, we are migrating from WebSphere to Tomcat and they need to see the files for now to make sure the content of the file is correct.

Shawn Beard - Sr. Systems Engineer | BTS
Middleware Engineering | +1-515-564-2528 | [hidden email]

-----Original Message-----
From: Mark Eggers <[hidden email]>
Sent: Monday, October 12, 2020 3:35 PM
To: [hidden email]
Subject: Re: Tomcat SecurityListener [EXTERNAL]

Re: Tomcat SecurityListener

Christopher Schultz-2
In reply to this post by Beard, Shawn M.
Shawn,

On 10/12/20 15:59, Beard, Shawn wrote:
> Tomcat 9.0.31.0 loads a org.apache.catalina.security.SecurityListener by
> default in the catalina.sh file.

This comes from server.xml, and it's not "on" by default.

> This SecurityListener also sets the UMASK of files to 0027. This has the
> effect of any file tomcat creates or the app running in tomcat creates
> with permissions or -rw-r-----

This is untrue: SecurityListener does not set any umask (nor can it). It
simply checks the effective umask (as passed into the JVM as a system
property) against a configured minimum.

> This is causing a problem for us as it prevents certain people from
> being able to read log files or read any file the application might
> create. Putting these users in the group of the user that tomcat runs as
> is not an option.

:(

> I’ve tried changing the catalina.sh to set the UMASK to something like
> 0022 but that prevents tomcat from starting with an error that it has to
> me at least as restrictive as 0027.

Do not change catalina.sh. Instead, use $CATALINA_BASE/setenv.sh to set
the UMASK environment variable (which should work).

> I’ve also tried setting the UMASK to 0022 in the setenv.sh with same
> results.

Good. Well, not good. But I mean, good that you are using setenv.sh.

> I’m hesitant to comment out the loading of the security listener in
> catalina.sh as I don’t want to disable anything else important that it
> may be doing from a security standpoint.

It's verifying the minimum umask and that you aren't running as any of
the configured OS usernames (default: "root").

I suspect if you disable the SecurityListener you will find that nothing
changes: your umask will still be ignored for some reason.

> Does anyone have any ideas as to a workaround?

How are you launching Tomcat?

-chris
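The umask arithmetic behind the first post's "has to be at least as restrictive" error and Chris's description of what the listener actually does (check, not set), as an added example that is not Tomcat's own code. The listener is enabled by a `<Listener className="org.apache.catalina.security.SecurityListener" ... />` line in server.xml, whose `minimumUmask` attribute defaults to 0007 and whose `checkedOsUsers` attribute defaults to root; catalina.sh applies the `UMASK` environment variable (default 0027, settable from setenv.sh) with `umask` and hands the same value to the JVM as a system property for the listener to inspect. The function names, the bitwise form of the comparison, and the sample values walked through below are this example's own assumptions, chosen to mirror the documented behaviour:

```shell
#!/bin/sh
# Added example (not Tomcat's code): the umask arithmetic behind the
# SecurityListener check discussed in the thread. Assumed here: the listener
# rejects an effective umask that leaves set any permission bit its
# minimumUmask (default 0007) would clear. Function names are ours.

# Parse an octal string such as "0027" into a decimal integer.
oct2dec() {
    # A leading 0 makes printf parse the argument as octal.
    printf '%d' "0$1"
}

# Mode a newly created regular file gets under a given umask: 0666 & ~umask.
file_mode_for_umask() {
    u=$(oct2dec "$1")
    printf '%04o' $(( 438 & ~u ))      # 438 decimal == 0666 octal
}

# Mode a newly created directory gets under a given umask: 0777 & ~umask.
dir_mode_for_umask() {
    u=$(oct2dec "$1")
    printf '%04o' $(( 511 & ~u ))      # 511 decimal == 0777 octal
}

# SecurityListener-style test: every permission bit the minimum umask clears
# must also be cleared by the effective umask. Exit status 0 means "at least
# as restrictive as the minimum", so Tomcat would be allowed to start.
umask_meets_minimum() {
    effective=$(oct2dec "$1")
    minimum=$(oct2dec "$2")
    [ $(( ~effective & minimum )) -eq 0 ]
}

# Human-readable verdict for one candidate umask against one minimum.
check_umask() {
    if umask_meets_minimum "$1" "$2"; then
        printf 'umask %s: OK (new files %s, new dirs %s)\n' "$1" \
            "$(file_mode_for_umask "$1")" "$(dir_mode_for_umask "$1")"
    else
        printf 'umask %s: REJECTED, less restrictive than minimumUmask %s\n' \
            "$1" "$2"
    fi
}

# Walk the values from the thread against Tomcat's default minimum of 0007.
for candidate in 0027 0022 0007 0077; do
    check_umask "$candidate" 0007
done
```

With the default `minimumUmask` of 0007, 0027 passes (files land as 0640, which is the -rw-r----- from the first post) while 0022 is rejected because it leaves the world-read bit set that the minimum requires cleared. Lowering `UMASK` in setenv.sh therefore only works if `minimumUmask` on the listener is relaxed to match (0022 or looser), and that is exactly the world-readable-files trade-off the check exists to flag; the other options in the thread (group membership, remote logging, sudo access to a service account) avoid loosening it.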
