Date: Thu, 14 Jul 2005 07:14:20 GMT
From: jan grant <jan.grant@bristol.ac.uk>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/83434: tomcat ports give the wrong ownership to their installed executables
Message-ID: <200507140714.j6E7EKPS079305@www.freebsd.org>
Resent-Message-ID: <200507140720.j6E7KGIm050124@freefall.freebsd.org>
>Number:         83434
>Category:       ports
>Synopsis:       tomcat ports give the wrong ownership to their installed executables
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jul 14 07:20:16 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     jan grant
>Release:        5-STABLE
>Organization:
University of Bristol
>Environment:
FreeBSD tribble.ilrt.bris.ac.uk 5.4-STABLE FreeBSD 5.4-STABLE #0: Thu Jun 16 13:59:43 BST 2005 cmjg@tribble.ilrt.bris.ac.uk:/external/usr.obj/usr/src/sys/JAN i386 (essentially GENERIC)
>Description:
The tomcat processes, as installed, run as the user/group www:www. This is fine.

However, looking at the ports (all of the tomcat ports, and this problem extends to other java ports too), the install scripts are overly generous in giving away installed files to www:www. This is problematic because it means that the process (in the absence of a properly-configured policy file - note that the jboss ports install a policy file, but it permits "anything") can write to its own executables, including the "tomcat50ctl" file. Thus, malicious webapps can "leak" out and corrupt their container. It's not really an example of "defense in depth".

Additionally, you're at risk from any other process running under www:www - for example, a CGI script.
>How-To-Repeat:
Install any jakarta-tomcat or jboss (or possibly other; that's as far as I've checked) port.
>Fix:
The first permission problem is pretty straightforward, and can be fixed by only giving the tomcat user (www:www) ownership of the webapps, work, temp and logs subdirectories - everything else can be owned by root.

When it comes to it, a slightly smarter tomcat*ctl program can be made suid root rather than sugid www:www; capturing the tomcat process PID isn't overly difficult.

Fixing the "executable" parts of the tomcat and jboss installations to be immutable to non-root users would be a great start, however.
>Release-Note:
>Audit-Trail:
>Unformatted:
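The ownership split proposed in the Fix section, written out as a small POSIX sh audit-and-plan script. This is an added example; it is not code from the PR, from the jakarta-tomcat/jboss ports, or from the FreeBSD ports tree. It assumes the subdirectory names webapps, work, temp and logs from the PR, that root's group is "wheel" (FreeBSD), and an illustrative install path in the usage comments; the directory tree in the usage is constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the PR or the FreeBSD ports tree.
# Audits a Tomcat install tree for files the service user could modify
# outside the directories it legitimately writes to, and prints the
# chown/chmod commands that implement the ownership split the PR proposes.
# Assumptions: the subdirectory names below, root's group being "wheel"
# (FreeBSD), and the install path in the usage comments are illustrative.

# Subdirectories the service user (www:www) must be able to write (per the PR).
WRITABLE_DIRS="webapps work temp logs"

# audit_tomcat_tree ROOT SVCUSER
# Prints every path under ROOT, outside WRITABLE_DIRS, that SVCUSER could
# modify: owned by SVCUSER, or group- or world-writable.  Empty output means
# the install passes; anything listed (bin/tomcat50ctl, conf/, lib/ ...) is
# a file a compromised webapp or any other www:www process could rewrite.
audit_tomcat_tree() {
    root=${1%/}
    svcuser=$2
    set --    # reuse the positional parameters to build find's prune list
    for d in $WRITABLE_DIRS; do
        set -- "$@" -path "$root/$d" -prune -o
    done
    find "$root" "$@" \
        \( -user "$svcuser" -o -perm -020 -o -perm -002 \) -print
}

# plan_tomcat_perms ROOT SVCUSER SVCGROUP
# Emits, one per line, the commands that make the whole tree root-owned and
# not writable by group or others, then hand only WRITABLE_DIRS back to the
# service user.  Pipe the output to sh (as root) to apply it.
plan_tomcat_perms() {
    root=${1%/}
    svcuser=$2
    svcgroup=$3
    printf "chown -R root:wheel '%s'\n" "$root"
    printf "chmod -R go-w '%s'\n" "$root"
    for d in $WRITABLE_DIRS; do
        printf "chown -R '%s:%s' '%s/%s'\n" "$svcuser" "$svcgroup" "$root" "$d"
    done
}

# Usage on a real install (run as root; the path is illustrative):
#   audit_tomcat_tree /usr/local/jakarta-tomcat5.0 www
#   plan_tomcat_perms /usr/local/jakarta-tomcat5.0 www www | sh
```

The audit deliberately flags group- and world-writable files as well as www-owned ones, because the PR's second concern (any other process running as www:www, such as a CGI script) applies to anything the service user can write, not only to what it owns. Re-run the audit after applying the plan; it should print nothing.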