Message-Id: <200507140714.j6E7EKPS079305@www.freebsd.org>
Date: Thu, 14 Jul 2005 07:14:20 GMT
From: jan grant
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/83434: tomcat ports give the wrong ownership to their installed executables

>Number: 83434
>Category: ports
>Synopsis: tomcat ports give the wrong ownership to their installed executables
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Jul 14 07:20:16 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: jan grant
>Release: 5-STABLE
>Organization: University of Bristol
>Environment:
FreeBSD tribble.ilrt.bris.ac.uk 5.4-STABLE FreeBSD 5.4-STABLE #0: Thu Jun 16 13:59:43 BST 2005 cmjg@tribble.ilrt.bris.ac.uk:/external/usr.obj/usr/src/sys/JAN i386

(essentially GENERIC)
>Description:
The tomcat processes, as installed, run as the user/group www:www. This is fine.

However, looking at the ports (all of the tomcat ports, and this problem extends to other java ports too), the install scripts are overly generous in giving away installed files to www:www.

This is problematic because it means that the process (and, in the absence of a properly-configured policy file - note jboss ports install a policy file, but it permits "anything") can write to its own executables - including the "tomcat50ctl" file. Thus, malicious webapps can "leak" out and corrupt their container. It's not really an example of "defense in depth".

Additionally, you're at risk from any other process running under www:www - for example, a CGI script.
>How-To-Repeat:
Install any jakarta-tomcat, or jboss (or possibly other, that's as far as I've checked) port.
>Fix:
The first permission problem is pretty straightforward, and can be fixed by only giving the tomcat user (www:www) ownership to the webapps, work, temp and logs subdirectories - everything else can be owned by root.

When it comes to it, a slightly smarter tomcat*ctl program can be made suid root rather than sugid www:www; capturing the tomcat process PID isn't overly difficult.

Fixing the "executable" parts of the tomcat, jboss installations to be immutable to non-root users would be a great start however.
>Release-Note:
>Audit-Trail:
>Unformatted:
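
The ownership split proposed under >Fix: can be checked on an installed tree with a short audit. The following is an added example, not part of the original report or of the ports' install scripts; the function names are hypothetical, and the install root, service user and service group are passed as arguments because the report does not give an install path.

```sh
#!/bin/sh
# Added example (not from the PR): audit a Tomcat install tree against the
# ownership split described in the report. Function names are hypothetical.

# audit_tomcat_ownership ROOT USER GROUP
# Print every path under ROOT that USER owns, or that GROUP can write to,
# outside the four runtime directories the report says the service account
# may own: webapps, work, temp and logs.
# ROOT is used in -path patterns, so it must not contain glob characters.
audit_tomcat_ownership() {
    ato_root=$1
    ato_user=$2
    ato_group=$3
    find "$ato_root" \
        \( -path "$ato_root/webapps" -o -path "$ato_root/work" \
           -o -path "$ato_root/temp" -o -path "$ato_root/logs" \) -prune \
        -o \( -user "$ato_user" \
              -o \( -group "$ato_group" -perm -020 \) \) -print
}

# check_tomcat_install ROOT USER GROUP
# Return 0 when nothing outside the runtime directories is owned or
# group-writable by the service account; otherwise list the findings on
# stdout and return 1, so the check can gate a periodic job.
check_tomcat_install() {
    cti_findings=$(audit_tomcat_ownership "$1" "$2" "$3")
    if [ -z "$cti_findings" ]; then
        return 0
    fi
    printf '%s\n' "$cti_findings"
    return 1
}

# Typical call, with the account from the report and a placeholder path:
#   check_tomcat_install /path/to/tomcat www www
```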