From owner-freebsd-java@FreeBSD.ORG Sat Feb 12 11:31:16 2005 Return-Path: Delivered-To: freebsd-java@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 76F7216A4CE for ; Sat, 12 Feb 2005 11:31:16 +0000 (GMT) Received: from dirg.bris.ac.uk (dirg.bris.ac.uk [137.222.10.102]) by mx1.FreeBSD.org (Postfix) with ESMTP id F386A43D53 for ; Sat, 12 Feb 2005 11:31:15 +0000 (GMT) (envelope-from Jan.Grant@bristol.ac.uk) Received: from mail.ilrt.bris.ac.uk ([137.222.16.62]) by dirg.bris.ac.uk with esmtp (Exim 4.44) id 1CzvUX-0001o5-Po for freebsd-java@freebsd.org; Sat, 12 Feb 2005 11:31:15 +0000 Received: from cmjg (helo=localhost) by mail.ilrt.bris.ac.uk with local-esmtp (Exim 4.44) id 1CzvUX-0006qi-82; Sat, 12 Feb 2005 11:31:13 +0000 Date: Sat, 12 Feb 2005 11:31:13 +0000 (GMT) From: Jan Grant X-X-Sender: cmjg@mail.ilrt.bris.ac.uk To: freebsd-java@freebsd.org Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: Jan Grant X-Spam-Score: -2.8 X-Spam-Level: -- Subject: General security issue with tomcat, jboss (possibly other java ports)? X-BeenThere: freebsd-java@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Porting Java to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 12 Feb 2005 11:31:16 -0000 Just noticed that the ports appear to install every tomcat, jboss4, etc, file under /usr/local with ownership www:www; these include the suid tomcat50ctl and jboss4ctl. Since that's the user that the actual jboss, tomcat etc process are launched as (by default), the www user, that struck me as a little risky. That's ok, though, because each of these come with a security policy: [[ > cat /usr/local/jboss4/server/default/conf/server.policy /// ====================================================================== /// // // // JBoss Security Policy // // // /// ====================================================================== /// // $Id: server.policy,v 1.4 2003/08/27 04:31:53 patriot1burke Exp $ grant { // Allow everything for now permission java.security.AllPermission; }; ]] In short, in the spirit of defence in depth, I think more careful use of unix file permissions should be made when installing this software: that is, root:wheel (as is common elsewhere throughout the ports-installed stuff: eg, apache2, which commonly runs as the www:www user). This is especially the case with a server like jboss which permits the dynamic uploading and deployment of new services. Whilst we're at it, I was under the impression that www:www was intended to be a web-process-only (or apache-only) user/group - that is, that only web servicing processes should be in the www group. Looking at jboss4ctl, tomcat50ctl, it appears that these ports extend the semantics of the www group to include "users who should be able to control these web processes". It's not difficult to add a second wwwctl, tomcat50ctl, jboss4ctl, etc group and have the *ctl utilities honour that group membership instead: or alternatively, to simply follow the apache port and require root privileges (or appropriate sudo configuration) to control this server port. Indeed, it's not quite clear why the tomcat, jboss etc. ports reuse this user and group when the creation of new ones is pretty trivial. It's worthwhile pointing out that the security issues with having the jboss stuff in www:www work in the other direction, too: a compromise of (say) a PHP script under apache would permit the modification of the jboss startup scripts in /usr/local/jboss4/bin. If it's simpler I can file a PR with this; thought Id just raise it here first, though, since the fixes are generally pretty straightforward, and I might have missed an obvious reason for doing things this way. Cheers, jan -- jan grant, ILRT, University of Bristol. http://www.ilrt.bris.ac.uk/ Tel +44(0)117 9287864 or +44 (0)117 9287088 http://ioctl.org/jan/ "...perl has been dead for more than 4 years." - Abigail in the Monastery