ports/83434: tomcat ports give the wrong ownership to their installed executables

jan grant jan.grant at bristol.ac.uk
Thu Jul 14 07:20:17 UTC 2005


>Number:         83434
>Category:       ports
>Synopsis:       tomcat ports give the wrong ownership to their installed executables
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jul 14 07:20:16 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     jan grant
>Release:        5-STABLE
>Organization:
University of Bristol
>Environment:
FreeBSD tribble.ilrt.bris.ac.uk 5.4-STABLE FreeBSD 5.4-STABLE #0: Thu Jun 16 13:59:43 BST 2005 cmjg at tribble.ilrt.bris.ac.uk:/external/usr.obj/usr/src/sys/JAN  i386

(essentially GENERIC)
>Description:
The tomcat processes, as installed, run as the user/group www:www. This is fine. However, looking at the ports (all of the tomcat ports, and this problem extends to other java ports too), the install scripts are overly generous in giving away installed files to www:www.

This is problematic because it means that the process (and, in the absence of a properly-configured policy file - note jboss ports install a policy file, but it permits "anything") can write to its own executables - including the "tomcat50ctl" file. Thus, malicious webapps can "leak" out and corrupt their container. It's not really an example of "defense in depth".

Additionally, you're at risk from any other process running under www:www - for example, a CGI script.
>How-To-Repeat:
Install any jakarta-tomcat, or jboss (or possibly other, that's as far as I've checked) port.
>Fix:
The first permission problem is pretty straightforward, and can be fixed by only giving the tomcat user (www:www) ownership to the webapps, work, temp and logs subdirectories - everything else can be owned by root.

When it comes to it, a slightly smarter tomcat*ctl program can be made suid root rather than sugid www:www; capturing the tomcat process PID isn't overly difficult. Fixing the "executable" parts of the tomcat, jboss installations to be immutable to non-root users would be a great start however.

>Release-Note:
>Audit-Trail:
>Unformatted:
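
One way to check an installed tree for the ownership problem this report describes, as an added example that is not part of the original PR or of the ports tree. The function name and arguments are hypothetical; the four excluded directory names are the ones the report's fix leaves to the tomcat user.

```shell
#!/bin/sh
# Added example: list paths in a Tomcat-style install tree that the service
# account could modify outside its runtime data directories.
# Assumption: ROOT is the install prefix of the container; USER and GROUP are
# the service account (www:www in the report). Numeric ids are accepted.

# audit_tree ROOT USER GROUP
# Prints every path under ROOT, outside webapps/work/temp/logs, that is
#   - owned by USER (the owner can always change the mode and then write), or
#   - group-writable with group GROUP, or
#   - world-writable.
# Symlinks are skipped because their own mode bits are not meaningful.
audit_tree() {
    root=${1%/}     # drop a trailing slash so the -path tests match
    user=$2
    group=$3
    find "$root" \
        \( -path "$root/webapps" -o -path "$root/work" \
           -o -path "$root/temp" -o -path "$root/logs" \) -prune \
        -o ! -type l \
        \( -user "$user" -o \( -group "$group" -perm -020 \) -o -perm -002 \) \
        -print
}

# Stand-alone use: sh audit.sh ROOT USER GROUP
if [ "$#" -eq 3 ]; then
    audit_tree "$@"
fi
```

Empty output means everything outside the four data directories is immutable to the service account, which is the state the fix asks for.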


