This section demonstrates how to restrict the permissions of the Tomcat Servlet Container.

Rationale

- The JVM doesn't fork at all, nor does it support setuid() calls.
- The JVM, and therefore Tomcat, is one process.
- The JVM is a virtual machine with many threads under the same process.
- Because of OS constraints, all threads in the same JVM process must run under the same user id. No thread may run as the root user unless they are all run as the root user. Hence, if Tomcat runs as the root user, any programs run in Tomcat (TDS, manager application, other JSPs and servlets) will also run as the root user.
- If you choose to run the Tomcat process as the root user and an attacker manages to exploit a weakness in Tomcat or something running in ${tomcat_home}/webapps/ to run arbitrary commands, those commands will be run as the superuser!
- We strongly discourage running Tomcat as the root user and recommend creating an unprivileged, dedicated user and group for running the Tomcat process.
Create A Dedicated User/Group For Running Tomcat

The following example shows creation of a dedicated user/group on a Linux system. (Windows and Mac OS users will need to consult their systems administrator regarding user/group creation for those operating systems.)

In this example, both the user and group names will be tomcat, and the user's home directory, a.k.a. ${tomcat_home}, is /usr/local/tomcat.

Both the groupadd and useradd commands are run as the root user:

    # groupadd tomcat
    # useradd -g tomcat -d /usr/local/tomcat tomcat

You should see an entry for the tomcat group in your /etc/group file:

    tomcat:x:2001:

And something like the following for the tomcat user in your /etc/passwd file:

    tomcat:x:25945:2001::/usr/local/tomcat:/bin/bash
Restrict Permissions In ${tomcat_home}

We also recommend restricting the permissions of the Tomcat user/group within ${tomcat_home}.

- Change the user/group ownership of ${tomcat_home} to the tomcat user and tomcat group:

    # cd /usr/local
    # chown -R tomcat:tomcat apache-tomcat-8.5.34
    # ls -l tomcat
    total 148
    drwxr-x--- 2 tomcat tomcat   4096 Oct 24 14:22 bin
    -rw-r----- 1 tomcat tomcat  19539 Sep  4 16:30 BUILDING.txt
    drwx------ 2 tomcat tomcat   4096 Oct 24 15:14 conf
    -rw-r----- 1 tomcat tomcat   6090 Sep  4 16:30 CONTRIBUTING.md
    drwxr-x--- 2 tomcat tomcat   4096 Oct 24 13:29 lib
    -rw-r----- 1 tomcat tomcat  57092 Sep  4 16:30 LICENSE
    drwxr-x--- 2 tomcat tomcat   4096 Oct 24 13:41 logs
    -rw-r----- 1 tomcat tomcat   1726 Sep  4 16:30 NOTICE
    -rw-r----- 1 tomcat tomcat   3255 Sep  4 16:30 README.md
    -rw-r----- 1 tomcat tomcat   7142 Sep  4 16:30 RELEASE-NOTES
    -rw-r----- 1 tomcat tomcat  16262 Sep  4 16:30 RUNNING.txt
    drwxr-x--- 3 tomcat tomcat   4096 Oct 24 14:43 temp
    drwxr-x--- 8 tomcat tomcat   4096 Oct 24 15:36 webapps
    drwxr-x--- 3 tomcat tomcat   4096 Oct 24 13:41 work

- Change the user/group ownership of the ${tomcat_home}/conf directory so that it is owned by the root user, has a group of tomcat, and is readable only by that user and group:

    # cd /usr/local/tomcat
    # chown -R root conf
    # ls -l
    total 148
    drwxr-x--- 2 tomcat tomcat   4096 Oct 24 14:22 bin
    -rw-r----- 1 tomcat tomcat  19539 Sep  4 16:30 BUILDING.txt
    drwx------ 2 root   tomcat   4096 Sep  4 16:30 conf
    -rw-r----- 1 tomcat tomcat   6090 Sep  4 16:30 CONTRIBUTING.md
    drwxr-x--- 2 tomcat tomcat   4096 Oct 24 13:29 lib
    -rw-r----- 1 tomcat tomcat  57092 Sep  4 16:30 LICENSE
    drwxr-x--- 2 tomcat tomcat   4096 Oct 24 13:41 logs
    -rw-r----- 1 tomcat tomcat   1726 Sep  4 16:30 NOTICE
    -rw-r----- 1 tomcat tomcat   3255 Sep  4 16:30 README.md
    -rw-r----- 1 tomcat tomcat   7142 Sep  4 16:30 RELEASE-NOTES
    -rw-r----- 1 tomcat tomcat  16262 Sep  4 16:30 RUNNING.txt
    drwxr-x--- 3 tomcat tomcat   4096 Oct 24 14:43 temp
    drwxr-x--- 8 tomcat tomcat   4096 Oct 24 15:36 webapps
    drwxr-x--- 3 tomcat tomcat   4096 Oct 24 13:41 work

- Give the tomcat group read/execute permissions for the ${tomcat_home}/conf directory (mode 750: the root owner keeps full access, the group can read and traverse, and others have no access):

    # chmod 750 conf
    # ls -l
    total 148
    drwxr-x--- 2 tomcat tomcat   4096 Oct 24 14:22 bin
    -rw-r----- 1 tomcat tomcat  19539 Sep  4 16:30 BUILDING.txt
    drwxr-x--- 2 root   tomcat   4096 Sep  4 16:30 conf
    -rw-r----- 1 tomcat tomcat   6090 Sep  4 16:30 CONTRIBUTING.md
    drwxr-x--- 2 tomcat tomcat   4096 Oct 24 13:29 lib
    -rw-r----- 1 tomcat tomcat  57092 Sep  4 16:30 LICENSE
    drwxr-x--- 2 tomcat tomcat   4096 Oct 24 13:41 logs
    -rw-r----- 1 tomcat tomcat   1726 Sep  4 16:30 NOTICE
    -rw-r----- 1 tomcat tomcat   3255 Sep  4 16:30 README.md
    -rw-r----- 1 tomcat tomcat   7142 Sep  4 16:30 RELEASE-NOTES
    -rw-r----- 1 tomcat tomcat  16262 Sep  4 16:30 RUNNING.txt
    drwxr-x--- 3 tomcat tomcat   4096 Oct 24 14:43 temp
    drwxr-x--- 8 tomcat tomcat   4096 Oct 24 15:36 webapps
    drwxr-x--- 3 tomcat tomcat   4096 Oct 24 13:41 work

- Change the user/group permissions of the files and subdirectories in the ${tomcat_home}/conf directory: files become read-only for the owner and group (440), subdirectories stay traversable for the group (750). (Depending on the web applications you are running and/or your virtual host configurations, Tomcat may create a ${tomcat_home}/conf/Catalina directory with corresponding subdirectories and files for context information.)

    # cd /usr/local/tomcat/conf
    # find . -type f -print -exec chmod 440 {} \;
    # find . -type d -print -exec chmod 750 {} \;
    # ls -l
    total 228
    drwxr-x--- 3 root tomcat   4096 Oct 24 13:41 Catalina
    -r--r----- 1 root tomcat  13548 Sep  4 16:30 catalina.policy
    -r--r----- 1 root tomcat   7746 Sep  4 16:30 catalina.properties
    -r--r----- 1 root tomcat   1338 Sep  4 16:30 context.xml
    -r--r----- 1 root tomcat   1149 Sep  4 16:30 jaspic-providers.xml
    -r--r----- 1 root tomcat   2313 Sep  4 16:30 jaspic-providers.xsd
    -r--r----- 1 root tomcat   3622 Sep  4 16:30 logging.properties
    -r--r----- 1 root tomcat   7511 Sep  4 16:30 server.xml
    -r--r----- 1 root tomcat   1993 Oct 24 15:14 tomcat-users.xml
    -r--r----- 1 root tomcat   2633 Sep  4 16:30 tomcat-users.xsd
    -r--r----- 1 root tomcat 169322 Sep  4 16:30 web.xml

- Change the user/group ownership of the ${tomcat_home}/bin and ${tomcat_home}/lib directories so that they are owned by the root user and have a group of tomcat:

    # cd /usr/local/tomcat
    # chown -R root lib
    # chown -R root bin
    # ls -l
    total 144
    drwxr-x--- 2 root   tomcat   4096 Oct 24 17:39 bin
    -rw-r----- 1 tomcat tomcat  19539 Sep  4 16:30 BUILDING.txt
    drwxr-x--- 2 root   tomcat   4096 Sep  4 16:30 conf
    -rw-r----- 1 tomcat tomcat   6090 Sep  4 16:30 CONTRIBUTING.md
    drwxr-x--- 2 root   tomcat   4096 Oct 24 17:38 lib
    -rw-r----- 1 tomcat tomcat  57092 Sep  4 16:30 LICENSE
    drwxr-x--- 2 tomcat tomcat   4096 Sep  4 16:28 logs
    -rw-r----- 1 tomcat tomcat   1726 Sep  4 16:30 NOTICE
    -rw-r----- 1 tomcat tomcat   3255 Sep  4 16:30 README.md
    -rw-r----- 1 tomcat tomcat   7142 Sep  4 16:30 RELEASE-NOTES
    -rw-r----- 1 tomcat tomcat  16262 Sep  4 16:30 RUNNING.txt
    drwxr-x--- 2 tomcat tomcat   4096 Oct 24 17:38 temp
    drwxr-x--- 7 tomcat tomcat   4096 Oct 24 17:39 webapps
    drwxr-x--- 2 tomcat tomcat   4096 Sep  4 16:28 work

  Important: If you are not planning to use the Tomcat Manager application, you may consider changing the ownership of the files in the webapps directory to belong to another under-privileged user.

- Change the user/group permissions of the TDS $CONTENT_ROOT directory to give the tomcat user and tomcat group permission to write content ($CONTENT_ROOT is /data/content in this example):

    # cd /data
    # chown -R tomcat:tomcat content
    # ls -l
    total 144
    drwxr-x--- 3 tomcat tomcat 4096 Oct 24 17:43 content
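Once the steps above have been applied, the layout is easy to drift from (a package upgrade, a hand-edited server.xml, an unpacked webapp). The script below is an added example, not part of the TDS documentation: it audits a listing of ${tomcat_home} against the ownership and modes this page prescribes and reports every deviation. It assumes the page's own layout and user/group names, and that the listing comes from GNU find's -printf (the sample listing inside the script is constructed, not captured from a real host).

```shell
#!/bin/sh
# Added example (not from the TDS docs). Audit a Tomcat tree against the layout above.
# Input lines: "type mode owner group path" (type d/f, octal mode, path relative to
# ${tomcat_home}), which GNU find produces with:  find . -printf '%y %m %u %g %p\n'
# Assumed rules (the page's own): conf/bin/lib are root:tomcat with no group write,
# conf dirs 750 and conf files 440; logs/temp/work/webapps are tomcat:tomcat;
# nothing is accessible to "other". Prints one line per deviation; exit 1 if any.
check_tomcat_perms() {
  awk '
  function digit(m, i) { return substr(m, length(m) - i, 1) + 0 }  # i=0 other, i=1 group
  function flag(msg)   { print msg; n++ }
  {
    type = $1; mode = $2; owner = $3; group = $4; path = $5
    rel = path; sub(/^\.\/?/, "", rel)
    if (rel == "") next                                  # skip "." itself
    split(rel, parts, "/"); top = parts[1]
    if (digit(mode, 0) != 0)
      flag(path ": world-accessible mode " mode)
    if (top == "conf" || top == "bin" || top == "lib") {
      if (owner != "root" || group != "tomcat")
        flag(path ": expected root:tomcat, got " owner ":" group)
      if (int(digit(mode, 1) / 2) % 2 == 1)              # write bit in the group digit
        flag(path ": group-writable mode " mode)
      if (top == "conf") {
        want = (type == "d") ? 750 : 440
        if (mode + 0 != want) flag(path ": expected mode " want ", got " mode)
      }
    } else if (top ~ /^(logs|temp|work|webapps)$/) {
      if (owner != "tomcat" || group != "tomcat")
        flag(path ": expected tomcat:tomcat, got " owner ":" group)
    }
  }
  END { exit (n > 0) }'
}
# Constructed sample listing with three deviations: a conf file left 640,
# a world-readable webapps directory, and work/ still owned by root.
sample_listing() {
  cat <<'EOF'
d 750 root tomcat ./conf
f 440 root tomcat ./conf/server.xml
f 640 root tomcat ./conf/tomcat-users.xml
d 750 root tomcat ./bin
d 750 root tomcat ./lib
d 750 tomcat tomcat ./logs
d 755 tomcat tomcat ./webapps
d 750 root tomcat ./work
EOF
}
# Live use: (cd /usr/local/tomcat && find . -printf '%y %m %u %g %p\n') | check_tomcat_perms
if sample_listing | check_tomcat_perms; then echo "layout OK"; else echo "deviations found"; fi
```

Run against the sample it prints the three deviations and exits 1; run against a real tree it exits 0 only when every entry matches the layout above, which makes it usable as a periodic cron check.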
Resources

- Tomcat as root and security issues: a lengthy thread in the tomcat-users mailing list archives dedicated to the perils of running Tomcat as the root user.