Security manager is too restrictive by default.

Bug #74784 reported by Nicolas Ternisien
Affects             Status    Importance  Assigned to  Milestone
tomcat5.5 (Debian)  Invalid   Undecided   Unassigned
tomcat5.5 (Ubuntu)  Invalid   Undecided   Unassigned

Bug Description

Binary package hint: tomcat5.5

If we want to use the default Ubuntu packaging of the Tomcat 5.5 server, we need to have less restrictive access to the webapps folder and the shared/lib folder.

The Tomcat 5.5 server is launched by the tomcat5 user, so even if these restrictions are less important, the system will still be protected.

Indeed, it's a real hell today to install a web application which needs to write its log file to /var/log/<appname>, simply because the security manager is too restrictive. New Tomcat users need many tries before finding the /etc/tomcat5.5/policy.d folder and finding out how to modify it to get something that the Linux FS rights already provide.

So I hope that the provided patch will be applied to the /etc/tomcat5.5/policy.d/ folder.

Nicolas Ternisien (nicolas-ternisien) wrote:

Matti Lindell (mlind) wrote:

I added a Debian bug that is about the same/similar subject. You should probably send the patch directly there for review and possible inclusion.

Changed in tomcat5.5:
status: Unconfirmed → Confirmed
Changed in tomcat5.5:
status: Unknown → Fix Committed
Sebastian Cardello (guindous) wrote:

Debian Etch has a property in the /etc/default/tomcat5.5 file that disables all that security. Just set:

TOMCAT5_SECURITY=no

Maybe, I'm not sure, but making this option the default is an easy way to solve this problem.

Michael Koch (konqueror) wrote:

I would consider disabling the security manager to be a security issue. Server admins should be aware of this and do it explicitly. Disabling this silently is really a bad decision.

Changed in tomcat5.5:
status: Fix Committed → Fix Released
Sam (sam-halliday) wrote:

This bug report is invalid... Tomcat is the reference implementation of the Servlet framework and if your web application requires additional security permissions, then please read the documentation and add the relevant permissions to the file /etc/tomcat5.5/policy.d/50user.policy for that application. The security policy of Tomcat is mission critical in many cases.

You can start here http://tomcat.apache.org/tomcat-5.5-doc/security-manager-howto.html

Request that this bug report be marked invalid, as it is not a bug.

Changed in tomcat5.5:
status: Confirmed → Invalid
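Added example (not from the bug report, the tomcat5.5 package or any commenter): the scoped alternative to TOMCAT5_SECURITY=no that the comment above points at. It appends a grant to /etc/tomcat5.5/policy.d/50user.policy that lets one webapp write its own log directory and nothing else, so the security manager stays on. The webapp name `myapp`, the log directory /var/log/myapp, and the assumption that the webapp's code base is `${catalina.base}/webapps/myapp` are illustrative; the packaged policy file path comes from the comment above.

```shell
#!/bin/sh
# Added example: grant one webapp write access to its own log directory under
# the Tomcat security manager instead of switching the manager off with
# TOMCAT5_SECURITY=no in /etc/default/tomcat5.5.
# Assumptions (not stated on the bug page): the webapp lives at
# ${catalina.base}/webapps/$APP, and the packaged init script rebuilds
# catalina.policy from /etc/tomcat5.5/policy.d/*.policy on restart.

set -eu

# Emit a grant stanza scoped to one webapp's code base and one log directory.
# "/dir/-" matches everything below the directory recursively; "/dir/*" would
# match only direct children, and neither form matches the directory itself,
# which is why it gets its own permission line.
log_policy_stanza() {
    app=$1
    logdir=$2
    cat <<EOF
// Added by the administrator: let $app write its own logs only.
grant codeBase "file:\${catalina.base}/webapps/$app/-" {
    permission java.io.FilePermission "$logdir", "read,write";
    permission java.io.FilePermission "$logdir/-", "read,write,delete";
};
EOF
}

# Append the stanza to a policy.d file (default: the packaged 50user.policy)
# unless a grant for this code base is already present, so repeated runs do
# not accumulate duplicate grants.
install_log_policy() {
    app=$1
    logdir=$2
    policy=${3:-/etc/tomcat5.5/policy.d/50user.policy}
    if [ -f "$policy" ] && grep -qF "webapps/$app/-" "$policy"; then
        echo "grant for $app already present in $policy" >&2
        return 0
    fi
    log_policy_stanza "$app" "$logdir" >> "$policy"
    echo "added grant for $app to $policy" >&2
}

# Usage (as root): add the grant, create the directory owned by the user the
# server runs as (tomcat5, per the report above), then restart Tomcat so the
# regenerated catalina.policy is loaded.
#   install_log_policy myapp /var/log/myapp
#   install -d -o tomcat5 -g adm -m 750 /var/log/myapp
#   invoke-rc.d tomcat5.5 restart
```

Keep the grant's codeBase as narrow as the webapp's own directory: a grant without a codeBase applies to every webapp the server hosts, which is most of what TOMCAT5_SECURITY=no gives up.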
Sam (sam-halliday) wrote:

The referenced bug isn't related at all!

Changed in tomcat5.5:
status: New → Invalid
Glenn Murray (gmurray-mines) wrote:

This is a valid bug report.

It is much too difficult to get a webapp going out of the box. The suggestion to "start" by reading the howto only emphasizes the difficulty and is an unreasonable expectation for an Ubuntu distribution. Note that if you go to the Tomcat website and download and install it manually, you can have a working implementation immediately. There is no reason Ubuntu should be more restrictive than Apache with Tomcat, especially in comparison to, say, MySQL, with its empty root password, or the Apache webserver, which also works out of the box. The current configuration is a barrier to adoption.

Whether or not Tomcat is a reference implementation is irrelevant.
Whether or not the security policy is "mission critical" is also irrelevant; that is the responsibility of the person running the app, not Ubuntu.

This is an example of free software that needs to be set free.
