Tomcat - Minimum directory (not LDAP) permissions required for PWM


Andy

Jan 29, 2013, 11:21:59 AM1/29/13
to pwm-general
Hi

I've set up and had working a copy of PWM 1.6.4 using Java 1.7.0_11-b21 and Tomcat 7.0.35 (installed using the Windows service installer) on Windows 2008 R2 SP1.

I'm now attempting to secure the installation further and see that
it's widely recommended not to run Tomcat as the default Local System
account.

I have therefore created a local user on the server and granted it
permissions as follows:

CATALINA_HOME - Read & Execute/List folder contents/Read
CATALINA_HOME\logs - Read & Execute/List folder contents/Read/Modify/Write
CATALINA_HOME\temp - Read & Execute/List folder contents/Read/Modify/Write
CATALINA_HOME\work - Read & Execute/List folder contents/Read/Modify/Write

I believe it is also recommended that this account only has Read
access to applications in the webapps directory. The exception to
this should be where the application itself has some functionality
that requires it to write to specific directories - as is the case
with PWM as far as I can tell.

I have so far identified that the user account requires permissions to
write/modify the PwmConfiguration.xml file and (I'm guessing the
whole) contents of \pwm\WEB-INF\pwmDB.

I've currently granted the local user Read & Execute/List folder
contents/Read/Modify/Write permissions to \pwm\WEB-INF directory and
this appears to have allowed PWM to function correctly. However I'm
concerned that I've now opened up the one bit of the application that
you actually would want to secure i.e. the config.

Does anyone know the minimum permissions that are required and on
which files/directories these permissions are required? Can it be
tied down to specific files or are the permissions required at WEB-INF
level?

I appreciate that in order for the Config Manager to work it's going
to need to be able to write the config out somewhere. So, is there a
set of permissions that is required only whilst configuring using the
Config Manager, as opposed to when it's in production use and the config
is locked? Perhaps these can be removed after configuration is
complete?

Thanks in advance for any advice

Andy

Menno Pieters

Jan 30, 2013, 1:50:01 AM1/30/13
to pwm-g...@googlegroups.com
PWM needs, indeed, to write the pwmDB and PwmConfiguration.xml. However, after you have finalized and locked the PwmConfiguration.xml, it will only need read access to this file. Tomcat may want to be able to write to the temp, work and log directories of the Tomcat installation. If you deploy manually, that is all your installation needs to write; the rest can be read-only.

Regards,

Menno
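
The permission model the two posts above arrive at (Tomcat read-only except logs, temp and work; PWM write access only to pwmDB and PwmConfiguration.xml, with the config file dropped back to read-only once it is locked) can be applied with NTFS ACLs from an elevated PowerShell prompt. The script below is an added example and is not code from the thread or from the PWM or Tomcat projects. The Tomcat path, the deployment path `webapps\pwm`, the service account name `svc_tomcat`, and the idea of pre-creating an empty `pwmDB` directory so its ACL exists before PWM's first start are all assumptions; adjust them to the installation in hand.

```powershell
# Added example (not from the thread). Run as an administrator on the Tomcat host.
# Assumptions: Tomcat 7 installed under $CatalinaHome, PWM deployed to webapps\pwm,
# and a dedicated local user 'svc_tomcat' that the Tomcat service runs as.
$CatalinaHome   = 'C:\Program Files\Apache Software Foundation\Tomcat 7.0'  # assumption
$PwmWebInf      = Join-Path $CatalinaHome 'webapps\pwm\WEB-INF'
$ServiceAccount = "$env:COMPUTERNAME\svc_tomcat"                            # assumption

function Set-ServiceAccountAccess {
    # Gives $ServiceAccount exactly $Rights on $Path, replacing any explicit Allow
    # ACEs it already had there. Inherited ACEs (e.g. from CATALINA_HOME) are untouched.
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [System.Security.AccessControl.FileSystemRights] $Rights
    )
    $acl   = Get-Acl -LiteralPath $Path
    $isDir = (Get-Item -LiteralPath $Path).PSIsContainer
    if ($isDir) {
        # Directory ACE that flows down to subfolders and files, so files PWM later
        # creates inside pwmDB are covered without touching the ACL again.
        $ctorArgs = @($ServiceAccount, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    } else {
        # Files cannot carry inheritance flags; use the three-argument constructor.
        $ctorArgs = @($ServiceAccount, $Rights, 'Allow')
    }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ctorArgs
    # SetAccessRule removes existing Allow rules for this identity, then adds ours.
    $acl.SetAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Remove-ServiceAccountAccess {
    # Strips every explicit ACE for $ServiceAccount from $Path. Whatever is inherited
    # from the parent (ReadAndExecute from CATALINA_HOME below) remains in force.
    param([Parameter(Mandatory)] [string] $Path)
    $acl = Get-Acl -LiteralPath $Path
    $acl.PurgeAccessRules([System.Security.Principal.NTAccount] $ServiceAccount)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Show-ServiceAccountAccess {
    # Lists the effective ACEs for the service account under $Root, so the result can be
    # checked against the thread's list before the service is switched to this account.
    param([string] $Root = $CatalinaHome)
    Get-ChildItem -LiteralPath $Root -Recurse -Depth 3 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            (Get-Acl -LiteralPath $item.FullName).Access |
                Where-Object { $_.IdentityReference.Value -eq $ServiceAccount } |
                ForEach-Object {
                    [pscustomobject]@{
                        Path      = $item.FullName
                        Rights    = $_.FileSystemRights
                        Inherited = $_.IsInherited
                    }
                }
        }
}

# --- Phase 1: baseline for the Tomcat installation -------------------------------
# Read & Execute / List folder contents / Read on CATALINA_HOME, inherited everywhere.
Set-ServiceAccountAccess -Path $CatalinaHome -Rights ReadAndExecute
# Modify (which includes Write) only where Tomcat itself must write.
foreach ($dir in 'logs', 'temp', 'work') {
    Set-ServiceAccountAccess -Path (Join-Path $CatalinaHome $dir) -Rights Modify
}

# --- Phase 2: what PWM needs while it is being configured ------------------------
$PwmDb     = Join-Path $PwmWebInf 'pwmDB'
$PwmConfig = Join-Path $PwmWebInf 'PwmConfiguration.xml'
# Assumption: PWM accepts a pre-created empty pwmDB directory. Creating it here means
# the service account never needs Write on WEB-INF itself just to create the folder.
if (-not (Test-Path -LiteralPath $PwmDb)) { New-Item -ItemType Directory -Path $PwmDb | Out-Null }
Set-ServiceAccountAccess -Path $PwmDb -Rights Modify
if (Test-Path -LiteralPath $PwmConfig) {
    Set-ServiceAccountAccess -Path $PwmConfig -Rights Modify
}

# --- Phase 3: after the configuration has been locked in Config Manager -----------
# Drop the explicit Modify on the config file; inherited ReadAndExecute still lets
# PWM read it, which is all it needs once locked. pwmDB keeps Modify permanently.
function Lock-PwmConfigAccess {
    Remove-ServiceAccountAccess -Path $PwmConfig
}

# Review the result, e.g.: Show-ServiceAccountAccess | Format-Table -AutoSize
```

Phase 3 is deliberately a function rather than a step that runs immediately: call `Lock-PwmConfigAccess` only after the configuration is finalized and locked, because before that the Config Manager has to be able to write `PwmConfiguration.xml` back out. If the configuration later needs editing, re-run the `Set-ServiceAccountAccess -Path $PwmConfig -Rights Modify` line from Phase 2. The `Show-ServiceAccountAccess` output (or `icacls` on the same paths) is the place to confirm that WEB-INF itself and the rest of the webapp carry only the inherited read rights, which was the concern raised in the first post.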

Andy

Jan 30, 2013, 4:01:02 AM1/30/13
to pwm-general
That's great.

Thanks for the quick response.