Security Lifecycle Listener

posted by mthomas on July 20, 2011 07:18 AM

Apache Tomcat 7 includes several security updates that further harden the application server that came directly from the Bugzilla queue. One new feature, the Security Lifecycle Listener, helps ensure that Tomcat is started in a reasonably secure way.

Preventing Tomcat Running as Root

One user cited that while all administrators worth their salt should know that it is irresponsible and incredibly insecure to run Tomcat as the root user to the system, Tomcat still allows the server to start under root. Although this problem is largely contained to Linux systems, the fix had to be applicable to all operating systems. Therefore, the fix that was implemented was to create a list of users that are not allowed to start Tomcat. Tomcat checks to see if it is running as one of those users, and if it is, it shuts itself down.

Securing Tomcat Files

A secondary check after the user is validated as a secure user, is to check that any files written by Tomcat (such the contents of an expanded WAR) are created securely. As a minimum, these files must not be world writeable. In some environments it may be desirable to restrict this even further such as read/write for owner, no access for anyone else. The permissions for created files are controlled by the current user's umask. If the umask is not restrictive enough on the running user, this too will prevent Tomcat from starting.

Configuring the Security Lifecycle Listener

The Security Lifecycle Listener is not enabled by default. To enable it, you must uncomment the listener in $CATALINA_BASE/conf/server.xml. To secure the files as well, Tomcat needs access to the umask. To do this, you'll need to uncomment the line for umask in $CATALINA_HOME/bin/catalina.sh.For more information on the Security Lifecycle Listener Component see the official documentation at http://tomcat.apache.org/tomcat-7.0-doc/config/listeners.html.

Mark Thomas is a Senior Software Engineer for the SpringSource Division of VMware, Inc. (NYSE: VMW). Mark has been using and developing Tomcat for over six years. He first got involved in the development of Tomcat when he needed better control over the SSL configuration than was available at the time. After fixing that first bug, he started working his way through the remaining Tomcat bugs and is still going. Along the way Mark has become a Tomcat committer and PMC member, volunteered to be the Tomcat 4 & 7 release manager, created the Tomcat security pages, become a member of the ASF and joined the Apache Security Committee. He also helps maintain the ASF's Bugzilla instances. Mark has a MEng in Electronic and Electrical Engineering from the University of Birmingham, United Kingdom.