jhu-idc / iDC-general

Contains non-code-base specific tickets relating to the Islandora8 for Digital Collection project

Update Cantaloupe container permissions #455

Closed birkland closed 2 years ago

birkland commented 2 years ago

The tomcat documentation has an entire section regarding Security Considerations. As an example of security outside of tomcat settings, the file permissions for the tomcat directory can be further locked down. The tomcat user does not need read/write access to the entire tomcat directory. File permissions settings in the build kit could be changed to something more like:

chgrp -R tomcat /opt/tomcat && \
chown -R tomcat:tomcat /opt/tomcat && \
chown -R tomcat:tomcat /opt/tomcat/logs/  && \
chown -R tomcat:tomcat /opt/tomcat/temp/ && \
chown -R tomcat:tomcat /opt/tomcat/work/
bseeger commented 2 years ago

Starting point due to the current line:

chown -R tomcat:tomcat /opt/tomcat

bash-5.1# tree -L 2 -pug
.
├── [-rw-r----- tomcat   tomcat  ]  BUILDING.txt
├── [-rw-r----- tomcat   tomcat  ]  CONTRIBUTING.md
├── [-rw-r----- tomcat   tomcat  ]  LICENSE
├── [-rw-r----- tomcat   tomcat  ]  NOTICE
├── [-rw-r----- tomcat   tomcat  ]  README.md
├── [-rw-r----- tomcat   tomcat  ]  RELEASE-NOTES
├── [-rw-r----- tomcat   tomcat  ]  RUNNING.txt
├── [drwxr-x--- tomcat   tomcat  ]  bin
│   ├── [-rw-r----- tomcat   tomcat  ]  bootstrap.jar
│   ├── [-rw-r----- tomcat   tomcat  ]  catalina-tasks.xml
│   ├── [-rw-r----- tomcat   tomcat  ]  catalina.bat
│   ├── [-rwxr-x--- tomcat   tomcat  ]  catalina.sh
│   ├── [-rw-r----- tomcat   tomcat  ]  ciphers.bat
│   ├── [-rwxr-x--- tomcat   tomcat  ]  ciphers.sh
│   ├── [-rw-r----- tomcat   tomcat  ]  commons-daemon-native.tar.gz
│   ├── [-rw-r----- tomcat   tomcat  ]  commons-daemon.jar
│   ├── [-rw-r----- tomcat   tomcat  ]  configtest.bat
│   ├── [-rwxr-x--- tomcat   tomcat  ]  configtest.sh
│   ├── [-rwxr-x--- tomcat   tomcat  ]  daemon.sh
│   ├── [-rw-r----- tomcat   tomcat  ]  digest.bat
│   ├── [-rwxr-x--- tomcat   tomcat  ]  digest.sh
│   ├── [-rw-r----- tomcat   tomcat  ]  makebase.bat
│   ├── [-rwxr-x--- tomcat   tomcat  ]  makebase.sh
│   ├── [-rw-r----- tomcat   tomcat  ]  setclasspath.bat
│   ├── [-rwxr-x--- tomcat   tomcat  ]  setclasspath.sh
│   ├── [-rw-r--r-- tomcat   tomcat  ]  setenv.sh
│   ├── [-rw-r----- tomcat   tomcat  ]  shutdown.bat
│   ├── [-rwxr-x--- tomcat   tomcat  ]  shutdown.sh
│   ├── [-rw-r----- tomcat   tomcat  ]  startup.bat
│   ├── [-rwxr-x--- tomcat   tomcat  ]  startup.sh
│   ├── [-rw-r----- tomcat   tomcat  ]  tomcat-juli.jar
│   ├── [-rw-r----- tomcat   tomcat  ]  tomcat-native.tar.gz
│   ├── [-rw-r----- tomcat   tomcat  ]  tool-wrapper.bat
│   ├── [-rwxr-x--- tomcat   tomcat  ]  tool-wrapper.sh
│   ├── [-rw-r----- tomcat   tomcat  ]  version.bat
│   └── [-rwxr-x--- tomcat   tomcat  ]  version.sh
├── [drwx------ tomcat   tomcat  ]  conf
├── [drwxr-x--- tomcat   tomcat  ]  lib
├── [drwxr-x--- tomcat   tomcat  ]  logs
│   ├── [lrwxrwxrwx root     root    ]  cantaloupe.access.log -> /dev/stdout
│   ├── [-rw-r----- tomcat   tomcat  ]  cantaloupe.application.log
│   ├── [lrwxrwxrwx root     root    ]  cantaloupe.error.log -> /dev/stderr
│   └── [-rw-r----- tomcat   tomcat  ]  localhost_access_log.2021-12-13.txt
├── [drwxr-x--- tomcat   tomcat  ]  temp
│   └── [-rw-r----- tomcat   tomcat  ]  safeToDelete.tmp
├── [drwxr-x--- tomcat   tomcat  ]  webapps
│   ├── [drwxr-x--- tomcat   tomcat  ]  ROOT
│   ├── [drwxr-xr-x tomcat   tomcat  ]  cantaloupe
│   ├── [drwxr-x--- tomcat   tomcat  ]  host-manager
│   └── [drwxr-x--- tomcat   tomcat  ]  manager
└── [drwxr-x--- tomcat   tomcat  ]  work
    └── [drwxr-x--- tomcat   tomcat  ]  Catalina
bseeger commented 2 years ago

I'm trying to change the permissions here, but am running into the server not starting up when I tighten down the dir permissions.

Here's where I'm currently at with the cantaloupe Dockerfile, but for whatever reason cantaloupe can't access the logs:

    chown tomcat:tomcat /data && \
    chown -R root:tomcat /opt/tomcat && \
    chown -R tomcat:tomcat /opt/tomcat/conf && \
    chown -R tomcat:tomcat /opt/tomcat/logs && \
    chmod -R g+rw /opt/tomcat/logs && \
    chmod -R g+r /opt/tomcat && \
    chmod -R g+rw /opt/tomcat/temp && \
    chmod -R g+rw /opt/tomcat/work && \
    chmod -R g+rw /opt/tomcat/webapps  && 

But can't say for sure that that wasn't happening before.

Some resources:

https://itectec.com/superuser/linux-best-practice-for-access-permission-to-users-for-apache-tomcat/

I was trying to model the setup like this, based on apache tomcat 9 docs:

File permissions should also be suitably restricted. In the .tar.gz distribution, files and directories are not world readable and the group does not have write access. On Unix like operating systems, Tomcat runs with a default umask of 0027 to maintain these permissions for files created while Tomcat is running (e.g. log files, expanded WARs, etc.).

Taking the Tomcat instances at the ASF as an example (where auto-deployment is disabled and web applications are deployed as exploded directories), the standard configuration is to have all Tomcat files owned by root with group Tomcat and whilst owner has read/write privileges, group only has read and world has no permissions. The exceptions are the logs, temp and work directory that are owned by the Tomcat user rather than root. This means that even if an attacker compromises the Tomcat process, they can't change the Tomcat configuration, deploy new web applications or modify existing web applications. The Tomcat process runs with a umask of 007 to maintain these permissions.

At the network level, consider using a firewall to limit both incoming and outgoing connections to only those connections you expect to be present.

I started with ^^ and backed off when I ran into errors where it said it can't access a file in /conf (not sure why, since the user/group both had read permissions) - the system wouldn't start then. Then I started seeing errors about not being able to access the log file. I wonder if there's more magic going on than I understand.
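As an added example (not code from this issue or from idc-isle-buildkit), the following POSIX shell script applies the Tomcat-documented model quoted above with chmod alone (owner read/write, group read, world nothing, group write only under logs, temp and work) and then audits a CATALINA_HOME tree for anything that deviates. It assumes ownership (root:tomcat, with the tomcat user owning the three runtime directories) is set separately by the chown lines already in the comment, so it runs unprivileged, and the fixture tree it builds is a constructed stand-in for the listing above; the audit skips symlinks because the cantaloupe.*.log links to /dev/stdout and /dev/stderr always report lrwxrwxrwx.

```shell
#!/bin/sh
# Added example, not code from the issue or the buildkit. Enforces the model
# from the Tomcat docs quoted above: owner rw, group r, world nothing, with
# group write only under logs/, temp/ and work/. chown (root:tomcat, tomcat for
# the three runtime dirs) is assumed to be done elsewhere so this runs unprivileged.

# Apply the permission model to a CATALINA_HOME tree ($1).
tomcat_apply_perms() {
    chmod -R u=rwX,g=rX,o= "$1" || return 1
    for d in logs temp work; do
        if [ -d "$1/$d" ]; then
            chmod -R u=rwX,g=rwX,o= "$1/$d" || return 1
        fi
    done
}

# Audit: print every path that breaks the model; return 0 only when clean.
# Symlinks are skipped: the cantaloupe.*.log -> /dev/std* links in the issue
# always report lrwxrwxrwx and would otherwise be flagged.
tomcat_audit_perms() {
    violations=$(
        # world-readable, -writable or -executable entries anywhere
        find "$1" ! -type l \( -perm -o=r -o -perm -o=w -o -perm -o=x \) -print
        # group-writable entries outside the three runtime dirs
        find "$1" \( -path "$1/logs" -o -path "$1/temp" -o -path "$1/work" \) -prune \
            -o ! -type l -perm -g=w -print
    )
    [ -z "$violations" ] && return 0
    printf '%s\n' "$violations"
    return 1
}

# Constructed fixture resembling the tree listing in the issue, with two
# deliberate deviations the audit should catch.
tomcat_make_fixture() {
    mkdir -p "$1/bin" "$1/conf" "$1/logs" "$1/temp" "$1/work" "$1/webapps/cantaloupe"
    echo x > "$1/conf/server.xml"
    echo x > "$1/bin/catalina.sh"
    echo x > "$1/logs/cantaloupe.application.log"
    ln -s cantaloupe.application.log "$1/logs/cantaloupe.access.log"
    chmod 664 "$1/conf/server.xml"        # group-writable config: a violation
    chmod 755 "$1/webapps/cantaloupe"     # world-readable, as in the listing above
}
```

Run `tomcat_audit_perms /opt/tomcat` inside the container after the chown/chmod lines to confirm nothing outside logs, temp and work is writable by the tomcat group.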

bseeger commented 2 years ago

It is possible that the log error I was seeing was there beforehand and is because of how the files are "forwarded" to be read outside the container.

cantaloupe_1  | 21:47:13,195 |-ERROR in ch.qos.logback.core.rolling.RollingFileAppender[ErrorRollingFileLog] - openFile(/opt/tomcat/logs/cantaloupe.error.log,true) call failed. java.io.FileNotFoundException: /opt/tomcat/logs/cantaloupe.error.log (Permission denied)
...
cantaloupe_1  | 21:47:13,233 |-ERROR in ch.qos.logback.core.rolling.RollingFileAppender[AccessRollingFileLog] - openFile(/opt/tomcat/logs/cantaloupe.access.log,true) call failed. java.io.FileNotFoundException: /opt/tomcat/logs/cantaloupe.access.log (Permission denied)

This does appear to be the case, so maybe where I've gone with this setup above is actually okay. I'll make a PR in the AM for this directory structure.

bseeger commented 2 years ago

Resolved with: https://github.com/jhu-idc/idc-isle-buildkit/pull/102