Minimum permissions for Tomcat's conf directory

Installation Forum (Inactive)
Minimum permissions for Tomcat's conf directory jmikk  2016-12-21 10:23
Status: Closed
 
On Linux, is it possible to run LabKey with Tomcat's conf directory as read-only? It is usually recommended to make this directory read-only (the user running Tomcat is the owner of this directory and its contents, with permissions 0400). I've tried it out and was unable to reach LabKey's homepage and had to revert back to 0740, but I would still like to restrict how the configuration files are able to be accessed and changed by outside users.

Thanks!
 
 
Jon (LabKey DevOps) responded:  2016-12-21 13:37
Hi,

Only certain files can run as read-only. Others have to be set up as read+write or read+execute due to the nature of the specific file.

Is there any chance you can provide us with the catalina.out (or catalina.log) file and the labkey.log file that resides in the logs directory in Tomcat along with the time when you tried to reach the homepage of LabKey before it failed? We can see what happened in the logs and confirm what occurred.

I'm including an example of one of our own directory structures for a hosted version of LabKey. As you can see, the only users are tomcat and root and within the conf directory, only some files are read vs read+write vs read+execute. Our hosted servers prevent people from being able to access any config files, not without having a login directly on the server itself and not without being a part of the sudoers group to use sudo access to get to things.

Regards,

Jon
 
Jon (LabKey DevOps) responded:  2016-12-21 13:38
root@myserver:/labkey/apps/tomcat# ls -l
total 144
drwxr-xr-x 2 tomcat tomcat  4096 Mar 10  2016 bin
drwxr-xr-x 3 tomcat tomcat  4096 May  3  2016 conf
drwxr-xr-x 2 tomcat tomcat  4096 Mar 10  2016 lib
-rw-r--r-- 1 tomcat tomcat 57011 Oct  7  2015 LICENSE
drwxr-xr-x 2 tomcat tomcat 28672 Dec 21 00:00 logs
-rw-r--r-- 1 tomcat tomcat  1444 Oct  7  2015 NOTICE
-rw-r--r-- 1 tomcat tomcat  6741 Oct  7  2015 RELEASE-NOTES
-rw-r--r-- 1 tomcat tomcat 16204 Oct  7  2015 RUNNING.txt
drwx------ 2 tomcat tomcat  4096 Mar 10  2016 SSL
drwxr-xr-x 2 tomcat tomcat  4096 Mar 10  2016 temp
drwxr-xr-x 4 tomcat tomcat  4096 Mar 10  2016 webapps
drwxr-xr-x 3 tomcat tomcat  4096 Mar 10  2016 work


root@myserver:/labkey/apps/tomcat/conf# ls -l
total 112
drwxr-xr-x 4 root   root    4096 May  3  2016 Catalina
-rw------- 1 tomcat tomcat 12374 Oct  7  2015 catalina.policy
-rw------- 1 tomcat tomcat  7106 Oct  7  2015 catalina.properties
-rw------- 1 tomcat tomcat  1577 Oct  7  2015 context.xml
-rw------- 1 tomcat tomcat  3387 Oct  7  2015 logging.properties
-rw-r----- 1 tomcat root    8448 May  3  2016 server.xml
-rw------- 1 tomcat tomcat   160 Mar 10  2016 tomcat-users.xml
-rw------- 1 tomcat tomcat  1846 Oct  7  2015 tomcat-users.xsd
-rw------- 1 tomcat tomcat 46831 Mar 10  2016 web.xml

root@myserver:/labkey/apps/tomcat/conf/Catalina# ls -l
total 8
drwx------ 2 tomcat tomcat 4096 May 16  2016 localhost

root@myserver:/labkey/apps/tomcat/conf/Catalina/localhost# ls -l
total 8
-rwxr-xr-x 1 tomcat tomcat 2623 Mar 10  2016 ROOT.xml
 
jmikk responded:  2017-01-04 07:14
Thanks, exactly what I was looking for, Jon. Thanks, working as expected now with updated permissions.