15 Aug
2009
15 Aug
'09
2:34 a.m.
Hello,
1. I am wondering if any users running XWiki on Tomcat 5.5 have set up a SecurityManager
policy. The documentation isn't really clear on this, other than "it's an
issue" that may not be resolved. The one "comment" on XWiki.org that has a
security policy is close but not quite clear. I couldn't figure out the part about
Log4J.
- is a policy necessary?
- without one, are there any inherent security risks using XWiki/Tomcat "out of the
box"?
- what about Tomcat's default "users" and "roles"?
2. Are there any security risks using the default "xwiki" installation location
in webapps? ie. if it's there and someone realizes you're running XWiki,
couldn't they then direct their attacks specifically at MySQL / Tomcat / XWiki,
looking for holes? I tried installing the WAR to a different location, and failed
miserably. Does it matter?
3. Is anyone using XWiki over SSL? Anything special we need to do for that, other than
getting a certificate?
As you can tell, I'm not familiar with Tomcat and not a security guru. I'm just
the one who has to make sure our setup "out of the box" is secure against
exploits.
We're running on Ubuntu, with MySQL. Yes, the server will be behind a firewall, and
the MySQL passwords have been changed.
I think what would help in the online documentation is a "security checklist"
that rounds up all the various bits that I found on various pages.
Thanks,
Trevor
15 Aug
15 Aug
8:48 a.m.
Hi,
Trevor wrote:
Hello,
1. I am wondering if any users running XWiki on Tomcat 5.5 have set up a SecurityManager
policy. The documentation isn't really clear on this, other than "it's an
issue" that may not be resolved. The one "comment" on XWiki.org that has a
security policy is close but not quite clear. I couldn't figure out the part about
Log4J.
- is a policy necessary?
- without one, are there any inherent security risks using XWiki/Tomcat "out of the
box"?
- what about Tomcat's default "users" and "roles"?
2. Are there any security risks using the default "xwiki" installation location
in webapps? ie. if it's there and someone realizes you're running XWiki,
couldn't they then direct their attacks specifically at MySQL / Tomcat / XWiki,
looking for holes? I tried installing the WAR to a different location, and failed
miserably. Does it matter?
3. Is anyone using XWiki over SSL? Anything special we need to do for that, other than
getting a certificate?
Concerning this, please, Vincent, is this entry still valid?
http://www.xwiki.org/xwiki/bin/view/FAQ/HowDoIAddASecureSignonPage
Cheers,
Ricardo
--
Ricardo RodrÃguez
Your EPEC Network ICT Team
10:19 a.m.
Hi Trevor,
On Aug 15, 2009, at 2:34 AM, Trevor wrote:
Hello,
1. I am wondering if any users running XWiki on Tomcat 5.5 have set
up a SecurityManager policy. The documentation isn't really clear
on this, other than "it's an issue" that may not be resolved. The
one "comment" on XWiki.org that has a security policy is close but
not quite clear. I couldn't figure out the part about Log4J.
- is a policy necessary?
- without one, are there any inherent security risks using XWiki/
Tomcat "out of the box"?
- what about Tomcat's default "users" and "roles"?
It really depends on your IT security rules. XWiki needs a few things
to work:
- ability to create threads
- ability to access files from the filesystem (for caches and to write
the xwiki log file)
So in general we don't run XWiki with any security manager.
From a user POV only groovy scripting can access files on the
filtesystem and do dangerous things. This is why we have a special
right called programming right that is required for groovy scripting
and that you should only give to trustworthy people (admins in general).
2. Are there any security risks using the default
"xwiki"
installation location in webapps? ie. if it's there and someone
realizes you're running XWiki, couldn't they then direct their
attacks specifically at MySQL / Tomcat / XWiki, looking for holes?
There are some known security issues at various level that we usually
fix (like injection issues). Some not so serious issues exist but we
haven't published them till they are solved.
I tried installing the WAR to a different location,
and failed
miserably. Does it matter?
No idea what you call location. Location doesn't matter in general and
you don't even need to be root to install xwiki.
3. Is anyone using XWiki over SSL? Anything special we need to do
for that, other than getting a certificate?
As you can tell, I'm not familiar with Tomcat and not a security
guru. I'm just the one who has to make sure our setup "out of the
box" is secure against exploits.
We're running on Ubuntu, with MySQL. Yes, the server will be behind
a firewall, and the MySQL passwords have been changed.
I think what would help in the online documentation is a "security
checklist" that rounds up all the various bits that I found on
various pages.
I'm not a security expert either. You could consider hiring a xwiki
security expert to review your setup if it's important to you. You
could try contacting http://xwiki.com if you don't get enough answer
here or if you want some validation.
Thanks
-Vincent
9:46 a.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Heya Trevor,
1 Have not yet looked into SecurityManager.
As i'm running XWiki on a dedicated server, i'm not really concerned about
tomcat accessing files on the local file system.
Any connecting to a host other than the one the applet was loaded from should be blocked
by the firewall.
2 Knowing the software in use is of help to an attacker, not having 'xwiki' in the
URL doesn't help since the login page will most likely tell what software is used
anyway.
3 Simple get a certificate and follow the SSL Configuration HOW-TO (for 5.5:
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html)
I don't want anybody to be able to sniff passwords or content (from any of the
services i make available on the internet), so i always use SSL.
Actually, as i've secured my systems to the best of my knowledge, i'm more
concerned about the inside thread.
Mazzel,
Martijn.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iQEVAwUBSoZn0ft+Km8vKaO1AQKq7wf+InMjq3gr+rU+dMTuHJ5TB04GOTwkQ0pX
jAWI5UiiOtlVRL1y74m7+TsKEbfHphIQOEmm4XvohYfftYOViF0Bq7Muis5AIdZK
Pf6H8sUrmXfWJ4goIqTcJDPTR/YutFW1z80PtlOc7GBJByu5UQvCI0WqE9yUduC0
2XjyriasPydQVfaDXITyxGnrCNhIeJ77oLkyTbDY/MnYR+y2aU0Og38XS3aZrlQi
ukFMM2aEV9sl23KTP2PL3t0Kwr7mTLZqng0mAIcva9K8aQunC9itgTm+Jok20z2P
mUChCuPF6aJpT4zMrO1hQDJR2O45DN+ObCKecK1vH1ukmiQPB09FQg==
=qNCK
-----END PGP SIGNATURE-----
10:22 a.m.
On Aug 15, 2009, at 8:48 AM, [Ricardo Rodriguez] Your EPEC Network ICT
Team wrote:
Hi,
Trevor wrote:
I have no idea... :) This page was written by Ludovic a very long time
ago (end 2006). However I think you can configure XWiki to run over
SSL. At least I know that it's handled at some places in the code. But
I don't know much about this.
Thanks
-Vincent
Hello,
1. I am wondering if any users running XWiki on Tomcat 5.5 have set
up a SecurityManager policy. The documentation isn't really clear
on this, other than "it's an issue" that may not be resolved. The
one "comment" on XWiki.org that has a security policy is close but
not quite clear. I couldn't figure out the part about Log4J.
- is a policy necessary?
- without one, are there any inherent security risks using XWiki/
Tomcat "out of the box"?
- what about Tomcat's default "users" and "roles"?
2. Are there any security risks using the default "xwiki"
installation location in webapps? ie. if it's there and someone
realizes you're running XWiki, couldn't they then direct their
attacks specifically at MySQL / Tomcat / XWiki, looking for holes?
I tried installing the WAR to a different location, and failed
miserably. Does it matter?
3. Is anyone using XWiki over SSL? Anything special we need to do
for that, other than getting a certificate?
Concerning this, please, Vincent, is this entry still valid?
http://www.xwiki.org/xwiki/bin/view/FAQ/HowDoIAddASecureSignonPage
17 Aug
17 Aug
3:40 p.m.
Thanks, Vincent, for your replies.
On Sat, 15 Aug 2009 10:19:54 +0200 Vincent Massol <vincent(a)massol.net> wrote:
From a user POV only groovy scripting can access
files on the
filtesystem and do dangerous things. This is why we have a special
right called programming right that is required for groovy scripting
and that you should only give to trustworthy people (admins in general).
Okay, so if we have XWiki running on a dedicated server, and we set user rights'
appropriately, then the SecurityManager probably doesn't add much.
I'm good with that.
No idea what you call location. Location doesn't
matter in general and
By "location" I was referring to what the directory is called that xwiki is
installed into (eg. "xwiki" or "xwikifarm").
you don't even need to be root to install xwiki.
How would this be done? Don't you need root permission to install the WAR into
$CATALINA_HOME/webapps ?
Ah ... I'm guessing you can "deploy" XWiki through Tomcat's management
app? Is this what you mean?
Trevor
3:45 p.m.
Martin, thanks for your reply, and for the SSL how-to link, I appreciate it.
I have come across a document which is quite useful, specfically about Securing Tomcat:
http://www.owasp.org/index.php/Securing_tomcat
I found it here: https://help.ubuntu.com/community/ApacheTomcat5
Trevor
3:48 p.m.
On Aug 17, 2009, at 3:40 PM, Trevor wrote:
Thanks, Vincent, for your replies.
On Sat, 15 Aug 2009 10:19:54 +0200 Vincent Massol
<vincent(a)massol.net> wrote:
You just need the permissions to drop the WAR somewhere and you need
to ensure that the directory from where xwiki is started can be
written to by the process starting xwiki since it'll write some logs
in it.
Alternatively a better solution is to configure xwiki's log file to be
created where you want it to go.
See http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Logging
Thanks
-Vincent
From a user POV only groovy scripting can access
files on the
filtesystem and do dangerous things. This is why we have a special
right called programming right that is required for groovy scripting
and that you should only give to trustworthy people (admins in
general).
Okay, so if we have XWiki running on a dedicated server, and we set
user rights' appropriately, then the SecurityManager probably
doesn't add much.
I'm good with that.
No idea what you call location. Location
doesn't matter in general
and
By "location" I was referring to what the directory is called that
xwiki is installed into (eg. "xwiki" or "xwikifarm").
you don't even need to be root to install
xwiki.
How would this be done? Don't you need root permission to install
the WAR into $CATALINA_HOME/webapps ?
Ah ... I'm guessing you can "deploy" XWiki through Tomcat's
management app? Is this what you mean? 
4:04 p.m.
Trevor wrote:
It should work out-of-the-box without any problems. I did deploy XWiki
to other directories, and so far I didn't run into any problem. Can
you be more specific about the errors you encounter?
--
Sergiu Dumitriu
http://purl.org/net/sergiu/
No idea what
you call location. Location doesn't matter in general and
By "location" I was referring to what the directory is called that xwiki is
installed into (eg. "xwiki" or "xwikifarm"). 
3:47 p.m.
On Mon, Aug 17, 2009 at 9:40 AM, Trevor <tr.wiki(a)telus.net> wrote:
How would this be done? Don't you need root permission to install the WAR
into $CATALINA_HOME/webapps ?
Ah ... I'm guessing you can "deploy" XWiki through Tomcat's management
app?
Is this what you mean?
Not all tomcat installations are installed with the webapps being only
root-writable.
Sean
5512
days inactive
5514
days old
9 comments
6 participants
participants (6)
-
[Ricardo Rodriguez] Your EPEC Network ICT Team -
Martijn.Ras -
Sean Davis -
Sergiu Dumitriu -
Trevor -
Vincent Massol