XWiki (with Tomcat/MySQL) security


XWiki (with Tomcat/MySQL) security

Trevor Russ
Hello,

1. I am wondering if any users running XWiki on Tomcat 5.5 have set up a SecurityManager policy.  The documentation isn't really clear on this, other than "it's an issue" that may not be resolved.  The one "comment" on XWiki.org that has a security policy is close but not quite clear.  I couldn't figure out the part about Log4J.

- is a policy necessary?
- without one, are there any inherent security risks using XWiki/Tomcat "out of the box"?
- what about Tomcat's default "users" and "roles"?

2. Are there any security risks using the default "xwiki" installation location in webapps?  i.e. if it's there and someone realizes you're running XWiki, couldn't they then direct their attacks specifically at MySQL / Tomcat / XWiki, looking for holes?  I tried installing the WAR to a different location, and failed miserably.  Does it matter?

3. Is anyone using XWiki over SSL?  Anything special we need to do for that, other than getting a certificate?

As you can tell, I'm not familiar with Tomcat and not a security guru.  I'm just the one who has to make sure our setup "out of the box" is secure against exploits.

We're running on Ubuntu, with MySQL.  Yes, the server will be behind a firewall, and the MySQL passwords have been changed.
I think what would help in the online documentation is a "security checklist" that rounds up all the various bits that I found on various pages.

Thanks,
Trevor
_______________________________________________
users mailing list
[hidden email]
http://lists.xwiki.org/mailman/listinfo/users
Reply | Threaded
Open this post in threaded view
|

Re: XWiki (with Tomcat/MySQL) security

rrodrigueznt
Hi,

Trevor wrote:

> Hello,
>
> 1. I am wondering if any users running XWiki on Tomcat 5.5 have set up a SecurityManager policy.  The documentation isn't really clear on this, other than "it's an issue" that may not be resolved.  The one "comment" on XWiki.org that has a security policy is close but not quite clear.  I couldn't figure out the part about Log4J.
>
> - is a policy necessary?
> - without one, are there any inherent security risks using XWiki/Tomcat "out of the box"?
> - what about Tomcat's default "users" and "roles"?
>
> 2. Are there any security risks using the default "xwiki" installation location in webapps?  ie. if it's there and someone realizes you're running XWiki, couldn't they then direct their attacks specifically at MySQL / Tomcat / XWiki, looking for holes?  I tried installing the WAR to a different location, and failed miserably.  Does it matter?
>
> 3. Is anyone using XWiki over SSL?  Anything special we need to do for that, other than getting a certificate?

Concerning this, please, Vincent, is this entry still valid?

http://www.xwiki.org/xwiki/bin/view/FAQ/HowDoIAddASecureSignonPage

Cheers,

Ricardo

--
Ricardo Rodríguez
Your EPEC Network ICT Team


Re: XWiki (with Tomcat/MySQL) security

martijn.ras
In reply to this post by Trevor Russ

Heya Trevor,

1. Have not yet looked into SecurityManager.
   As I'm running XWiki on a dedicated server, I'm not really concerned about tomcat accessing files on the local file system.
   Any connection to a host other than the one the applet was loaded from should be blocked by the firewall.
2. Knowing the software in use is of help to an attacker; not having 'xwiki' in the URL doesn't help since the login page will most likely tell what software is used anyway.
3. Simply get a certificate and follow the SSL Configuration HOW-TO (for 5.5: http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html)

I don't want anybody to be able to sniff passwords or content (from any of the services I make available on the internet), so I always use SSL.
Actually, as I've secured my systems to the best of my knowledge, I'm more concerned about the inside threat.

Mazzel,

Martijn.

Re: XWiki (with Tomcat/MySQL) security

vmassol
Administrator
In reply to this post by Trevor Russ
Hi Trevor,

On Aug 15, 2009, at 2:34 AM, Trevor wrote:

> Hello,
>
> 1. I am wondering if any users running XWiki on Tomcat 5.5 have set  
> up a SecurityManager policy.  The documentation isn't really clear  
> on this, other than "it's an issue" that may not be resolved.  The  
> one "comment" on XWiki.org that has a security policy is close but  
> not quite clear.  I couldn't figure out the part about Log4J.
>
> - is a policy necessary?
> - without one, are there any inherent security risks using XWiki/
> Tomcat "out of the box"?
> - what about Tomcat's default "users" and "roles"?

It really depends on your IT security rules. XWiki needs a few things to work:
- ability to create threads
- ability to access files from the filesystem (for caches and to write the xwiki log file)

So in general we don't run XWiki with any security manager.

From a user POV only groovy scripting can access files on the filesystem and do dangerous things. This is why we have a special right called programming right that is required for groovy scripting and that you should only give to trustworthy people (admins in general).

> 2. Are there any security risks using the default "xwiki"  
> installation location in webapps?  ie. if it's there and someone  
> realizes you're running XWiki, couldn't they then direct their  
> attacks specifically at MySQL / Tomcat / XWiki, looking for holes?

There are some known security issues at various levels that we usually fix (like injection issues). Some not so serious issues exist but we haven't published them till they are solved.

>  I tried installing the WAR to a different location, and failed  
> miserably.  Does it matter?

No idea what you call location. Location doesn't matter in general and you don't even need to be root to install xwiki.

>
> 3. Is anyone using XWiki over SSL?  Anything special we need to do  
> for that, other than getting a certificate?
>
> As you can tell, I'm not familiar with Tomcat and not a security  
> guru.  I'm just the one who has to make sure our setup "out of the  
> box" is secure against exploits.
>
> We're running on Ubuntu, with MySQL.  Yes, the server will be behind  
> a firewall, and the MySQL passwords have been changed.
> I think what would help in the online documentation is a "security  
> checklist" that rounds up all the various bits that I found on  
> various pages.

I'm not a security expert either. You could consider hiring an xwiki security expert to review your setup if it's important to you. You could try contacting http://xwiki.com if you don't get enough answers here or if you want some validation.

Thanks
-Vincent


Re: XWiki (with Tomcat/MySQL) security

vmassol
Administrator
In reply to this post by rrodrigueznt

On Aug 15, 2009, at 8:48 AM, [Ricardo Rodriguez] Your EPEC Network ICT Team wrote:

> Hi,
>
> Trevor wrote:
>> Hello,
>>
>> 1. I am wondering if any users running XWiki on Tomcat 5.5 have set  
>> up a SecurityManager policy.  The documentation isn't really clear  
>> on this, other than "it's an issue" that may not be resolved.  The  
>> one "comment" on XWiki.org that has a security policy is close but  
>> not quite clear.  I couldn't figure out the part about Log4J.
>>
>> - is a policy necessary?
>> - without one, are there any inherent security risks using XWiki/
>> Tomcat "out of the box"?
>> - what about Tomcat's default "users" and "roles"?
>>
>> 2. Are there any security risks using the default "xwiki"  
>> installation location in webapps?  ie. if it's there and someone  
>> realizes you're running XWiki, couldn't they then direct their  
>> attacks specifically at MySQL / Tomcat / XWiki, looking for holes?  
>> I tried installing the WAR to a different location, and failed  
>> miserably.  Does it matter?
>>
>> 3. Is anyone using XWiki over SSL?  Anything special we need to do  
>> for that, other than getting a certificate?
>
> Concerning this, please, Vincent, is this entry still valid?
>
> http://www.xwiki.org/xwiki/bin/view/FAQ/HowDoIAddASecureSignonPage

I have no idea... :) This page was written by Ludovic a very long time ago (end of 2006). However I think you can configure XWiki to run over SSL. At least I know that it's handled in some places in the code. But I don't know much about this.

Thanks
-Vincent



Re: XWiki (with Tomcat/MySQL) security

Trevor Russ
In reply to this post by vmassol
Thanks, Vincent, for your replies.

On Sat, 15 Aug 2009 10:19:54 +0200 Vincent Massol <[hidden email]> wrote:

>  From a user POV only groovy scripting can access files on the  
> filtesystem and do dangerous things. This is why we have a special  
> right called programming right that is required for groovy scripting  
> and that you should only give to trustworthy people (admins in general).

Okay, so if we have XWiki running on a dedicated server, and we set user rights appropriately, then the SecurityManager probably doesn't add much.
I'm good with that.

> No idea what you call location. Location doesn't matter in general and  

By "location" I was referring to what the directory is called that xwiki is installed into (e.g. "xwiki" or "xwikifarm").

> you don't even need to be root to install xwiki.

How would this be done?  Don't you need root permission to install the WAR into $CATALINA_HOME/webapps ?
Ah ... I'm guessing you can "deploy" XWiki through Tomcat's management app?  Is this what you mean?

Trevor

Re: XWiki (with Tomcat/MySQL) security

Trevor Russ
In reply to this post by martijn.ras
Martijn, thanks for your reply, and for the SSL how-to link, I appreciate it.

I have come across a document which is quite useful, specifically about Securing Tomcat:
http://www.owasp.org/index.php/Securing_tomcat

I found it here: https://help.ubuntu.com/community/ApacheTomcat5

Trevor

Re: XWiki (with Tomcat/MySQL) security

Sean Davis
In reply to this post by Trevor Russ
On Mon, Aug 17, 2009 at 9:40 AM, Trevor <[hidden email]> wrote:

>
> How would this be done?  Don't you need root permission to install the WAR
> into $CATALINA_HOME/webapps ?
> Ah ... I'm guessing you can "deploy" XWiki through Tomcat's management app?
>  Is this what you mean?
>

Not all tomcat installations are installed with the webapps being only
root-writable.

Sean

Re: XWiki (with Tomcat/MySQL) security

vmassol
Administrator
In reply to this post by Trevor Russ

On Aug 17, 2009, at 3:40 PM, Trevor wrote:

> Thanks, Vincent, for your replies.
>
> On Sat, 15 Aug 2009 10:19:54 +0200 Vincent Massol  
> <[hidden email]> wrote:
>
>> From a user POV only groovy scripting can access files on the
>> filtesystem and do dangerous things. This is why we have a special
>> right called programming right that is required for groovy scripting
>> and that you should only give to trustworthy people (admins in  
>> general).
>
> Okay, so if we have XWiki running on a dedicated server, and we set  
> user rights' appropriately, then the SecurityManager probably  
> doesn't add much.
> I'm good with that.
>
>> No idea what you call location. Location doesn't matter in general  
>> and
>
> By "location" I was referring to what the directory is called that  
> xwiki is installed into (eg. "xwiki" or "xwikifarm").
>
>> you don't even need to be root to install xwiki.
>
> How would this be done?  Don't you need root permission to install  
> the WAR into $CATALINA_HOME/webapps ?
> Ah ... I'm guessing you can "deploy" XWiki through Tomcat's  
> management app?  Is this what you mean?

You just need the permissions to drop the WAR somewhere and you need to ensure that the directory from where xwiki is started can be written to by the process starting xwiki since it'll write some logs in it.
Alternatively, a better solution is to configure xwiki's log file to be created where you want it to go.

See http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Logging

Thanks
-Vincent
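
A deployment pre-flight check covering three points from this thread: Trevor's question about Tomcat's default "users" and "roles", the OWASP Securing Tomcat advice he found, and Vincent's point above that the directory XWiki starts from (or the configured log location) must be writable by the process running Tomcat. Added example for this thread, not XWiki or Tomcat project code; it assumes Linux with GNU stat, a dedicated Tomcat service account that owns those directories, and the accounts that Tomcat 5.5's shipped conf/tomcat-users.xml contains.

```shell
#!/bin/sh
# Pre-flight checks for an out-of-the-box Tomcat 5.5 + XWiki install on Linux.
# Added example for this thread; not XWiki or Tomcat project code. Assumes GNU
# stat (Ubuntu) and a dedicated Tomcat service account passed in by the caller.

# Return 0 if DIR exists, is owned by USER, is writable by that owner and is
# not world-writable. XWiki writes caches and its log file below the directory
# it is started from (or wherever the Logging guide points the log), so the
# tomcat process must be able to write there and nobody else should.
check_dir_perms() {
    dir=$1; user=$2
    [ -d "$dir" ] || { echo "$dir: missing"; return 1; }
    owner=$(stat -c '%U' "$dir")
    perm=$((0$(stat -c '%a' "$dir")))     # mode bits as an octal number, e.g. 0755
    [ "$owner" = "$user" ] || { echo "$dir: owned by $owner, not $user"; return 1; }
    [ $((perm & 128)) -ne 0 ] || { echo "$dir: not writable by $user"; return 1; }
    [ $((perm & 2)) -eq 0 ] || { echo "$dir: world-writable"; return 1; }
}

# Tomcat 5.5 ships conf/tomcat-users.xml with the accounts tomcat, role1 and
# both, all with password "tomcat". Print any that survive and return 1 if
# there are any; also list accounts holding the manager or admin role so they
# can be reviewed (that list alone does not fail the check).
check_tomcat_users() {
    file=$1
    users=$(grep -o '<user [^>]*>' "$file" || true)
    shipped=$(printf '%s\n' "$users" \
        | grep -E 'password="tomcat"|username="(tomcat|role1|both)"' \
        | sed -n 's/.*username="\([^"]*\)".*/\1/p')
    privileged=$(printf '%s\n' "$users" \
        | grep -E 'roles="([^"]*,)?(manager|admin)(,|")' \
        | sed -n 's/.*username="\([^"]*\)".*/\1/p')
    [ -z "$shipped" ] || echo "shipped default accounts still present: $(echo $shipped)"
    [ -z "$privileged" ] || echo "accounts with manager/admin role, review: $(echo $privileged)"
    [ -z "$shipped" ]
}

# Demo on a constructed tomcat-users.xml in a temp dir (sample data, not a real
# config): one shipped default left in place next to a real manager account.
demo=$(mktemp -d)
cat > "$demo/tomcat-users.xml" <<'EOF'
<tomcat-users>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="alice" password="REPLACE_ME" roles="manager"/>
</tomcat-users>
EOF
check_tomcat_users "$demo/tomcat-users.xml" || echo "fix conf/tomcat-users.xml before exposing Tomcat"
check_dir_perms "$demo" "$(id -un)" && echo "$demo: permissions ok"
rm -rf "$demo"
```

Run it as the account Tomcat starts under, pointing check_dir_perms at $CATALINA_HOME/webapps/xwiki and at the log directory chosen per the Logging admin guide.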


Re: XWiki (with Tomcat/MySQL) security

Sergiu Dumitriu-2
In reply to this post by Trevor Russ
Trevor wrote:
>> No idea what you call location. Location doesn't matter in general and  
>
> By "location" I was referring to what the directory is called that xwiki is installed into (eg. "xwiki" or "xwikifarm").

It should work out-of-the-box without any problems. I did deploy XWiki to other directories, and so far I didn't run into any problem. Can you be more specific about the errors you encounter?

--
Sergiu Dumitriu
http://purl.org/net/sergiu/