Need EXPERT help on setting UNIX permissions for managed server....

Hello,

PLEASE do not post an answer for the below question unless you are an expert with weblogic!

QUESTION:
----------------
If you install weblogic so that $WL_HOME, and all domain Administrative and Managed servers are owned by UNIX user 'weblogic', -THEN if an application is running within a managed server, the application can read/write to any file owned by UNIX user 'weblogic'.... This is a BIG security risk.....
 
On a UNIX machine, how can you have the managed server run as another UNIX user other than 'weblogic', such that the web application in the managed server does not have access to the UNIX user's weblogic files?
 

So far the best solution I could come up with (which still doesn't solve the problem) is below:
----------------------------------------------------------------------------------------------------------------------
1) If ALL files/directories in $WL_HOME are owned by UNIX user 'weblogic', and have UNIX group 'weblogic' (read-execute ONLY for the group):
750  weblogic weblogic     /usr/local/weblogic/weblogic81

2) Within the specific domain directory you have the managed server startup as UNIX user 'myUser', and it BELONGS to the UNIX group 'weblogic'.....

3) The above would restrict any application running in the managed server from writing to any file owned by weblogic (or creating a file in $WL_HOME). The application could only write files in directories owned by 'myUser'.... however it could read any file owned by weblogic -EVEN in another domain (Security RISK)....

4) There has got to be a way to set the UNIX permission such that an application running in a managed server cannot view files in  another domain (on the same machine)....
     

Thanks for any and all help!
Keith Kwiatek
Asked by: keithedward
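The permission scheme in steps 1 to 3 of the question, worked through as an added example (not part of the original post): a small shell model of the UNIX owner/group/other check shows why 'myUser' can read but not write weblogic's files, and how the result changes when each domain directory carries its own group. The per-domain layout, the domain paths, the file modes and the names wlhome, domA, domB, userA and userB are assumptions made for illustration; ACLs and root are not modelled.

```shell
#!/bin/sh
# Added example: model of the UNIX owner/group/other check (no ACLs, no root).
# Entries are "MODE:OWNER:GROUP"; all paths, modes and names are constructed.

# Pick the single permission class that applies: owner first, then group, else other.
perm_class() {  # USER "GROUP LIST" OWNER GROUP
    if [ "$1" = "$3" ]; then echo u; return 0; fi
    for g in $2; do
        if [ "$g" = "$4" ]; then echo g; return 0; fi
    done
    echo o
}

# Succeed if BIT (r, w or x) is set in MODE for CLASS (u, g or o).
allowed() {  # MODE CLASS BIT
    case $2 in u) shift_by=6 ;; g) shift_by=3 ;; *) shift_by=0 ;; esac
    case $3 in r) bit=4 ;; w) bit=2 ;; *) bit=1 ;; esac
    [ $(( (0$1 >> shift_by) & bit )) -ne 0 ]
}

# Walk a path: every directory needs x, the final entry needs OP (r or w).
can_access() {  # USER "GROUP LIST" OP ENTRY...
    user=$1; grps=$2; op=$3; shift 3
    while [ $# -gt 0 ]; do
        mode=${1%%:*}; rest=${1#*:}
        need=x
        if [ $# -eq 1 ]; then need=$op; fi
        class=$(perm_class "$user" "$grps" "${rest%%:*}" "${rest#*:}")
        allowed "$mode" "$class" "$need" || return 1
        shift
    done
}

# Layout from the question: everything weblogic:weblogic, myUser in group weblogic.
WL_HOME="750:weblogic:weblogic"
OTHER_DOMAIN="750:weblogic:weblogic"      # another domain's directory (constructed)
OTHER_CONFIG="640:weblogic:weblogic"      # a file inside it (constructed)

# Assumed alternative: one group per domain on each domain directory.
DOM_B_DIR="750:weblogic:domB"
DOM_B_CONFIG="640:weblogic:domB"

verdict() { if can_access "$@"; then echo allowed; else echo denied; fi; }

echo "shared group, read:  $(verdict myUser 'myUser weblogic' r $WL_HOME $OTHER_DOMAIN $OTHER_CONFIG)"
echo "shared group, write: $(verdict myUser 'myUser weblogic' w $WL_HOME $OTHER_DOMAIN $OTHER_CONFIG)"
echo "per-domain, userA:   $(verdict userA 'wlhome domA' r 750:weblogic:wlhome $DOM_B_DIR $DOM_B_CONFIG)"
echo "per-domain, userB:   $(verdict userB 'wlhome domB' r 750:weblogic:wlhome $DOM_B_DIR $DOM_B_CONFIG)"
```

On a live host, take the real mode, owner and group of each path component from `ls -ld` and pass them in the same `MODE:OWNER:GROUP` form.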

joefm1218 commented:
For security reasons (as well as manageability of my domain), I separate the Administrative server from all managed servers. The admin server is responsible for deployment to any managed server in the domain.

Since the Admin server is on a separate box, I require NodeManager to negotiate server startup/shutdown/resource management/app deployment management. NodeManager communicates via 2-way SSL with the Admin server. This ensures that Privacy/Authentication/Authorization is trusted among the Admin server and all managed servers.

By using this scenario, I control the file permissions on the Admin server separately from the file permissions on the managed servers. It's the Admin server's responsibility to push deployments to all managed servers via NodeManager.

Hope this helps.
Becky commented:
You could configure your weblogic domain machines as "UNIX Machines" - http://e-docs.bea.com/wls/docs81/ConsoleHelp/machines.html

"If the computer runs a UNIX operating system, you can create a UNIX machine configuration, which enables you to assign the process under which a WebLogic Server instance runs to a user ID (UID) or group ID (GID). The WebLogic Server process is assigned (bound) to the UID or GID after the computer has carried out all privileged startup actions."

"If you are creating a UNIX machine and you want to bind the processes under which WebLogic Server instances run to a user ID or group ID, do any of the following:
- To bind the server processes to a user ID, select Enable Post-Bind UID and enter the user ID in the Post-Bind UID box.
- To bind the server processes to a group ID, select Enable Post-Bind GID and enter the group ID in the Post-Bind GID box."

So you can start weblogic as the "weblogic" user, so all necessary privileges are used upon startup, but then afterwards it runs as the user ID you specify for the machine in console.
joefm1218 commented:
greensunie raises a good point about machine binding for UNIX machines. Be careful, however: this binding does not work on a Linux platform in version 7.0.

You didn't mention the platform and WLS version. I haven't tried it with version 8.1.