  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 334

Need EXPERT help on setting UNIX permissions for managed server....

Hello,

PLEASE do not post an answer for the below question unless you are an expert with weblogic!

QUESTION:
----------------
If you install weblogic so that $WL_HOME, and all domain Administrative and Managed servers are owned by UNIX user 'weblogic', -THEN if an application is running within a managed server, the application can read/write to any file owned by UNIX user 'weblogic'.... This is a BIG security risk.....
 
On a UNIX machine, how can you have the managed server run as another UNIX user other than 'weblogic', such that the web application in the managed server does not have access to the UNIX user's weblogic files?
 

So far the best solution I could come up with (which still doesn't solve the problem) is below:
----------------------------------------------------------------------------------------------------------------------
1) If ALL files/directories in $WL_HOME are owned by UNIX user 'weblogic', and have UNIX group 'weblogic' (read-execute ONLY for the group):
750  weblogic weblogic     /usr/local/weblogic/weblogic81

2) Within the specific domain directory you have the managed server startup as UNIX user 'myUser', and it BELONGS to the UNIX group 'weblogic'.....

3) The above would restrict any application running in the managed server from writing to any file owned by weblogic (or creating a file in $WL_HOME). The application could only write files in directories owned by 'myUser'.... however it could read any file owned by weblogic -EVEN in another domain (Security RISK)....

4) There has got to be a way to set the UNIX permission such that an application running in a managed server cannot view files in  another domain (on the same machine)....
     

Thanks for any and all help!
Keith Kwiatek
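As an added illustration (not code from the thread, and not BEA's), here is the scheme from steps 1 to 3 carried one step further: one UNIX account and group per domain, with every domain account in the shared 'weblogic' group so it can read $WL_HOME, but in no other domain's group. The paths, the domain names domainA/domainB and the account names wls_domA/wls_domB are assumed for the example. setup_commands only prints the root commands; can_read is a model of the kernel's read check (owner class, then group class, then other) so the layout can be reasoned about without root, and check_layout applies it to the three trees.

```shell
#!/bin/sh
# Per-domain UNIX accounts for WebLogic managed servers (added example, not from
# the thread). Assumed layout:
#   /usr/local/weblogic/weblogic81        750 weblogic:weblogic  (WL_HOME, read-only to group)
#   /usr/local/weblogic/domains/domainA   750 wls_domA:wls_domA  (assumed names)
#   /usr/local/weblogic/domains/domainB   750 wls_domB:wls_domB
# Each domain account has its own primary group and is also in 'weblogic' so it
# can read WL_HOME; it is in no other domain's group, so it cannot read a sibling.

# setup_commands: print (do not run) the root commands that build the layout.
setup_commands() {
    cat <<'EOF'
groupadd weblogic
useradd -g weblogic weblogic
chown -R weblogic:weblogic /usr/local/weblogic/weblogic81
chmod -R u=rwX,g=rX,o= /usr/local/weblogic/weblogic81
for d in domainA domainB; do
    groupadd wls_$d
    useradd -g wls_$d -G weblogic wls_$d
    mkdir -p /usr/local/weblogic/domains/$d
    chown -R wls_$d:wls_$d /usr/local/weblogic/domains/$d
    chmod -R u=rwX,g=rX,o= /usr/local/weblogic/domains/$d
done
EOF
}

# can_read OWNER GROUP MODE USER GROUPS
# Emulates the UNIX read check: the owner class applies when USER is the owner
# (even if group/other would be more permissive), else the group class when
# GROUP is one of the comma-separated GROUPS, else the other class.
# MODE is a three-digit octal mode such as 750. Returns 0 (readable) or 1.
can_read() {
    owner=$1; group=$2; mode=$3; user=$4; groups=$5
    case "$mode" in
        [0-7][0-7][0-7]) ;;
        *) echo "bad mode: $mode" >&2; return 2 ;;
    esac
    if [ "$user" = "$owner" ]; then
        bits=$(printf '%s' "$mode" | cut -c1)
    else
        ingroup=1
        for g in $(printf '%s' "$groups" | tr ',' ' '); do
            [ "$g" = "$group" ] && ingroup=0
        done
        if [ $ingroup -eq 0 ]; then
            bits=$(printf '%s' "$mode" | cut -c2)
        else
            bits=$(printf '%s' "$mode" | cut -c3)
        fi
    fi
    [ $(( bits & 4 )) -ne 0 ]
}

# check_layout USER GROUPS: which of the three trees can USER read?
# Prints e.g. "WL_HOME=yes domainA=yes domainB=no".
check_layout() {
    user=$1; groups=$2
    r=""
    for entry in "WL_HOME weblogic weblogic 750" \
                 "domainA wls_domA wls_domA 750" \
                 "domainB wls_domB wls_domB 750"; do
        set -- $entry
        if can_read "$2" "$3" "$4" "$user" "$groups"; then v=yes; else v=no; fi
        r="$r$1=$v "
    done
    printf '%s' "${r% }"
}

# Demo over a constructed set of process identities (no root needed).
for who in "weblogic weblogic" "wls_domA wls_domA,weblogic" "wls_domB wls_domB,weblogic"; do
    set -- $who
    printf '%-9s (groups %-18s): %s\n' "$1" "$2" "$(check_layout "$1" "$2")"
done
```

Two caveats a practitioner would want. First, this layout deliberately gives the shared 'weblogic' account no access into any domain tree, so whatever starts a managed server (a startup script, cron, or an admin process) has to run as that domain's user; it does not by itself cover an admin server that runs as 'weblogic' and expects to write into every domain, which is why joefm1218's separate admin host plus NodeManager is a complementary arrangement rather than an alternative. Second, this is discretionary permission only: everything under $WL_HOME stays readable by every domain account, so nothing domain-private (keystores, credential files) belongs there. On the real box, confirm with `id` for the running account and `ls -ld` on each tree rather than trusting the model.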
2 Solutions
 
joefm1218Commented:
For security reasons (as well as manageability of my domain), I separate the Administrative server from all managed servers. The admin server is responsible for deployment to any managed server in the domain.

Since the Admin server is on a separate box, I require NodeManager to negotiate server startup/shutdown/resource management/app deployment management. NodeManager communicates via 2-way SSL with the Admin server. This ensures that Privacy/Authentication/Authorization is trusted among the Admin server and all managed servers.

By using this scenario, I control the file permissions on the Admin server separately from the file permissions on the managed servers. It's the Admin server's responsibility to push deployments to all managed servers via NodeManager.

Hope this helps.
 
BeckyCommented:
You could configure your weblogic domain machines as "UNIX Machines" - http://e-docs.bea.com/wls/docs81/ConsoleHelp/machines.html

"If the computer runs a UNIX operating system, you can create a UNIX machine configuration, which enables you to assign the process under which a WebLogic Server instance runs to a user ID (UID) or group ID (GID). The WebLogic Server process is assigned (bound) to the UID or GID after the computer has carried out all privileged startup actions."

"If you are creating a UNIX machine and you want to bind the processes under which WebLogic Server instances run to a user ID or group ID, do any of the following:
- To bind the server processes to a user ID, select Enable Post-Bind UID and enter the user ID in the Post-Bind UID box.
- To bind the server processes to a group ID, select Enable Post-Bind GID and enter the group ID in the Post-Bind GID box."

So you can start weblogic as the "weblogic" user, so all necessary privileges are used upon startup, but then afterwards it runs as the user ID you specify for the machine in console.
 
joefm1218Commented:
greensunie raises a good point about machine binding for UNIX machines. Be careful, however, this binding does not work on a Linux platform in version 7.0.

You didn't mention the platform and WLS version. I haven't tried it with version 8.1.