keithedward

asked:
Need EXPERT help on setting UNIX permissions for managed server....

Hello,

PLEASE do not post an answer for the below question unless you are an expert with weblogic!

QUESTION:
----------------
If you install weblogic so that $WL_HOME, and all domain Administrative and Managed servers are owned by UNIX user 'weblogic', THEN if an application is running within a managed server, the application can read/write to any file owned by UNIX user 'weblogic'.... This is a BIG security risk.....

On a UNIX machine, how can you have the managed server run as another UNIX user other than 'weblogic', such that the web application in the managed server does not have access to the UNIX user weblogic's files?

So far the best solution I could come up with (which still doesn't solve the problem) is below:
----------------------------------------------------------------------------------------------------------------------
1) If ALL files/directories in $WL_HOME are owned by UNIX user 'weblogic', and have UNIX group 'weblogic' (read-execute ONLY for the group):
750  weblogic weblogic     /usr/local/weblogic/weblogic81

2) Within the specific domain directory you have the managed server startup as UNIX user 'myUser', and it BELONGS to the UNIX group 'weblogic'.....

3) The above would restrict any application running in the managed server from writing to any file owned by weblogic (or creating a file in $WL_HOME). The application could only write files in directories owned by 'myUser'.... however it could read any file owned by weblogic, EVEN in another domain (Security RISK)....

4) There has got to be a way to set the UNIX permission such that an application running in a managed server cannot view files in another domain (on the same machine)....

Thanks for any and all help!
Keith Kwiatek
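As an added illustration (not part of the original question or of any answer), a small Python model of the kernel's owner/group/other check applied to the layout in steps 1 to 3 above, beside a variant that gives each domain its own UNIX group; the paths, user names and group names are constructed, and the per-domain-group layout is an assumption, not something the page prescribes.

```python
# Model of the UNIX discretionary-access check behind the asker's layout and
# a per-domain-group variant. `fs` maps a path to (owner, group, mode).

WL_HOME = "/usr/local/weblogic/weblogic81"                 # constructed
DOMAINS = "/usr/local/weblogic/domains"                    # constructed

def _bits(owner, group, mode, user, groups):
    """Select the owner, group or other permission triple that applies to `user`."""
    if user == owner:
        return (mode >> 6) & 7
    if group in groups:
        return (mode >> 3) & 7
    return mode & 7

def can_read(fs, path, user, groups):
    """True if `user` can read `path`: r on the file plus x (search) on every
    ancestor directory, as the kernel evaluates it. Ancestors not in `fs`
    (e.g. /usr) are treated as world-searchable."""
    parts = path.strip("/").split("/")
    for depth in range(1, len(parts)):
        parent = "/" + "/".join(parts[:depth])
        if parent in fs and not _bits(*fs[parent], user, groups) & 1:
            return False
    return bool(_bits(*fs[path], user, groups) & 4)

def layout(per_domain_groups):
    """Constructed tree: one shared group 'weblogic' (the asker's steps 1-3)
    or one group per domain (hypothetical hardened variant)."""
    grp = lambda d: f"{d}_grp" if per_domain_groups else "weblogic"
    fs = {WL_HOME: ("weblogic", "weblogic", 0o750),
          WL_HOME + "/server/lib/weblogic.jar": ("weblogic", "weblogic", 0o640),
          DOMAINS: ("weblogic", "weblogic", 0o711)}       # traversable, not listable
    for d in ("domA", "domB"):
        fs[f"{DOMAINS}/{d}"] = ("weblogic", grp(d), 0o750)
        fs[f"{DOMAINS}/{d}/config.xml"] = ("weblogic", grp(d), 0o640)
    return fs

def app_groups(domain, per_domain_groups):
    """Groups of the user running `domain`'s managed server: 'weblogic' so it
    can load $WL_HOME, plus its own domain group in the hardened variant."""
    return {"weblogic", f"{domain}_grp"} if per_domain_groups else {"weblogic"}

def cross_domain_read(per_domain_groups):
    """Can domA's managed-server user (appA) read domB's config.xml?"""
    fs = layout(per_domain_groups)
    return can_read(fs, f"{DOMAINS}/domB/config.xml", "appA",
                    app_groups("domA", per_domain_groups))

def wl_home_read(per_domain_groups):
    """appA must still be able to read the server binaries under $WL_HOME."""
    fs = layout(per_domain_groups)
    return can_read(fs, WL_HOME + "/server/lib/weblogic.jar", "appA",
                    app_groups("domA", per_domain_groups))
```

With the shared group, cross_domain_read(False) is True (the leak described in step 3); with a group per domain it is False while $WL_HOME stays readable.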
ASKER CERTIFIED SOLUTION
joefm1218

joefm1218

greensunie raises a good point about machine binding for UNIX machines. Be careful, however: this binding does not work on the Linux platform in version 7.0.

You didn't mention the platform and WLS version. I haven't tried it with version 8.1.