keithedward
asked on
Need EXPERT help on setting UNIX permissions for managed server....
Hello,
PLEASE do not post an answer for the below question unless you are an expert with weblogic!
QUESTION:
----------------
If you install weblogic so that $WL_HOME, and all domain Administrative and Managed servers are owned by UNIX user 'weblogic', -THEN if an application is running within a managed server, the application can read/write to any file owned by UNIX user 'weblogic'.... This is a BIG security risk.....
On a UNIX machine, how can you have the managed server run as another UNIX user other than 'weblogic', such that the web application in the managed server does not have access to the UNIX user's weblogic files?
So far the best solution I could come up with (which still doesn't solve the problem) is below:
-------------------------- ---------- ---------- ---------- ---------- ---------- ---------- ---------- ---------- ---------- --
1) If ALL files/directories in $WL_HOME are owned by UNIX user 'weblogic', and have UNIX group 'weblogic' (read-execute ONLY for the group):
750 weblogic weblogic /usr/local/weblogic/weblog ic81
2) Within the specific domain directory you have the managed server startup as UNIX user 'myUser', and it BELONGS to the UNIX group 'weblogic'.....
3) The above would restrict any application running in the managed server from writing to any file owned by weblogic (or creating a file in $WL_HOME). The application could only write files in directories owned by 'myUser'.... however it could read any file owned by weblogic -EVEN in another domain (Security RISK)....
4) There has got to be a way to set the UNIX permission such that an application running in a managed server cannot view files in another domain (on the same machine)....
Thanks for any and all help!
Keith Kwiatek
PLEASE do not post an answer for the below question unless you are an expert with weblogic!
QUESTION:
----------------
If you install weblogic so that $WL_HOME, and all domain Administrative and Managed servers are owned by UNIX user 'weblogic', -THEN if an application is running within a managed server, the application can read/write to any file owned by UNIX user 'weblogic'.... This is a BIG security risk.....
On a UNIX machine, how can you have the managed server run as another UNIX user other than 'weblogic', such that the web application in the managed server does not have access to the UNIX user's weblogic files?
So far the best solution I could come up with (which still doesn't solve the problem) is below:
--------------------------
1) If ALL files/directories in $WL_HOME are owned by UNIX user 'weblogic', and have UNIX group 'weblogic' (read-execute ONLY for the group):
750 weblogic weblogic /usr/local/weblogic/weblog
2) Within the specific domain directory you have the managed server startup as UNIX user 'myUser', and it BELONGS to the UNIX group 'weblogic'.....
3) The above would restrict any application running in the managed server from writing to any file owned by weblogic (or creating a file in $WL_HOME). The application could only write files in directories owned by 'myUser'.... however it could read any file owned by weblogic -EVEN in another domain (Security RISK)....
4) There has got to be a way to set the UNIX permission such that an application running in a managed server cannot view files in another domain (on the same machine)....
Thanks for any and all help!
Keith Kwiatek
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
You didn't mention the platform and WLS version. I haven't tried it with version 8.1.