Solved

Need EXPERT help on setting UNIX permissions for managed server....

Posted on 2004-08-06
5
319 Views
Last Modified: 2013-12-10
Hello,

PLEASE do not post an answer for the below question unless you are an expert with weblogic!

QUESTION:
----------------
If you install weblogic so that $WL_HOME, and all domain Administrative and Managed servers are owned by UNIX user 'weblogic', then if an application is running within a managed server, the application can read/write to any file owned by UNIX user 'weblogic'.... This is a BIG security risk.....
 
On a UNIX machine, how can you have the managed server run as another UNIX user other than 'weblogic', such that the web application in the managed server does not have access to the UNIX user's weblogic files?
 

So far the best solution I could come up with (which still doesn't solve the problem) is below:
----------------------------------------------------------------------------------------------------------------------
1) If ALL files/directories in $WL_HOME are owned by UNIX user 'weblogic', and have UNIX group 'weblogic' (read-execute ONLY for the group):
750  weblogic weblogic     /usr/local/weblogic/weblogic81

2) Within the specific domain directory you have the managed server startup as UNIX user 'myUser', and it BELONGS to the UNIX group 'weblogic'.....

3) The above would restrict any application running in the managed server from writing to any file owned by weblogic (or creating a file in $WL_HOME). The application could only write files in directories owned by 'myUser'.... however it could read any file owned by weblogic, even in another domain (Security RISK)....

4) There has got to be a way to set the UNIX permission such that an application running in a managed server cannot view files in another domain (on the same machine)....
     

Thanks for any and all help!
Keith Kwiatek
Question by:keithedward
5 Comments
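As an added example (not from the question or any of the answers), here is a small Python model of the permission scheme in steps 1-4, with one extra assumption: a separate UNIX group per domain directory, so that the user a managed server runs as is in its own domain's group but not in the other domain's. The users userA/userB, the groups domainA/domainB and the paths are all constructed for illustration.

```python
# Added example, not from the original post: a model of the permission
# scheme described in steps 1-4, with a per-domain group added so that a
# managed server's user cannot read another domain's directory.
# Every user, group and path below is constructed for illustration.
WL_HOME = "/usr/local/weblogic/weblogic81"
DOMAIN_A = "/usr/local/weblogic/domains/domainA"
DOMAIN_B = "/usr/local/weblogic/domains/domainB"

# path -> (mode, owner, group).  Steps 1-3 layout: everything in group 'weblogic'.
SHARED_GROUP_LAYOUT = {
    WL_HOME:  (0o750, "weblogic", "weblogic"),
    DOMAIN_A: (0o750, "weblogic", "weblogic"),
    DOMAIN_B: (0o750, "weblogic", "weblogic"),
}
# Same layout, but each domain directory carries its own group.
PER_DOMAIN_LAYOUT = {
    WL_HOME:  (0o750, "weblogic", "weblogic"),
    DOMAIN_A: (0o750, "weblogic", "domainA"),
    DOMAIN_B: (0o750, "weblogic", "domainB"),
}
# user -> groups the user belongs to (constructed; userA/userB are the
# accounts the managed servers of domainA/domainB would run as).
GROUPS = {
    "weblogic": {"weblogic", "domainA", "domainB"},
    "userA":    {"weblogic", "domainA"},
    "userB":    {"weblogic", "domainB"},
}
OWN_DOMAIN = {"userA": DOMAIN_A, "userB": DOMAIN_B}

def allowed(layout, path, user, want):
    """Classic UNIX mode check: owner bits if user owns the path, otherwise
    group bits if user is in the path's group, otherwise the 'other' bits.
    want is one of 'r', 'w', 'x'."""
    mode, owner, group = layout[path]
    bit = {"r": 4, "w": 2, "x": 1}[want]
    if user == owner:
        shift = 6
    elif group in GROUPS.get(user, set()):
        shift = 3
    else:
        shift = 0
    return bool((mode >> shift) & bit)

def cross_domain_reads(layout):
    """(user, path) pairs where a managed-server user can read a domain
    directory other than its own; this is the leak step 4 wants to close."""
    return [(u, p) for u, own in OWN_DOMAIN.items()
            for p in OWN_DOMAIN.values() if p != own and allowed(layout, p, u, "r")]
```

With the shared 'weblogic' group the check reports both cross-domain reads; with a group per domain it reports none, while userA keeps read access to $WL_HOME and still cannot write there. Directories the managed server must write (its own logs and temp files) would be owned by userA, as step 3 already notes.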
 
LVL 3

Accepted Solution

by: joefm1218 earned 125 total points
For security reasons (as well as manageability of my domain), I separate the Administrative server from all managed servers. The admin server is responsible for deployment to any managed server in the domain.

Since the Admin server is on a separate box, I require NodeManager to negotiate server startup/shutdown/resource management/app deployment management. NodeManager communicates via 2-way SSL with the Admin server. This ensures that Privacy/Authentication/Authorization is trusted among the Admin server and all managed servers.

By using this scenario, I control the file permissions on the Admin server separately from the file permissions on the managed servers. It's the Admin server's responsibility to push deployments to all managed servers via NodeManager.

Hope this helps.
 
LVL 5

Assisted Solution

by: Becky earned 125 total points
You could configure your weblogic domain machines as "UNIX Machines" - http://e-docs.bea.com/wls/docs81/ConsoleHelp/machines.html

"If the computer runs a UNIX operating system, you can create a UNIX machine configuration, which enables you to assign the process under which a WebLogic Server instance runs to a user ID (UID) or group ID (GID). The WebLogic Server process is assigned (bound) to the UID or GID after the computer has carried out all privileged startup actions."

"If you are creating a UNIX machine and you want to bind the processes under which WebLogic Server instances run to a user ID or group ID, do any of the following:
- To bind the server processes to a user ID, select Enable Post-Bind UID and enter the user ID in the Post-Bind UID box.
- To bind the server processes to a group ID, select Enable Post-Bind GID and enter the group ID in the Post-Bind GID box."

So you can start weblogic as the "weblogic" user, so all necessary privileges are used upon startup, but then afterwards it runs as the user ID you specify for the machine in console.
 
LVL 3

Expert Comment

by: joefm1218
greensunie raises a good point about machine binding for UNIX machines. Be careful, however, this binding does not work on a Linux platform in version 7.0.

You didn't mention the platform and WLS version. I haven't tried it with version 8.1.