Ubuntu Server セットアップ備忘録 (15) - Tomcat のセキュリティポリシー修正 その3
ユーザさんからエラーレポートが届いたのでログを確認すると、以下のスタックトレースが出ていました。
うーん。apache.commons.fileupload のテンポラリファイルへのアクセスが弾かれています。またセキュリティポリシー(1)(2)か。(-_-;)
SEVERE: circle-info: access denied (java.io.FilePermission /var/lib/tomcat5.5/temp/upload_1355c577_11f10f5e97d__7ffa_00000008.tmp write)
java.security.AccessControlException: access denied (java.io.FilePermission /var/lib/tomcat5.5/temp/upload_1355c577_11f10f5e97d__7ffa_00000008.tmp write)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
at java.security.AccessController.checkPermission(AccessController.java:546)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at java.lang.SecurityManager.checkWrite(SecurityManager.java:962)
at java.io.FileOutputStream.<init>(FileOutputStream.java:169)
at java.io.FileOutputStream.<init>(FileOutputStream.java:131)
at org.apache.commons.io.output.DeferredFileOutputStream.thresholdReached(DeferredFileOutputStream.java:165)
at org.apache.commons.io.output.ThresholdingOutputStream.checkThreshold(ThresholdingOutputStream.java:221)
at org.apache.commons.io.output.ThresholdingOutputStream.write(ThresholdingOutputStream.java:127)
at org.apache.commons.fileupload.util.Streams.copy(Streams.java:101)
at org.apache.commons.fileupload.util.Streams.copy(Streams.java:64)
at org.apache.commons.fileupload.FileUploadBase.parseRequest(FileUploadBase.java:362)
at org.apache.commons.fileupload.servlet.ServletFileUpload.parseRequest(ServletFileUpload.java:126)
at com.rnkrz.servlet.CircleInfoServlet.doPost(CircleInfoServlet.java:69)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:709)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:244)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:276)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:162)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:262)
at org.apache.catalina.core.ApplicationFilterChain.access$0(ApplicationFilterChain.java:192)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:171)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:167)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:200)
at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:283)
at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:773)
at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:703)
at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:895)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
at java.lang.Thread.run(Thread.java:619)
っていうか、ちょっと前まで問題なく動いてた筈なんだけどな。もしかして Ubuntu のアップデート適用でセキュリティ設定が厳しくなったのか?(検証できないけど。)
ともあれ、 /etc/tomcat5.5/policy.d/50user.policy を以下のように修正して解決しました。
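// /etc/tomcat5.5/policy.d/50user.policy
// Each grant is scoped by codeBase, so only classes loaded from that path
// receive the permissions listed in its block.
grant codeBase "file:${catalina.base}/webapps/spochan/-" {
    // Outbound connections on port 3306 (presumably the database hosts -- verify).
    permission java.net.SocketPermission "192.xxx.xx.11:3306", "connect";
    permission java.net.SocketPermission "192.xxx.xx.12:3306", "connect";
    permission java.net.SocketPermission "localhost:3306", "connect";
    // commons-fileupload reads java.io.tmpdir to locate its temp-file repository.
    permission java.util.PropertyPermission "java.io.tmpdir", "read";
    // NOTE(review): no port is given, so "connect" is allowed to any port on
    // smtp.gmail.com; naming the submission port the mailer actually uses
    // (e.g. "smtp.gmail.com:587") would be narrower -- confirm against the app.
    permission java.net.SocketPermission "smtp.gmail.com", "connect,resolve";
    // Added in this post: DeferredFileOutputStream (commons-io) spills uploads
    // that exceed the in-memory threshold into ${catalina.base}/temp, which is
    // the write the AccessControlException above was rejecting.
    // NOTE(review): "/-" covers the whole shared Tomcat temp tree, including
    // temporary files of other webapps. Pointing DiskFileItemFactory's
    // repository at a webapp-specific directory and granting only that path
    // would be narrower -- confirm against CircleInfoServlet.
    permission java.io.FilePermission "${catalina.base}/temp/-", "read,write";
};

grant codeBase "file:${catalina.base}/webapps/chanbara/-" {
    // NOTE(review): this lets the chanbara webapp write anywhere under its own
    // deployment directory (including WEB-INF). If only a data subdirectory
    // needs writing, narrowing the path reduces what a compromised upload
    // could overwrite -- verify what the app actually writes.
    permission java.io.FilePermission "${catalina.base}/webapps/chanbara/-", "write";
};

// These permissions apply to JULI
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
    // Read-only access to each webapp's logging.properties.
    permission java.io.FilePermission "/usr/share/tomcat5.5-webapps/servlets-examples/WEB-INF/classes/logging.properties", "read";
    permission java.io.FilePermission "/usr/share/tomcat5.5-webapps/jsp-examples/WEB-INF/classes/logging.properties", "read";
    permission java.io.FilePermission "${catalina.base}/webapps/chanbara/WEB-INF/classes/logging.properties", "read";
    permission java.io.FilePermission "${catalina.base}/webapps/spochan/WEB-INF/classes/logging.properties", "read";
};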