Ubuntu Server セットアップ備忘録 (15) - Tomcat のセキュリティポリシー修正 その3

ユーザさんからエラーレポートが届いたのでログを確認すると、以下のスタックトレースが出ていました。


SEVERE: circle-info: access denied (java.io.FilePermission /var/lib/tomcat5.5/temp/upload_1355c577_11f10f5e97d__7ffa_00000008.tmp write)
java.security.AccessControlException: access denied (java.io.FilePermission /var/lib/tomcat5.5/temp/upload_1355c577_11f10f5e97d__7ffa_00000008.tmp write)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
    at java.security.AccessController.checkPermission(AccessController.java:546)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
    at java.lang.SecurityManager.checkWrite(SecurityManager.java:962)
    at java.io.FileOutputStream.<init>(FileOutputStream.java:169)
    at java.io.FileOutputStream.<init>(FileOutputStream.java:131)
    at org.apache.commons.io.output.DeferredFileOutputStream.thresholdReached(DeferredFileOutputStream.java:165)
    at org.apache.commons.io.output.ThresholdingOutputStream.checkThreshold(ThresholdingOutputStream.java:221)
    at org.apache.commons.io.output.ThresholdingOutputStream.write(ThresholdingOutputStream.java:127)
    at org.apache.commons.fileupload.util.Streams.copy(Streams.java:101)
    at org.apache.commons.fileupload.util.Streams.copy(Streams.java:64)
    at org.apache.commons.fileupload.FileUploadBase.parseRequest(FileUploadBase.java:362)
    at org.apache.commons.fileupload.servlet.ServletFileUpload.parseRequest(ServletFileUpload.java:126)
    at com.rnkrz.servlet.CircleInfoServlet.doPost(CircleInfoServlet.java:69)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:709)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:244)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:276)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:162)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:262)
    at org.apache.catalina.core.ApplicationFilterChain.access$0(ApplicationFilterChain.java:192)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:171)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:167)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
    at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:200)
    at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:283)
    at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:773)
    at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:703)
    at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:895)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
    at java.lang.Thread.run(Thread.java:619)
うーん。apache.commons.fileupload が Tomcat の temp ディレクトリに作るテンポラリファイルへの書き込み (FilePermission の write) が弾かれています。またセキュリティポリシー(1)(2)か。(-_-;)
っていうか、ちょっと前まで問題なく動いてた筈なんだけどな。もしかして Ubuntu のアップデート適用でセキュリティ設定が厳しくなったのか?(検証できないけど。)

ともあれ、 /etc/tomcat5.5/policy.d/50user.policy を以下のように修正して解決しました。


grant codeBase "file:${catalina.base}/webapps/spochan/-" {
    permission java.net.SocketPermission "192.xxx.xx.11:3306", "connect";
    permission java.net.SocketPermission "192.xxx.xx.12:3306", "connect";
    permission java.net.SocketPermission "localhost:3306", "connect";
    permission java.util.PropertyPermission "java.io.tmpdir", "read";
    permission java.net.SocketPermission "smtp.gmail.com", "connect,resolve";
    permission java.io.FilePermission "${catalina.base}/temp/-", "read,write"; ←追記部分
};
grant codeBase "file:${catalina.base}/webapps/chanbara/-" {
    permission java.io.FilePermission "${catalina.base}/webapps/chanbara/-", "write";
};
// These permissions apply to JULI
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
    permission java.io.FilePermission "/usr/share/tomcat5.5-webapps/servlets-examples/WEB-INF/classes/logging.properties", "read";
    permission java.io.FilePermission "/usr/share/tomcat5.5-webapps/jsp-examples/WEB-INF/classes/logging.properties", "read";
    permission java.io.FilePermission "${catalina.base}/webapps/chanbara/WEB-INF/classes/logging.properties", "read";
    permission java.io.FilePermission "${catalina.base}/webapps/spochan/WEB-INF/classes/logging.properties", "read";
};