Bug 44225 - SSL connector tries to load the private keystore file after privileges have already been dropped by JSVC
Alias: None
Product: Tomcat 6
Classification: Unclassified
Component: Connectors
Version: 6.0.14
Hardware: Other other
Importance: P2 enhancement
Target Milestone: default
Assignee: Tomcat Developers Mailing List
Depends on:
Reported: 2008-01-14 04:53 UTC by Ivan Todoroski
Modified: 2017-05-11 17:03 UTC
Description Ivan Todoroski 2008-01-14 04:53:06 UTC
The keystore file containing the private server key should be kept in a secure 
location readable only by root. But if you run Tomcat under a less privileged 
user, this prevents you from using this key for the Tomcat SSL Connector.

You are left with two choices: either make the keystore readable to the Tomcat 
user, or run Tomcat permanently as root, neither of which is appealing from a 
security point of view.

Now, Tomcat supports Commons Daemon (JSVC), which allows it to be started on 
privileged ports (such as 80 or 443) while not having to run as root all the 
time. It does it by splitting initialization into "load" and "start" phases, 
where the "load" phase runs as root in order to acquire the privileged 
resources, while the "start" phase runs after dropping privileges.

Unfortunately, the privileged "load" phase currently only binds the privileged 
ports. I propose to also move the loading of keystore files to this privileged 
"load" phase, so that private keystore files can be kept in a secure location, 
while Tomcat runs as a non-privileged user.
Comment 1 Mark Thomas 2008-01-14 12:51:13 UTC
This sounds like an enhancement some users would want. Of course, it only works
if the key is read once and kept in memory - which I assume it is but haven't

As always, patches are welcome. I don't know this part of the code well enough
to know how big the patch is likely to be.
Comment 2 Mark Thomas 2017-05-11 10:20:16 UTC
It doesn't appear as if anyone is interested in writing a patch for this.

Also, limiting the key file to root doesn't offer any additional security. The Tomcat process will have the key in memory and hence the OS user tomcat is running as will always be able to access it.

Therefore, closing this as WONTFIX.
Comment 3 Christopher Schultz 2017-05-11 17:03:18 UTC
(In reply to Mark Thomas from comment #2)
> Therefore, closing this as WONTFIX.
It also prevents the keystore file from being re-read if the <Connector> is re-initialized or if the keystore is intentionally changed for some reason (e.g. new certificate issued).
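The following is an added illustration of the load/start split proposed in the description and of the two caveats raised in the comments; it is not code from Tomcat or Commons Daemon. It is a small Python model in which `load_phase` runs while still privileged (reads the keystore into memory and binds the listening socket), `start_phase` drops privileges with `setgroups`/`setgid`/`setuid` and then serves from what was kept in memory, and `try_reload_keystore` shows why a later re-read of a root-only file fails once privileges are gone. The keystore contents, the function names, the `demo` driver and the target uid/gid 65534 are all assumptions made for the example; the demo binds port 0 on loopback rather than 443 so it can run without root, and if it is not root the drop is reported as skipped while the read failure is reproduced by removing the file's read bits.

```python
import os
import socket
import tempfile


class ServerState:
    """In-memory state that survives the privilege drop."""

    def __init__(self):
        self.keystore_bytes = None   # private key material, held in process memory
        self.listen_socket = None    # the already-bound listening socket


def load_phase(state, keystore_path, bind_addr=("127.0.0.1", 0)):
    """Privileged phase: acquire everything that needs root and nothing else.

    Reads the root-only keystore into memory and binds the listening port so
    that neither needs to happen again once privileges are gone.
    """
    with open(keystore_path, "rb") as f:
        state.keystore_bytes = f.read()
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(bind_addr)   # a real deployment would bind 443 here
    sock.listen(5)
    state.listen_socket = sock
    return state


def drop_privileges(uid, gid):
    """Drop root irreversibly: supplementary groups first, then gid, then uid.

    Returns True if a drop happened, False if the process was not root
    (in which case there is nothing to drop).
    """
    if os.geteuid() != 0:
        return False
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)
    return True


def start_phase(state, uid, gid):
    """Unprivileged phase: drop root, then serve using what load_phase kept."""
    dropped = drop_privileges(uid, gid)
    return {
        "dropped": dropped,
        "key_in_memory": state.keystore_bytes is not None,
        "port": state.listen_socket.getsockname()[1],
    }


def try_reload_keystore(state, keystore_path):
    """Re-read the keystore after the drop; fails when the file is root-only."""
    try:
        with open(keystore_path, "rb") as f:
            state.keystore_bytes = f.read()
        return True
    except PermissionError:
        return False


def demo(uid=65534, gid=65534):
    """Run both phases against a constructed keystore file and report what happened."""
    fd, path = tempfile.mkstemp(suffix=".jks")
    os.write(fd, b"CONSTRUCTED-KEYSTORE-BYTES")  # constructed stand-in for key material
    os.close(fd)
    os.chmod(path, 0o400)

    state = ServerState()
    load_phase(state, path)

    # Make the file unreadable to the service user. When run as root this is
    # redundant (the setuid below does it for real); when run unprivileged it
    # is the only way to reproduce the post-drop read failure.
    os.chmod(path, 0o000)

    result = start_phase(state, uid, gid)
    result["reload_ok"] = try_reload_keystore(state, path)
    result["key_bytes"] = state.keystore_bytes   # still present: the drop did not erase it

    state.listen_socket.close()
    try:
        os.chmod(path, 0o600)
        os.unlink(path)
    except PermissionError:
        pass  # after a real drop the process can no longer touch the file
    return result


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows both points made in the thread at once: the key bytes read in the privileged phase remain available to the unprivileged process (so restricting the file to root protects it on disk, not from the service user's process memory), and any attempt to re-read the file after the drop, for a connector re-initialization or a renewed certificate, fails with a permission error.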