メモ。
apacheや tomcatユーザを/sbin/nologin で正しく作成すれば、 RCE脆弱性のようなセキュリティ課題は顕在化しないのではないか。ただし /sbin/nologin が拒否するのは login / sshd 経由の対話ログインだけで、RCE は既に動作している httpd / java プロセスの権限でそのまま実行されるため、ログインシェルの設定ではRCE自体は防げない。効くのは、そのユーザ・グループで到達できるファイル（下記 find の結果、特に tomcat グループに書き込み権のあるディレクトリ）を最小限に保つことと、漏れた資格情報での対話ログインを防ぐことである。
環境
$ cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)
apache の場合
$ sudo yum install httpd
$ cat /etc/passwd | grep apache
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
$ sudo su -
# systemctl enable httpd
# systemctl start httpd
# ps -ef | grep httpd
root 1520 1 0 17:26 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
apache 1521 1520 0 17:26 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
apache 1522 1520 0 17:26 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
apache 1523 1520 0 17:26 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
apache 1524 1520 0 17:26 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
apache 1525 1520 0 17:26 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
# find / -user apache -ls
18640 0 drwx------ 2 apache apache 40 Nov 17 2020 /run/httpd/htcacheclean
34070832 0 drwx------ 2 apache apache 6 Nov 17 2020 /var/lib/dav
101319719 0 drwx------ 3 apache apache 19 Oct 12 17:24 /var/cache/httpd
1036643 0 drwx------ 2 apache apache 6 Nov 17 2020 /var/cache/httpd/proxy
# find / -group apache -ls
18639 0 drwx--x--- 3 root apache 100 Oct 12 17:26 /run/httpd
18640 0 drwx------ 2 apache apache 40 Nov 17 2020 /run/httpd/htcacheclean
34070832 0 drwx------ 2 apache apache 6 Nov 17 2020 /var/lib/dav
101319719 0 drwx------ 3 apache apache 19 Oct 12 17:24 /var/cache/httpd
1036643 0 drwx------ 2 apache apache 6 Nov 17 2020 /var/cache/httpd/proxy
1055826 16 -r-x--x--- 1 root apache 15368 Nov 17 2020 /usr/sbin/suexec
tomcat の場合
$ sudo yum install tomcat
:
---> Package tomcat.noarch 0:7.0.76-16.el7_9 will be installed
$ cat /etc/passwd | grep tomcat
tomcat:x:53:53:Apache Tomcat:/usr/share/tomcat:/sbin/nologin
$ sudo su -
# systemctl enable tomcat
# systemctl start tomcat
# ps -ef | grep tomcat
tomcat 3058 1 2 17:54 ? 00:00:01 /usr/lib/jvm/jre/bin/java ~
# find / -user tomcat -ls
101325120 0 drwxrwx--- 2 tomcat root 197 Oct 12 17:54 /var/log/tomcat
101325121 4 -rw-rw---- 1 tomcat tomcat 28 Nov 17 2020 /var/log/tomcat/catalina.out
101325247 4 -rw-r--r-- 1 tomcat tomcat 3694 Oct 12 17:54 /var/log/tomcat/catalina.2021-10-12.log
101319738 0 -rw-r--r-- 1 tomcat tomcat 0 Oct 12 17:54 /var/log/tomcat/localhost.2021-10-12.log
101602624 0 -rw-r--r-- 1 tomcat tomcat 0 Oct 12 17:54 /var/log/tomcat/manager.2021-10-12.log
101602625 0 -rw-r--r-- 1 tomcat tomcat 0 Oct 12 17:54 /var/log/tomcat/host-manager.2021-10-12.log
101602626 0 -rw-r--r-- 1 tomcat tomcat 0 Oct 12 17:54 /var/log/tomcat/localhost_access_log.2021-10-12.txt
1063007 0 drwxr-xr-x 2 tomcat tomcat 18 Oct 12 17:54 /tmp/hsperfdata_tomcat
1132192 32 -rw------- 1 tomcat tomcat 32768 Oct 12 17:56 /tmp/hsperfdata_tomcat/3058
# find / -group tomcat -ls
101317807 0 drwxr-xr-x 4 root tomcat 231 Oct 12 17:38 /etc/tomcat
1062855 0 drwxrwxr-x 3 root tomcat 23 Oct 12 17:38 /etc/tomcat/Catalina
34364408 0 drwxrwxr-x 2 root tomcat 6 Nov 17 2020 /etc/tomcat/Catalina/localhost
101317808 16 -rw-r--r-- 1 root tomcat 13443 Nov 17 2020 /etc/tomcat/catalina.policy
101317809 8 -rw-r--r-- 1 root tomcat 6696 Nov 17 2020 /etc/tomcat/catalina.properties
67246881 0 drwxr-xr-x 2 root tomcat 20 Oct 12 17:38 /etc/tomcat/conf.d
67246882 4 -rw-r--r-- 1 root tomcat 67 Nov 17 2020 /etc/tomcat/conf.d/README
101317810 4 -rw-r--r-- 1 root tomcat 1394 Nov 17 2020 /etc/tomcat/context.xml
101317811 4 -rw-r--r-- 1 root tomcat 547 Nov 17 2020 /etc/tomcat/log4j.properties
101317812 4 -rw-r--r-- 1 root tomcat 3288 Nov 17 2020 /etc/tomcat/logging.properties
101317813 8 -rw-r--r-- 1 root tomcat 6613 Nov 17 2020 /etc/tomcat/server.xml
101317814 4 -rw-r----- 1 root tomcat 2418 Nov 17 2020 /etc/tomcat/tomcat-users.xml
101317815 4 -rw-r--r-- 1 root tomcat 1828 Nov 17 2020 /etc/tomcat/tomcat.conf
101317816 164 -rw-r--r-- 1 root tomcat 167655 Nov 17 2020 /etc/tomcat/web.xml
1062867 0 drwxr-xr-x 3 root tomcat 21 Oct 12 17:38 /var/lib/tomcat
34364415 0 drwxrwxr-x 2 root tomcat 6 Nov 17 2020 /var/lib/tomcat/webapps
101325121 4 -rw-rw---- 1 tomcat tomcat 28 Nov 17 2020 /var/log/tomcat/catalina.out
101325247 4 -rw-r--r-- 1 tomcat tomcat 3694 Oct 12 17:54 /var/log/tomcat/catalina.2021-10-12.log
101319738 0 -rw-r--r-- 1 tomcat tomcat 0 Oct 12 17:54 /var/log/tomcat/localhost.2021-10-12.log
101602624 0 -rw-r--r-- 1 tomcat tomcat 0 Oct 12 17:54 /var/log/tomcat/manager.2021-10-12.log
101602625 0 -rw-r--r-- 1 tomcat tomcat 0 Oct 12 17:54 /var/log/tomcat/host-manager.2021-10-12.log
101602626 0 -rw-r--r-- 1 tomcat tomcat 0 Oct 12 17:54 /var/log/tomcat/localhost_access_log.2021-10-12.txt
34364412 0 drwxrwx--- 4 root tomcat 30 Oct 12 17:38 /var/cache/tomcat
67246885 0 drwxrwx--- 2 root tomcat 6 Nov 17 2020 /var/cache/tomcat/temp
101317823 0 drwxrwx--- 2 root tomcat 6 Nov 17 2020 /var/cache/tomcat/work
1063007 0 drwxr-xr-x 2 tomcat tomcat 18 Oct 12 17:54 /tmp/hsperfdata_tomcat
1132192 32 -rw------- 1 tomcat tomcat 32768 Oct 12 17:59 /tmp/hsperfdata_tomcat/3058
1062857 0 drwxr-xr-x 2 root tomcat 56 Oct 12 17:38 /usr/share/doc/tomcat-7.0.76
1062858 56 -rw-rw-r-- 1 root tomcat 56846 Mar 9 2017 /usr/share/doc/tomcat-7.0.76/LICENSE
1062859 4 -rw-rw-r-- 1 root tomcat 1239 Mar 9 2017 /usr/share/doc/tomcat-7.0.76/NOTICE
1062860 12 -rw-rw-r-- 1 root tomcat 9030 Mar 9 2017 /usr/share/doc/tomcat-7.0.76/RELEASE-NOTES
1062843 0 drwxrwxr-x 3 root tomcat 91 Oct 12 17:38 /usr/share/tomcat
34364410 32 -rw-r--r-- 1 root tomcat 29299 Nov 17 2020 /usr/share/tomcat/bin/bootstrap.jar
34364411 4 -rw-r--r-- 1 root tomcat 1647 Nov 17 2020 /usr/share/tomcat/bin/catalina-tasks.xml
1062861 0 lrwxrwxrwx 1 root tomcat 11 Oct 12 17:38 /usr/share/tomcat/conf -> /etc/tomcat
1062862 0 lrwxrwxrwx 1 root tomcat 22 Oct 12 17:38 /usr/share/tomcat/lib -> /usr/share/java/tomcat
1062863 0 lrwxrwxrwx 1 root tomcat 15 Oct 12 17:38 /usr/share/tomcat/logs -> /var/log/tomcat
1062864 0 lrwxrwxrwx 1 root tomcat 22 Oct 12 17:38 /usr/share/tomcat/temp -> /var/cache/tomcat/temp
1062865 0 lrwxrwxrwx 1 root tomcat 23 Oct 12 17:38 /usr/share/tomcat/webapps -> /var/lib/tomcat/webapps
1062866 0 lrwxrwxrwx 1 root tomcat 22 Oct 12 17:38 /usr/share/tomcat/work -> /var/cache/tomcat/work