UNIX for Advanced & Expert Users

Hi

This being my first post I have to say that you guys seem to have a nice community going.

My question is regarding securing Tomcat 5.0 on a Linuxbased system (Red Hat 9) and particularly concerning file access for Tomcat. The problem is that it is possible to gain access to any file on a system using badly coded JSP-pages, if these JSP-pages dump file contents to be viewed by the visitors. I have a particular page in our system in mind which accepts a request for a file, locates it and prints the contents onto the webpage. The issue that arises is of course that the page could be used to gain access to sensitive files such as password files, config files, etc. Although giving a JSP-page direct access to a file (without checking permissions and so on) being bad practise as such coding around the problem would take a bit of time (defining what files/paths are allowed for viewing, who can view the files, etc). The purpose of that page is to legitimately access cached reports already generated by the system and saved as files.

Just making sure the Tomcat user account can't be used to access any file outside the Tomcat directories would be just a bit too easy, the complication being that we DO need to access a few files reciding outside Tomcat. This is due to one of the encryption keys in symmetric encryption is stored in 2 different files in 2 different directories (with key 2 being in a database).

The solution I'm thinking about is to chroot Tomcat and mount (with -bind opion) the needed filesystems. But googling this gives posts indicating that chrooting Tomcat might require moving JVM files etc into the chrooted sandbox since Tomcat (or the JVM) might otherwise not be able to function properly.

I'd be very grateful for anyone pointing out an alternative solution to chroot for protecting files from "malicous" dumping by directory traversing using Tomcat or anyone pointing out how to make a chrooted Tomcat work as painlessly as possible.

Cheers