Lucee, Tomcat9 and /manager/

Hi,

I am on Debian 11.3 using Tomcat 9.0.43-2~deb11u3 and Lucee 5.3.9.141. I have removed /etc/tomcat9/Catalina/localhost/host-manager.xml as recommended by OWASP Tomcat lockdown guide, but I still need the manager application for monitoring. /manager/ is locked down to the localhost as recommended (/etc/tomcat9/Catalina/localhost/manager.xml):

<Context path="/manager"
        docBase="/usr/share/tomcat9-admin/manager"
        antiResourceLocking="false" privileged="true">
    <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.0\.0\.1" />
</Context>

And I have configured the credentials for Nagios (/etc/tomcat9/tomcat-users.xml)

<role rolename="manager-gui"/>
<user username="nagios" password="nagiospass" roles="manager-gui"/>

I have confirmed that is working fine:

curl -i -s --compressed -u nagios:nagiospass "http://127.0.0.1:8080/manager/status?XML=true"

gets me what I need.

The only thing that bothers me right now is that there is an unsuccessful attempt for the Lucee servlet to be deployed in that context (I guess?), as this here is logged in /var/log/lucee/server/err.log:

2022-06-02 14:02:39.712 lucee.runtime.config.ConfigWebUtil Read-only file system
java.io.IOException: Read-only file system
        at java.base/java.io.UnixFileSystem.createFileExclusively(Native Method)
        at java.base/java.io.File.createNewFile(File.java:1035)
        at lucee.commons.io.res.type.file.FileResource.getOutputStream(FileResource.java:261)
        at lucee.commons.io.res.type.file.FileResource.copyTo(FileResource.java:116)
        at lucee.runtime.config.ConfigWebUtil._deploy(ConfigWebUtil.java:170)
        at lucee.runtime.config.ConfigWebUtil.deployWeb(ConfigWebUtil.java:126)
...

According to /var/log/lucee/server/out.log, this happens for the manager webroot:

WEB CONTEXT (7f73e995afa4cdef00c9f7f360b6e41b)
-------------------------------------------------------------------
- config:/var/lucee/config/web/7f73e995afa4cdef00c9f7f360b6e41b (custom setting)
- webroot:/usr/share/tomcat9-admin/manager
- hash:7f73e995afa4cdef00c9f7f360b6e41b
- label:7f73e995afa4cdef00c9f7f360b6e41b
===================================================================

Now /usr/share/tomcat9-admin/manager is obviously not configured under ReadWritePaths in the tomcat9.service unit file. I did try to add it there though, just to get rid of the error message, but then Lucee’s err.log gives me another permission error, probably because I changed the user tomcat is running under for security considerations. Then again, I don’t actually wish to have Lucee anywhere near /manager/, but I guess the tomcat configuration is a little too arcane for me.

Is there any way to exclude the Lucee servlet from the deployment attempt to the /manager/ application? Or is this just a non-issue and I should simply ignore the output to Lucee's server/err.log?

Any Tomcat experts' insights would be very much appreciated.

Kind regards

Markus
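Since the post relies on the RemoteAddrValve in manager.xml to keep /manager/ reachable only from localhost, it is worth checking what that `allow` pattern actually admits. The following is an added example written for this page, not code from the poster or from the Tomcat or Lucee projects. It parses a constructed copy of the post's manager.xml, then replays Tomcat 9's RequestFilterValve decision order as documented (deny is checked first, then allow, both as full-string regular-expression matches against the client address) over a few constructed client addresses. The `LOOPBACK_ALLOW` pattern is the loopback example from the Tomcat RemoteAddrValve documentation; the function and variable names are this example's own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copy of the manager.xml shown in the post (raw string keeps the
# regex backslashes exactly as they appear in the attribute).
MANAGER_XML = r"""<Context path="/manager"
        docBase="/usr/share/tomcat9-admin/manager"
        antiResourceLocking="false" privileged="true">
    <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.0\.0\.1" />
</Context>"""

# Loopback pattern from the Tomcat 9 RemoteAddrValve documentation: it also
# admits the IPv6 loopback spellings, which the post's pattern does not.
LOOPBACK_ALLOW = r"127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"

REMOTE_ADDR_VALVE = "org.apache.catalina.valves.RemoteAddrValve"

# Constructed client addresses to evaluate against the valve.
SAMPLE_ADDRS = ["127.0.0.1", "127.0.0.2", "::1", "0:0:0:0:0:0:0:1", "192.0.2.10"]


def valve_patterns(context_xml):
    """Return (allow, deny) of the first RemoteAddrValve in a Context XML.

    Returns (None, None) when the context has no such valve at all.
    """
    root = ET.fromstring(context_xml)
    for valve in root.iter("Valve"):
        if valve.get("className") == REMOTE_ADDR_VALVE:
            return valve.get("allow"), valve.get("deny")
    return None, None


def valve_decision(remote_addr, allow=None, deny=None):
    """Mirror the documented Tomcat 9 RequestFilterValve order (assumption of
    this example, based on the valve documentation):

    1. a matching deny pattern rejects the request;
    2. a matching allow pattern accepts it;
    3. with only a deny pattern configured, everything not denied is accepted;
    4. otherwise the request is rejected.

    Both patterns must match the whole address string, like Java's
    Matcher.matches(), hence re.fullmatch rather than re.search.
    """
    if deny is not None and re.fullmatch(deny, remote_addr):
        return False
    if allow is not None and re.fullmatch(allow, remote_addr):
        return True
    if deny is not None and allow is None:
        return True
    return False


def evaluate(context_xml, addrs=SAMPLE_ADDRS):
    """Map each client address to the valve's allow/deny decision for a context."""
    allow, deny = valve_patterns(context_xml)
    if allow is None and deny is None:
        # No RemoteAddrValve means no address restriction on this context.
        raise ValueError("context has no RemoteAddrValve; every client address is admitted")
    return {addr: valve_decision(addr, allow, deny) for addr in addrs}


if __name__ == "__main__":
    print("Post's pattern:")
    for addr, ok in evaluate(MANAGER_XML).items():
        print(f"  {addr:>16}  {'allowed' if ok else 'denied'}")
    print("Documentation loopback pattern:")
    for addr in SAMPLE_ADDRS:
        ok = valve_decision(addr, allow=LOOPBACK_ALLOW)
        print(f"  {addr:>16}  {'allowed' if ok else 'denied'}")
```

Run as a script it shows that the post's `allow="127\.0\.0\.1"` admits exactly that one address: a monitoring check that connects over IPv6 (`::1`) or any other loopback address is denied, whereas the documentation's loopback pattern accepts all of them. The valve compares the TCP peer address of the connection, so on a server that sits behind a reverse proxy the address it sees is the proxy's, not the original client's, unless a RemoteIpValve is configured ahead of it.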