5 Replies. Latest reply: May 8, 2014 9:05 AM by Paendrag

    Middleware Home File and Subdirectory Permissions

    Paendrag

      Hello,

       

      I have a security requirement to ensure that the permissions of the files and subdirectories contained in the Middleware Home directory are set to 700 for subdirectories and executable files and 600 for non-executable files.

       

      I have verified that the Middleware Home directory does comply with this.  However, after creating a Managed Server and deploying an application, the Managed Server's directory, subdirectories, and some files are actually 740 or 750.

       

      Is there a way to control this during Managed Server creation or application deployment?

       

      Example: TEST_Server should also be 700 but is actually 750

       

      ls -l /opt/app/oracle/MiddleWare/user_projects/domains/DomainMA/servers

      total 9

      drwx------   3 oracle   oinstall       3 Nov 18 21:42 AdminServer

      drwx------   3 oracle   oinstall       3 May  5 18:52 domain_bak

      drwxr-x---   9 oracle   oinstall       9 May  7 13:16 TEST_Server

       

      Thank you,

      Daniel M.

        • 1. Re: Middleware Home File and Subdirectory Permissions
          Paendrag

          Just for information purposes, I am currently handling this by running the find command with the perm and execute parameters.  I am just curious if WebLogic can set those files to the correct privileges since WebLogic is the one creating those directories.

           

          Example of what I am currently doing:

           

          Set file permissions to read/write/execute for "owner" (e.g. 700) if the file contains the "execute" permission in any position.

            find /opt/app/oracle/MiddleWare/user_projects/domains/DomainMA/servers/TEST_Server -type f \( -perm -100 -o -perm -010 -o -perm -001 \) \! -perm 700 -exec chmod u+rwx,o-rwx,g-rwx '{}' +

           

          Set file permissions to read/write for "owner" (e.g. 600) and remove all permissions from "group" and "other" if the file is not executable.

            find /opt/app/oracle/MiddleWare/user_projects/domains/DomainMA/servers/TEST_Server -type f \! -perm -100 \! -perm 600 -exec chmod o-rwx,g-rwx '{}' +

           


          Edited the find statements above for clarity.
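
An audit-then-fix version of the approach in the post above, added here as an example and not written by any participant in the thread. It extends the posted find tests to directories (the posted commands use `-type f` only); the function names and the sample tree are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Policy from the original post:
# 700 for directories and executable files, 600 for non-executable files.
# "Executable" means any execute bit (owner, group or other) is set.

# List each non-compliant path under $1 as "<required mode> <path>".
audit_perms() {
    find "$1" -type d ! -perm 700 -print | sed 's/^/700 /'
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) \
        ! -perm 700 -print | sed 's/^/700 /'
    find "$1" -type f ! -perm -100 ! -perm -010 ! -perm -001 \
        ! -perm 600 -print | sed 's/^/600 /'
}

# Bring everything under $1 to the policy, directories included.
fix_perms() {
    find "$1" -type d ! -perm 700 -exec chmod 700 {} +
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) \
        ! -perm 700 -exec chmod 700 {} +
    # Every file that had an execute bit is now 700, so a file without
    # the owner execute bit is a non-executable file.
    find "$1" -type f ! -perm -100 ! -perm 600 -exec chmod 600 {} +
}

# Exit status for a scheduled compliance check: 0 = compliant, 1 = findings.
check_perms() {
    findings=$(audit_perms "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings" >&2
    return 1
}

# Constructed sample tree (hypothetical names) using the modes from the post.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/TEST_Server/logs" "$d/TEST_Server/bin"
    : > "$d/TEST_Server/logs/server.log"; : > "$d/TEST_Server/bin/run.sh"
    : > "$d/TEST_Server/ok.txt"
    chmod 640 "$d/TEST_Server/logs/server.log"
    chmod 750 "$d/TEST_Server/bin/run.sh" "$d/TEST_Server" "$d/TEST_Server/logs"
    chmod 600 "$d/TEST_Server/ok.txt"
    chmod 700 "$d/TEST_Server/bin"
    printf '%s\n' "$d/TEST_Server"
}

# Report only when given a directory; call fix_perms separately to change modes.
if [ $# -eq 1 ]; then audit_perms "$1"; fi
```

Running the audit first gives a record of what the server created with the wrong mode before anything is changed, and `check_perms` can be rerun after each deployment.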

          • 2. Re: Middleware Home File and Subdirectory Permissions
            Ratnesh Kumar Roy

            Hi,

             

            You should have read/write permission on middleware_home and wls_home, because sometimes while applying a jar file or applying a patch you will get a permission error.

             

            Regards

            • 3. Re: Middleware Home File and Subdirectory Permissions
              Sharmela-Oracle

              Hi,

               

              I understand that for security reasons you want to change the permissions on the files, but it is not recommended and it may lead to issues in future.

              However if you still want to go ahead with it, it is up to you.

               

              While creating a managed server, the permissions of the files are set by default, and if you want to customize them you have to do it later.

              During the time of installation and configuration the file permissions are set by default.

               

              Thanks,

              Sharmela

              • 4. Re: Middleware Home File and Subdirectory Permissions
                Ratnesh Kumar Roy

                Hi

                 

                Can you let us know, in detail, the scenarios in which you want to change the permissions?

                 

                Regards

                • 5. Re: Middleware Home File and Subdirectory Permissions
                  Paendrag

                  Basically, we have to show we are compliant with, and have mitigated all findings in, Common Configuration Enumeration (CCE) at the National Vulnerability Database (NVD) <http://nvd.nist.gov/cce/index.cfm>.

                   

                  This is a vulnerability finding for WebLogic 11g.

                   

                  CCE-18046-3, CCE-17425-0, and CCE-18185-9 to be exact.