[cobalt-developers] Dangerous security violation in Cobalt Developer Kit for Java
- Subject: [cobalt-developers] Dangerous security violation in Cobalt Developer Kit for Java
- From: "Alexander Povargo" <apovargo@xxxxxxx>
- Date: Mon Aug 13 21:25:02 2001
- List-id: Discussion Forum for developers on Sun Cobalt Networks products <cobalt-developers.list.cobalt.com>
Hi,
This may be important to all who use the Cobalt Developer Kit for Java.
tomcat.policy contains the following permission for the codeBase of virtual domains:
permission java.io.FilePermission "-", "read,write,delete";
Java runs as the root user, and the user.home property points to /.
The given FilePermission allows any servlet from any virtual host to have
full access to your file system with root privileges. All servlets can read,
write and delete any file on your system and possibly crash your server.
The correct FilePermission must be given to the codeBase of each domain:
permission java.io.FilePermission "/home/sites/{siteN}/-",
"read,write,delete"
where siteN is the directory of your virtual site inside /home/sites: site1,
site2, etc.
Simple and quick solution: remove the code which generates tomcat.policy from
/usr/java/jakarta-tomcat/bin/cobalt_config.pl
Best solution: rewrite cobalt_config.pl with more intelligent code.
I hope this is helpful to all who use Cobalt's Tomcat.
Best regards,
Alex
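A small audit script, added here as an illustration and not part of Alex's post or of Cobalt's cobalt_config.pl, that reads a tomcat.policy and reports every per-site grant whose FilePermission target is not confined to that site's own /home/sites/siteN tree (it also catches a site being granted another site's directory). The sample policy text and the file:/home/sites/siteN/web/- codeBase form are constructed assumptions.

```python
import re

# Constructed sample tomcat.policy fragment (not the real Cobalt-generated file).
# site1 has the overly broad "-" target from the post, site2 is scoped correctly,
# site3 uses the explicit all-files token, site4 is scoped to a different site.
SAMPLE_POLICY = """
grant codeBase "file:/home/sites/site1/web/-" {
  permission java.io.FilePermission "-", "read,write,delete";
};
grant codeBase "file:/home/sites/site2/web/-" {
  permission java.io.FilePermission "/home/sites/site2/-", "read,write,delete";
};
grant codeBase "file:/home/sites/site3/web/-" {
  permission java.io.FilePermission "<<ALL FILES>>", "read";
};
grant codeBase "file:/home/sites/site4/web/-" {
  permission java.io.FilePermission "/home/sites/site1/-", "read,write,delete";
};
"""

# One grant block with a codeBase; grants without a codeBase (global ones) are skipped.
GRANT_RE = re.compile(r'grant\s+codeBase\s+"([^"]+)"\s*\{(.*?)\};', re.S)
FILEPERM_RE = re.compile(
    r'permission\s+java\.io\.FilePermission\s+"([^"]+)"\s*,\s*"([^"]+)"')
# Assumed codeBase layout: file:/home/sites/<siteN>/...
SITE_RE = re.compile(r'^file:(/home/sites/[^/]+)')


def site_dir_of(code_base):
    """Return the /home/sites/siteN directory a codeBase belongs to, or None."""
    m = SITE_RE.match(code_base)
    return m.group(1) if m else None


def find_unbounded_grants(policy_text):
    """Return (codeBase, target, actions) for each FilePermission whose target
    is not inside the grant's own site directory.  A relative target such as
    "-" is resolved against the JVM's working directory (the post reports that
    on Cobalt this is /), and "<<ALL FILES>>" is explicitly unbounded, so
    neither starts with the site directory and both are reported."""
    findings = []
    for code_base, body in GRANT_RE.findall(policy_text):
        site_dir = site_dir_of(code_base)
        for target, actions in FILEPERM_RE.findall(body):
            confined = site_dir is not None and (
                target == site_dir or target.startswith(site_dir + "/"))
            if not confined:
                findings.append((code_base, target, actions))
    return findings


if __name__ == "__main__":
    for code_base, target, actions in find_unbounded_grants(SAMPLE_POLICY):
        print(f"{code_base}: FilePermission {target!r} ({actions}) is not site-scoped")
```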