Re: [cobalt-developers] Dangerous security violation in Cobalt Developer Kit for Java
- Subject: Re: [cobalt-developers] Dangerous security violation in Cobalt Developer Kit for Java
- From: Timothy Stonis <timothy.stonis@xxxxxxx>
- Date: Sun Aug 26 00:09:51 2001
- List-id: Discussion Forum for developers on Sun Cobalt Networks products <cobalt-developers.list.cobalt.com>
We'll be putting out a patch for this soon. Thank you, Alexander, for
finding this. I thought the "-" was relative to the file in the grant
statement block.
_Tim
On 8/14/01 5:00 AM, "Alexander Povargo" <apovargo@xxxxxxx> wrote:
> Hi,
>
> it may be important to all who use Cobalt Developer Kit for Java.
> tomcat.policy contains such permission for codeBase of virtual domains:
> permission java.io.FilePermission "-", "read,write,delete";
>
> Java runs as a root user, user.home property points to /
> The given FilePermission allows any servlet from any virtual host to have
> full access to your file system with root privileges. All servlets can read,
> write and delete any file on your system and possibly crash your server.
>
> The correct FilePermission must be given to the codeBase of each domain:
> permission java.io.FilePermission "/home/sites/{siteN}/-",
> "read,write,delete"
> where siteN is the directory of your virtual site inside /home/sites: site1,
> site2, etc.
>
> Simple and quick solution: remove the code which generates tomcat.policy from
> /usr/java/jakarta-tomcat/bin/cobalt_config.pl
> Best solution: rewrite cobalt_config.pl with more intelligent code.
>
> Hope it may be helpful to all who use Cobalt's Tomcat.
>
> Best regards,
> Alex
>
> _______________________________________________
> cobalt-developers mailing list
> cobalt-developers@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-developers
>
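The point of the thread is how java.io.FilePermission reads the target "-". The following is an added example, not code from the original post or from the Cobalt kit: it uses the JDK's own FilePermission.implies() to compare the grant quoted above with the per-site grant Alexander recommends. The directory /home/sites/site1 is the site layout named in the post, and the file names under it are constructed for illustration.

```java
import java.io.FilePermission;

/*
 * Added example (not part of the original post): shows what the target "-"
 * in a grant block actually covers, compared with a per-site target.
 * /home/sites/site1 is the layout described in the post; the file names
 * below are constructed for illustration.
 */
public class PolicyTargetCheck {

    // The grant generated by cobalt_config.pl, as quoted in the post.
    static final FilePermission BARE_DASH =
        new FilePermission("-", "read,write,delete");

    // The per-site grant the post recommends (site1 assumed for illustration).
    static final FilePermission SITE1_ONLY =
        new FilePermission("/home/sites/site1/-", "read,write,delete");

    /** True if the grant lets code read the given absolute path. */
    static boolean allowsRead(FilePermission grant, String absolutePath) {
        return grant.implies(new FilePermission(absolutePath, "read"));
    }

    public static void main(String[] args) {
        // "-" is not resolved against the codeBase of the grant block. The JVM
        // resolves a relative target against its working directory (user.dir)
        // and "-" means that directory and everything below it, recursively.
        // The post reports that on Cobalt's Tomcat this resolves to "/".
        String cwd = System.getProperty("user.dir");
        System.out.println("user.dir = " + cwd);
        System.out.println("\"-\" covers " + cwd + "/anything: "
            + allowsRead(BARE_DASH, cwd + "/anything"));
        System.out.println("\"-\" covers " + cwd + "/deep/nested/file: "
            + allowsRead(BARE_DASH, cwd + "/deep/nested/file"));

        // The per-site grant is confined to that site's directory tree.
        System.out.println("site1 grant covers /home/sites/site1/web/index.jsp: "
            + allowsRead(SITE1_ONLY, "/home/sites/site1/web/index.jsp"));
        System.out.println("site1 grant covers /home/sites/site2/web/index.jsp: "
            + allowsRead(SITE1_ONLY, "/home/sites/site2/web/index.jsp"));
        System.out.println("site1 grant covers /etc/passwd: "
            + allowsRead(SITE1_ONLY, "/etc/passwd"));
    }
}
```

Compile and run it from any directory with `javac PolicyTargetCheck.java && java PolicyTargetCheck`; the bare "-" grant implies every path under whatever user.dir is, while the per-site grant implies nothing outside /home/sites/site1. When auditing a generated tomcat.policy, the targets to look for in any per-domain grant block are a bare "-", "/-" or "<<ALL FILES>>", since each of them reaches past the site's own tree.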