Re: Jailrootting

2010-06-23 Thread Christopher Schultz
Luca, On 6/23/2010 3:18 AM, Luca Gervasi wrote: > Hi guys, thanks for answering me. > > Tomcat uses a low-privilege user and the system-wide permissions are > thus enforced by OS but... I can still read all the instance-wide files > (tomcat-users.xml,

Re: Jailrootting

2010-06-23 Thread Mikolaj Rydzewski
Luca Gervasi wrote: Tomcat uses a low-privilege user and the system-wide permissions are thus enforced by OS but... I can still read all the instance-wide files (tomcat-users.xml, server.xml and any other 644 file). What is your scenario for running webapps? Are you going to run third-party unt

Re: Jailrootting

2010-06-23 Thread Mikolaj Rydzewski
Christopher Schultz wrote: I've never seen a system where /etc/passwd wasn't world-readable. Otherwise, 'ls' doesn't even work well ;) I saw a free shell server once. There was some kind of Linux kernel hack implemented, that used to filter /etc/passwd to display only system accounts and you

Re: Jailrootting

2010-06-23 Thread Luca Gervasi
On Tue, 2010-06-22 at 16:25 -0400, Christopher Schultz wrote: > On 6/22/2010 12:07 PM, Gregor Schneider wrote: > > 2010/6/18 Mikolaj Rydzewski : > >> Luca Gervasi wrote: > >>> > >>> I can read my /etc/passwd from a malicious JSP. > >>> Where can I find info on limiting filesystem access / visibili

Re: Jailrootting

2010-06-22 Thread Christopher Schultz
Gregor, On 6/22/2010 12:07 PM, Gregor Schneider wrote: > 2010/6/18 Mikolaj Rydzewski : >> Luca Gervasi wrote: >>> >>> I can read my /etc/passwd from a malicious JSP. >>> Where can I find info on limiting filesystem access / visibility? >>> >> > > 1

Re: Jailrootting

2010-06-22 Thread Gregor Schneider
2010/6/18 Mikolaj Rydzewski : > Luca Gervasi wrote: >> >> I can read my /etc/passwd from a malicious JSP. >> Where can I find info on limiting filesystem access / visibility? >> > 1st thing to do: run Tomcat as user "tomcat" (or whatever username you like) with limited rights - that should at le

Re: Jailrootting

2010-06-18 Thread Mikolaj Rydzewski
Luca Gervasi wrote: I can read my /etc/passwd from a malicious JSP. Where can I find info on limiting filesystem access / visibility? Google for SecurityManager. Check the conf/catalina.policy file within the Tomcat installation. If you are really concerned about security and you have to run u

Jailrootting

2010-06-18 Thread Luca Gervasi
Hallo, I'm using Java(TM) SE Runtime Environment 1.6.0_20-b02 Java HotSpot(TM) 64-Bit Server VM) Apache Tomcat/6.0.26 (vanilla) Is there a way to chroot each webapp in its actual context? Using code like this: Process p = Runtime.getRuntime().exec("cat /etc/passwd"); Outp