Gregor,

On 6/22/2010 12:07 PM, Gregor Schneider wrote:
> 2010/6/18 Mikolaj Rydzewski <m...@ceti.pl>:
>> Luca Gervasi wrote:
>>>
>>> I can read my /etc/passwd from a malicious jsp.
>>> Where can I find info on limiting filesystem access / visibility ?
>>>
>>
>
> 1st thing to do:
>
> run tomcat as user "tomcat" (or whatever username you like) with
> limited rights - that should at least fix the possibility to cat
> /etc/passwd

I've never seen a system where /etc/passwd wasn't world-readable.
Otherwise, 'ls' doesn't even work well ;)

-chris
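
The point made in the reply above can be checked mechanically. The following is an added example, not part of the original thread: it applies the classic Unix owner/group/other rule to a file and to every ancestor directory to decide whether a given service account could read it. The function names and the uid/gid 991 are constructed, and ACLs, SELinux/AppArmor and capabilities are not considered.

```python
import os

READ, SEARCH = 4, 1  # bit values inside one rwx triplet


def dac_allows(mode, owner_uid, owner_gid, uid, gids, want):
    """Classic Unix check: exactly one class (owner, group, other) applies."""
    if uid == 0:
        return True  # root bypasses read and directory-search checks
    if uid == owner_uid:
        shift = 6  # owner triplet, even if group/other would grant more
    elif owner_gid in gids:
        shift = 3  # group triplet
    else:
        shift = 0  # other triplet
    return bool((mode >> shift) & want)


def readable_by(path, uid, gids):
    """True if uid/gids may open path for reading, judged by mode bits only."""
    path = os.path.realpath(path)
    directory = os.path.dirname(path)
    while True:  # every ancestor directory needs the search (x) bit
        st = os.stat(directory)
        if not dac_allows(st.st_mode, st.st_uid, st.st_gid, uid, gids, SEARCH):
            return False
        parent = os.path.dirname(directory)
        if parent == directory:  # reached the filesystem root
            break
        directory = parent
    st = os.stat(path)
    return dac_allows(st.st_mode, st.st_uid, st.st_gid, uid, gids, READ)


if __name__ == "__main__":
    # Constructed service account: uid 991 whose only group is gid 991.
    for candidate in ("/etc/passwd", "/etc/shadow", "/etc/hostname"):
        if os.path.exists(candidate):
            print(candidate, readable_by(candidate, 991, {991}))
```

Run against the account Tomcat actually uses, this lists which files a dedicated low-privilege user would still be able to read through the "other" permission bits.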