On Tue, 2010-06-22 at 16:25 -0400, Christopher Schultz wrote:
> On 6/22/2010 12:07 PM, Gregor Schneider wrote:
> > 2010/6/18 Mikolaj Rydzewski <m...@ceti.pl>:
> >> Luca Gervasi wrote:
> >>>
> >>> I can read my /etc/passwd from a malicious JSP.
> >>> Where can I find info on limiting filesystem access / visibility?
> >>>
> >>
> >
> > 1st thing to do:
> >
> > run Tomcat as user "tomcat" (or whatever username you like) with
> > limited rights - that should at least fix the possibility to cat
> > /etc/passwd
>
> I've never seen a system where /etc/passwd wasn't world-readable.
> Otherwise, 'ls' doesn't even work well ;)
>
Hi guys, thanks for answering me.

Tomcat uses a low-privilege user and the system-wide permissions are thus enforced by the OS, but... I can still read all the instance-wide files (tomcat-users.xml, server.xml and any other 644 file).

I'm starting to read about SecurityManager, but I think that this should be the answer I was looking for :)

Thanks
Luca
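A catalina.policy fragment illustrating the SecurityManager approach Luca mentions, added here as an example and not taken from the thread or from the Tomcat distribution; the application name myapp and the data directory path are assumptions:

```text
// Added example: a catalina.policy fragment for one web application
// (assumed to be deployed at ${catalina.base}/webapps/myapp).
// Policy grants are only enforced when Tomcat is started with the
// SecurityManager, e.g.  $CATALINA_HOME/bin/catalina.sh start -security

grant codeBase "file:${catalina.base}/webapps/myapp/-" {
    // Read access to the application's own document root only.
    permission java.io.FilePermission "${catalina.base}/webapps/myapp/-", "read";

    // A deliberately narrow extra grant: one data directory the
    // application legitimately needs (assumed path).
    permission java.io.FilePermission "/srv/myapp-data/-", "read";

    // No FilePermission is granted for ${catalina.base}/conf/-, so a JSP
    // that opens tomcat-users.xml or server.xml from this web application
    // fails with java.security.AccessControlException instead of reading
    // the file, even though the OS user "tomcat" can read it.
};
```

Starting the JVM with -Djava.security.debug=access,failure logs every denied permission check, which shows which files a web application attempted to read outside its grant.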