Posted to dev@tomcat.apache.org by Renato Weiner <re...@yahoo.com> on 2002/02/25 19:13:05 UTC

Catalina with SecurityManager is possibly broken.

Hi all,

I found what I suppose to be a serious bug for whoever relies on running Catalina with a
Security Manager. It's not a vulnerability but it has the potential to break several applications
like O'Reilly's cos.jar ( upload ) and JSSE.

Description: security manager rules are not applied correctly to classes in the /lib directory

Here are the steps to reproduce:

Create 2 classes:

--------------------

import java.io.*;

public class WriteFile {

  public void write() throws IOException {

     FileWriter fw = new FileWriter("/home/client/write_area/test.txt");
     PrintWriter pw = new PrintWriter(fw);

     pw.println("Testing security manager...");
     pw.close();
     fw.close();
  }
}

--------------------

( create a jar:  jar -cvf WriteFile.jar WriteFile.class )

--------------------

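import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;
// WriteFile lives in the default package, so no import is needed
// (javac 1.4 and later reject "import WriteFile;").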

public class SecManagerTest extends HttpServlet {

  public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {

      res.setContentType("text/html");
      PrintWriter out = res.getWriter();
      WriteFile wf = new WriteFile();
      wf.write();

      out.println("<HTML>");
      out.println("<BODY>");
      out.println("Security Manager works!!");
      out.println("</BODY>");
      out.println("</HTML>");
  }
}

--------------------

Insert these lines after the catalina.policy file

grant codeBase "file:/home/client/-" {
permission java.io.FilePermission "/home/client/-", "read,write,delete";
permission java.util.PropertyPermission "*", "read";
};

Start catalina with:

./catalina.sh start -security 

***** NOW THE TESTS ************

First test. Put WriteFile.class and SecManagerTest.class on /WEB-INF/classes

Try to execute the servlet. It works !!!

Second test. Put WriteFile.jar on /WEB-INF/lib ( and remove WriteFile.class from /classes ! ). 
Restart Catalina. Try to access the servlet:

java.security.AccessControlException: access denied (java.io.FilePermission /home/client/write_area/teste.txt write)
 at java.security.AccessControlContext.checkPermission(AccessControlContext.java:272)
 at java.security.AccessController.checkPermission(AccessController.java:399)
 at java.lang.SecurityManager.checkPermission(SecurityManager.java:545)
 at java.lang.SecurityManager.checkWrite(SecurityManager.java:978)
 at java.io.FileOutputStream.<init>(FileOutputStream.java:96)
 at java.io.FileOutputStream.<init>(FileOutputStream.java:62)
 at java.io.FileWriter.<init>(FileWriter.java:38)
 at WriteFile.write(WriteFile.java:7)
 at SecManagerTest.doGet(SecManagerTest.java:13)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
(...)


In Tomcat 3.3 beta 1, it works perfectly. 

There is definitely something wrong with the Security Manager in Catalina. 

Webhosting companies and users that depend on the security manager cannot fully use Catalina ( again, everything works pretty well with Tomcat 3.3 ).

If you want me to test some patches let me know !!

Renato - Brazil
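
Added example (not part of the original post, and not Tomcat code): a stand-alone check of whether the grant's codeBase from the post covers a given code-source location, using the same `CodeSource.implies` matching the policy machinery applies. The webapp path and the three candidate locations are constructed for illustration; the post does not say which location form Catalina assigns to classes loaded from /WEB-INF/lib.

```java
import java.net.URI;
import java.net.URL;
import java.security.CodeSource;
import java.security.cert.Certificate;

public class CodeBaseCheck {

    // Returns true if a policy grant with the given codeBase applies to
    // code whose CodeSource location is 'location'.
    static boolean covers(String grantCodeBase, String location) throws Exception {
        URL grantUrl = URI.create(grantCodeBase).toURL();
        URL loadedUrl = URI.create(location).toURL();
        CodeSource grant = new CodeSource(grantUrl, (Certificate[]) null);
        CodeSource loaded = new CodeSource(loadedUrl, (Certificate[]) null);
        return grant.implies(loaded);
    }

    public static void main(String[] args) throws Exception {
        // codeBase taken from the grant block in the post
        String grant = "file:/home/client/-";

        // Constructed candidate locations (hypothetical webapp path):
        String[] candidates = {
            // classes directory, plain file: URL
            "file:/home/client/webapp/WEB-INF/classes/",
            // jar referenced by a plain file: URL
            "file:/home/client/webapp/WEB-INF/lib/WriteFile.jar",
            // the same jar referenced by a jar: URL
            "jar:file:/home/client/webapp/WEB-INF/lib/WriteFile.jar!/"
        };

        for (String c : candidates) {
            System.out.println((covers(grant, c) ? "covered     " : "NOT covered ") + c);
        }
    }
}
```

To see the location actually in use, start the JVM with -Djava.security.debug=access,failure, which dumps the protection domain that failed the permission check, and pass the reported location to covers().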
