Posted to dev@tomcat.apache.org by ma...@apache.org on 2008/01/06 12:43:48 UTC

svn commit: r609294 - in /tomcat/tc6.0.x/trunk: STATUS.txt conf/catalina.policy webapps/docs/changelog.xml

Author: markt
Date: Sun Jan  6 03:43:46 2008
New Revision: 609294

URL: http://svn.apache.org/viewvc?rev=609294&view=rev
Log:
Fix CVE-2007-5342. Restrict JULI permissions.

Modified:
    tomcat/tc6.0.x/trunk/STATUS.txt
    tomcat/tc6.0.x/trunk/conf/catalina.policy
    tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml

Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=609294&r1=609293&r2=609294&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/STATUS.txt (original)
+++ tomcat/tc6.0.x/trunk/STATUS.txt Sun Jan  6 03:43:46 2008
@@ -31,12 +31,6 @@
   +1: jfclere
   -1: fhanik - Can we add the 'package' directive to make the package match the dir structure
 
-* Fix CVE-2007-5342
-  JULI permissions need to be restricted
-  http://svn.apache.org/viewvc?rev=606594&view=rev
-  +1: markt,funkman, pero, yoavs
-  -1:
-
 * Fix http://issues.apache.org/bugzilla/show_bug.cgi?id=43868
   MBean methods getInvoke() and getSetter() were broken
   http://svn.apache.org/viewvc?rev=607483&view=rev

Modified: tomcat/tc6.0.x/trunk/conf/catalina.policy
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/conf/catalina.policy?rev=609294&r1=609293&r2=609294&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/conf/catalina.policy (original)
+++ tomcat/tc6.0.x/trunk/conf/catalina.policy Sun Jan  6 03:43:46 2008
@@ -62,7 +62,19 @@
 
 // These permissions apply to the logging API
 grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
-        permission java.security.AllPermission;
+        permission java.util.PropertyPermission "java.util.logging.config.class", "read";
+        permission java.util.PropertyPermission "java.util.logging.config.file", "read";
+        permission java.lang.RuntimePermission "shutdownHooks";
+        permission java.io.FilePermission "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
+        permission java.util.PropertyPermission "catalina.base", "read";
+        permission java.util.logging.LoggingPermission "control";
+        permission java.io.FilePermission "${catalina.base}${file.separator}logs", "read, write";
+        permission java.io.FilePermission "${catalina.base}${file.separator}logs${file.separator}*", "read, write";
+        permission java.lang.RuntimePermission "getClassLoader";
+        // To enable per context logging configuration, permit read access to the appropriate file.
+        // Be sure that the logging configuration is secure before enabling such access
+        // eg for the examples web application:
+        // permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read";
 };
 
 // These permissions apply to the server startup code
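Review bot: the scope of the two logs grants deserves a sentence in the comment block, because `${catalina.base}${file.separator}logs${file.separator}*` is not recursive: in policy syntax `*` matches only files directly inside logs, while `-` would also cover subdirectories, so a FileHandler configured with a directory below ${catalina.base}/logs will fail its permission check, and since only "read, write" is granted, no code under this grant can delete old log files either. Both are sensible least-privilege choices but will surprise administrators who have customised logging.properties. The commented-out example for the examples web application points at a logging.properties under WEB-INF/classes, which the application itself may be able to write; the "Be sure that the logging configuration is secure" caveat could say plainly that a writable logging.properties means the web application, not the administrator, decides what the logging code does with these permissions.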

Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=609294&r1=609293&r2=609294&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Sun Jan  6 03:43:46 2008
@@ -35,6 +35,9 @@
 <section name="Tomcat 6.0.16 (remm)">
   <subsection name="General">
     <changelog>
+      <fix>
+        Fix CVE-2007-5342 by limiting permissions granted to JULI. (markt)
+      </fix>
       <update>
         Fix handling of CometEvent.close when called during BEGIN event (fhanik)
       </update>
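Review bot: the changelog entry says what was fixed but not where. Administrators who maintain their own catalina.policy need to know that the change replaces AllPermission for the tomcat-juli.jar codeBase, otherwise a customised policy file keeps the old grant after upgrading. Suggest: "Fix CVE-2007-5342 by limiting the permissions granted to JULI (tomcat-juli.jar) in catalina.policy. (markt)".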



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
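The following program is an added example, not part of the Tomcat commit or of the JULI code: it builds the file and property permissions from the new tomcat-juli.jar grant as Java objects and asks which accesses they imply, so the scope of the grant (direct children of logs only, no delete, read-only config) can be checked without starting Tomcat. The ${catalina.base} path and the log file names are assumed values.

```java
import java.io.File;
import java.io.FilePermission;
import java.util.PropertyPermission;

// Added example: exercises the FilePermission semantics of the grant in
// catalina.policy. BASE stands in for ${catalina.base} (assumed path).
public class JuliGrantCheck {
    static final String BASE = "/opt/tomcat";
    static final String SEP = File.separator;

    // The file grants from the patch, as the policy parser would build them.
    static final FilePermission LOGS_DIR = new FilePermission(BASE + SEP + "logs", "read,write");
    static final FilePermission LOGS_FILES = new FilePermission(BASE + SEP + "logs" + SEP + "*", "read,write");
    static final FilePermission CONF_PROPS =
            new FilePermission(BASE + SEP + "conf" + SEP + "logging.properties", "read");

    /** True when either logs grant covers the requested access on path. */
    static boolean logsAllow(String path, String actions) {
        FilePermission want = new FilePermission(path, actions);
        return LOGS_DIR.implies(want) || LOGS_FILES.implies(want);
    }

    public static void main(String[] args) {
        String today = BASE + SEP + "logs" + SEP + "catalina.2008-01-06.log"; // constructed name
        String nested = BASE + SEP + "logs" + SEP + "archive" + SEP + "old.log";

        // A FileHandler creating today's file directly under logs/: allowed.
        check(true, logsAllow(today, "write"));
        // "*" is not recursive: a handler pointed at a subdirectory is denied.
        check(false, logsAllow(nested, "write"));
        // "-" would have been recursive; shown only for contrast, it is not in the patch.
        check(true, new FilePermission(BASE + SEP + "logs" + SEP + "-", "read,write")
                .implies(new FilePermission(nested, "write")));
        // Only read and write were granted, so removing old logs is denied.
        check(false, logsAllow(today, "delete"));
        // The conf grant is read-only: rewriting logging.properties is denied.
        check(false, CONF_PROPS.implies(
                new FilePermission(BASE + SEP + "conf" + SEP + "logging.properties", "write")));
        // PropertyPermission "catalina.base","read" does not allow changing it.
        PropertyPermission base = new PropertyPermission("catalina.base", "read");
        check(false, base.implies(new PropertyPermission("catalina.base", "write")));
        System.out.println("all grant checks behaved as expected");
    }

    static void check(boolean expected, boolean actual) {
        if (expected != actual) throw new AssertionError("expected " + expected + " but got " + actual);
    }
}
```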


Re: svn commit: r609294 - in /tomcat/tc6.0.x/trunk: STATUS.txt conf/catalina.policy webapps/docs/changelog.xml

Posted by Remy Maucherat <re...@apache.org>.
On Sun, 2008-01-13 at 22:38 +0000, Mark Thomas wrote:
> Remy Maucherat wrote:
> > On Fri, 2008-01-11 at 13:27 -0500, Larry Isaacs wrote:
> >>> I used java.security.debug=failure. The NPE isn't visible without it
> >>> (and nothing gets logged). I also did try adding various file
> >>> permissions, without much success.
> >>>
> >>> Rémy
> >>>
> >> If I recall correctly, the "failure" option unfortunately doesn't do
> >> anything by itself.  I believe you have to have "access" enabled before
> >> it will include any failures, i.e "java.security.debug=access,failure".
> >> There's no avoiding the huge log file. :(
> > 
> > Actually, it's quite funny since the NPEs do not occur with
> > "access,failure", and no accesses are reported as denied (but of course,
> > there's still no logging).
> 
> Hmm. Very odd. A bug in the JDK maybe?

Ok, I just found the reason: a packaging issue of my own, causing the
weird error :( Sorry for the trouble.

Rémy





Re: svn commit: r609294 - in /tomcat/tc6.0.x/trunk: STATUS.txt conf/catalina.policy webapps/docs/changelog.xml

Posted by Mark Thomas <ma...@apache.org>.
Remy Maucherat wrote:
> On Fri, 2008-01-11 at 13:27 -0500, Larry Isaacs wrote:
>>> I used java.security.debug=failure. The NPE isn't visible without it
>>> (and nothing gets logged). I also did try adding various file
>>> permissions, without much success.
>>>
>>> Rémy
>>>
>> If I recall correctly, the "failure" option unfortunately doesn't do
>> anything by itself.  I believe you have to have "access" enabled before
>> it will include any failures, i.e "java.security.debug=access,failure".
>> There's no avoiding the huge log file. :(
> 
> Actually, it's quite funny since the NPEs do not occur with
> "access,failure", and no accesses are reported as denied (but of course,
> there's still no logging).

Hmm. Very odd. A bug in the JDK maybe?

Mark




RE: svn commit: r609294 - in /tomcat/tc6.0.x/trunk: STATUS.txt conf/catalina.policy webapps/docs/changelog.xml

Posted by Remy Maucherat <re...@apache.org>.
On Fri, 2008-01-11 at 13:27 -0500, Larry Isaacs wrote:
> > I used java.security.debug=failure. The NPE isn't visible without it
> > (and nothing gets logged). I also did try adding various file
> > permissions, without much success.
> >
> > Rémy
> >
> 
> If I recall correctly, the "failure" option unfortunately doesn't do
> anything by itself.  I believe you have to have "access" enabled before
> it will include any failures, i.e "java.security.debug=access,failure".
> There's no avoiding the huge log file. :(

Actually, it's quite funny since the NPEs do not occur with
"access,failure", and no accesses are reported as denied (but of course,
there's still no logging).

Rémy





RE: svn commit: r609294 - in /tomcat/tc6.0.x/trunk: STATUS.txt conf/catalina.policy webapps/docs/changelog.xml

Posted by Larry Isaacs <La...@sas.com>.
> -----Original Message-----
> From: Remy Maucherat [mailto:remm@apache.org]
> Sent: Thursday, January 10, 2008 5:39 PM
> To: Tomcat Developers List
> Subject: Re: svn commit: r609294 - in /tomcat/tc6.0.x/trunk: STATUS.txt
> conf/catalina.policy webapps/docs/changelog.xml
>
> On Thu, 2008-01-10 at 20:07 +0000, Mark Thomas wrote:
> > Remy Maucherat wrote:
> > >
> > > On my platform [Linux + IcedTea], with the new policy in place, I get an
> > > error initializing a timestamp used by the FileHandler (why such a class
> > > ends up using a file like this is a mystery):
> >
> > Can you turn on the debugging so we can figure out which file it is. I'd
> > rather add a specific permission, or at least a limited one, rather than a
> > default read permission for java_home and every file below it (assuming
> > that is where the file it is trying to read is located).
>
> I used java.security.debug=failure. The NPE isn't visible without it
> (and nothing gets logged). I also did try adding various file
> permissions, without much success.
>
> Rémy
>

If I recall correctly, the "failure" option unfortunately doesn't do
anything by itself.  I believe you have to have "access" enabled before
it will include any failures, i.e "java.security.debug=access,failure".
There's no avoiding the huge log file. :(

Cheers,
Larry





Re: svn commit: r609294 - in /tomcat/tc6.0.x/trunk: STATUS.txt conf/catalina.policy webapps/docs/changelog.xml

Posted by Remy Maucherat <re...@apache.org>.
On Thu, 2008-01-10 at 20:07 +0000, Mark Thomas wrote:
> Remy Maucherat wrote:
> > 
> > On my platform [Linux + IcedTea], with the new policy in place, I get an
> > error initializing a timestamp used by the FileHandler (why such a class
> > ends up using a file like this is a mystery):
> 
> Can you turn on the debugging so we can figure out which file it is. I'd 
> rather add a specific permission, or at least a limited one, rather than a 
> default read permission for java_home and every file below it (assuming 
> that is where the file it is trying to read is located).

I used java.security.debug=failure. The NPE isn't visible without it
(and nothing gets logged). I also did try adding various file
permissions, without much success.

Rémy





Re: svn commit: r609294 - in /tomcat/tc6.0.x/trunk: STATUS.txt conf/catalina.policy webapps/docs/changelog.xml

Posted by Mark Thomas <ma...@apache.org>.
Remy Maucherat wrote:
> 
> On my platform [Linux + IcedTea], with the new policy in place, I get an
> error initializing a timestamp used by the FileHandler (why such a class
> ends up using a file like this is a mystery):

Can you turn on the debugging so we can figure out which file it is. I'd 
rather add a specific permission, or at least a limited one, rather than a 
default read permission for java_home and every file below it (assuming 
that is where the file it is trying to read is located).

Cheers,

Mark



Re: svn commit: r609294 - in /tomcat/tc6.0.x/trunk: STATUS.txt conf/catalina.policy webapps/docs/changelog.xml

Posted by Remy Maucherat <re...@apache.org>.
On Sun, 2008-01-06 at 11:43 +0000, markt@apache.org wrote:
>  // These permissions apply to the logging API
>  grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
> -        permission java.security.AllPermission;
> +        permission java.util.PropertyPermission "java.util.logging.config.class", "read";
> +        permission java.util.PropertyPermission "java.util.logging.config.file", "read";
> +        permission java.lang.RuntimePermission "shutdownHooks";
> +        permission java.io.FilePermission "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
> +        permission java.util.PropertyPermission "catalina.base", "read";
> +        permission java.util.logging.LoggingPermission "control";
> +        permission java.io.FilePermission "${catalina.base}${file.separator}logs", "read, write";
> +        permission java.io.FilePermission "${catalina.base}${file.separator}logs${file.separator}*", "read, write";
> +        permission java.lang.RuntimePermission "getClassLoader";
> +        // To enable per context logging configuration, permit read access to the appropriate file.
> +        // Be sure that the logging configuration is secure before enabling such access
> +        // eg for the examples web application:
> +        // permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read";
>  };

On my platform [Linux + IcedTea], with the new policy in place, I get an
error initializing a timestamp used by the FileHandler (why such a class
ends up using a file like this is a mystery):

Handler error
java.lang.NullPointerException
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:330)
        at java.security.AccessController.checkPermission(AccessController.java:556)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:550)
        at java.lang.SecurityManager.checkRead(SecurityManager.java:889)
        at java.io.File.exists(File.java:749)
        at sun.util.calendar.ZoneInfoFile.readZoneInfoFile(ZoneInfoFile.java:1034)
        at sun.util.calendar.ZoneInfoFile.createZoneInfo(ZoneInfoFile.java:575)
        at sun.util.calendar.ZoneInfoFile.getZoneInfo(ZoneInfoFile.java:545)
        at sun.util.calendar.ZoneInfo.getTimeZone(ZoneInfo.java:600)
        at java.util.TimeZone.getTimeZone(TimeZone.java:487)
        at java.util.TimeZone.setDefaultZone(TimeZone.java:584)
        at java.util.TimeZone.getDefaultRef(TimeZone.java:551)
        at java.util.Date.normalize(Date.java:1194)
        at java.util.Date.getYear(Date.java:650)
        at java.sql.Timestamp.toString(Timestamp.java:291)
        at org.apache.juli.FileHandler.configure(FileHandler.java:189)

Rémy


