Posted to users@tomcat.apache.org by Luca Gervasi <to...@ashetic.net> on 2010/06/18 10:46:14 UTC
Jailrootting
Hello,
I'm using
Java(TM) SE Runtime Environment 1.6.0_20-b02 Java HotSpot(TM) 64-Bit
Server VM)
Apache Tomcat/6.0.26 (vanilla)
Is there a way to chroot each webapp in its actual context?
Using code like this:
    // Needs <%@ page import="java.io.*" %> in the JSP
    Process p = Runtime.getRuntime().exec("cat /etc/passwd");
    InputStream in = p.getInputStream();  // stdout of the child process
    // BufferedReader replaces the deprecated DataInputStream.readLine()
    BufferedReader reader = new BufferedReader(new InputStreamReader(in));
    String disr = reader.readLine();
    while ( disr != null ) {
        out.println(disr);
        disr = reader.readLine();
    }
I can read my /etc/passwd from a malicious JSP.
Where can I find info on limiting filesystem access / visibility?
Is there a way to "obscure" all the unnecessary details from each
webapp? (maybe, choosing the permission on a <Context> basis...).
Thanks.
Luca Gervasi
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Jailrootting
Posted by Mikolaj Rydzewski <mi...@ceti.pl>.
Christopher Schultz wrote:
> I've never seen a system where /etc/passwd wasn't world-readable.
> Otherwise, 'ls' doesn't even work well ;)
>
I saw a free shell server once. There was some kind of Linux kernel hack
implemented, that used to filter /etc/passwd to display only system
accounts and yours.
--
Mikolaj Rydzewski <mi...@ceti.pl>
Re: Jailrootting
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Luca,
On 6/23/2010 3:18 AM, Luca Gervasi wrote:
> Hi guys, thanks for answering me.
>
> Tomcat uses a low privilege user and the system-wide permissions are
> thus enforced by OS but... I can still read all the instance-wide files
> (tomcat-users.xml, server.xml and any other 644 file).
>
> I'm starting to read about SecurityManager, but I think that this should
> be the answer I was looking for :)
If you don't trust your webapps, your options are as previously stated:
SecurityManager and/or chroot jail for Tomcat/JVM.
Using a chroot jail won't prevent hostile/untrustworthy webapps from
reading server.xml, etc. so the SecurityManager is really the way to go.
-chris
Re: Jailrootting
Posted by Mikolaj Rydzewski <mi...@ceti.pl>.
Luca Gervasi wrote:
> Tomcat uses a low privilege user and the system-wide permissions are
> thus enforced by OS but... I can still read all the instance-wide files
> (tomcat-users.xml, server.xml and any other 644 file).
>
What is your scenario for running webapps? Are you going to run
third-party untrusted code (free hosting?), or anything else? In most
cases jail/chroot and account with limited privileges are sufficient enough.
--
Mikolaj Rydzewski <mi...@ceti.pl>
Re: Jailrootting
Posted by Luca Gervasi <to...@ashetic.net>.
On Tue, 2010-06-22 at 16:25 -0400, Christopher Schultz wrote:
> On 6/22/2010 12:07 PM, Gregor Schneider wrote:
> > 2010/6/18 Mikolaj Rydzewski <mi...@ceti.pl>:
> >> Luca Gervasi wrote:
> >>>
> >>> I can read my /etc/passwd from a malicious JSP.
> >>> Where can I find info on limiting filesystem access / visibility?
> >>>
> >>
> >
> > 1st thing to do:
> >
> > run tomcat as user "tomcat" (or whatever username u like) with
> > limited rights - that should at least fix the possibility to cat
> > /etc/passwd
>
> I've never seen a system where /etc/passwd wasn't world-readable.
> Otherwise, 'ls' doesn't even work well ;)
>
Hi guys, thanks for answering me.
Tomcat uses a low privilege user and the system-wide permissions are
thus enforced by OS but... I can still read all the instance-wide files
(tomcat-users.xml, server.xml and any other 644 file).
I'm starting to read about SecurityManager, but I think that this should
be the answer I was looking for :)
Thanks
Luca
Re: Jailrootting
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Gregor,
On 6/22/2010 12:07 PM, Gregor Schneider wrote:
> 2010/6/18 Mikolaj Rydzewski <mi...@ceti.pl>:
>> Luca Gervasi wrote:
>>>
>>> I can read my /etc/passwd from a malicious JSP.
>>> Where can I find info on limiting filesystem access / visibility?
>>>
>>
>
> 1st thing to do:
>
> run tomcat as user "tomcat" (or whatever username u like) with
> limited rights - that should at least fix the possibility to cat
> /etc/passwd
I've never seen a system where /etc/passwd wasn't world-readable.
Otherwise, 'ls' doesn't even work well ;)
-chris
Re: Jailrootting
Posted by Gregor Schneider <rc...@googlemail.com>.
2010/6/18 Mikolaj Rydzewski <mi...@ceti.pl>:
> Luca Gervasi wrote:
>>
>> I can read my /etc/passwd from a malicious JSP.
>> Where can I find info on limiting filesystem access / visibility?
>>
>
1st thing to do:
run tomcat as user "tomcat" (or whatever username u like) with
limited rights - that should at least fix the possibility to cat
/etc/passwd
cheers
gregor
--
just because you're paranoid, don't mean they're not after you...
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available
@ http://pgpkeys.pca.dfn.de:11371
@ http://pgp.mit.edu:11371/
skype:rc46fi
Re: Jailrootting
Posted by Mikolaj Rydzewski <mi...@ceti.pl>.
Luca Gervasi wrote:
> I can read my /etc/passwd from a malicious JSP.
>
> Where can I find info on limiting filesystem access / visibility?
>
Google for SecurityManager. Check conf/catalina.policy file within
tomcat installation.
If you are really concerned about security and you have to run
untrusted java code then you should run every webapp in chroot/jail
within its own JVM.
--
Mikolaj Rydzewski <mi...@ceti.pl>
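
The SecurityManager approach recommended in this thread, shown as an added example that is not part of any poster's message or of the policy file Tomcat ships: a conf/catalina.policy fragment (Java policy-file syntax) that confines one webapp. The webapp name app1 and the directory /srv/app1-data are assumptions made for illustration.

```java
// conf/catalina.policy fragment (policy-file syntax, not Java source).
// "app1" and /srv/app1-data are hypothetical names used for this example.

// Too broad: with this grant the JSP from the first message works again,
// because any code in app1 may run external commands and read every file
// that the tomcat OS user can read.
//
// grant codeBase "file:${catalina.base}/webapps/app1/-" {
//     permission java.io.FilePermission "<<ALL FILES>>", "read,execute";
// };

// Tighter: permissions granted to the context root also apply to the
// JSP pages of that context, so this block covers a JSP dropped into app1.
grant codeBase "file:${catalina.base}/webapps/app1/-" {
    // The application may list its own data directory ...
    permission java.io.FilePermission "/srv/app1-data", "read";
    // ... and read, write and delete files below it, recursively.
    permission java.io.FilePermission "/srv/app1-data/-", "read,write,delete";

    // Deliberately absent:
    //  - any FilePermission with the "execute" action, so
    //    Runtime.getRuntime().exec("cat /etc/passwd") fails with a
    //    SecurityException before a process is started;
    //  - any FilePermission for /etc or ${catalina.base}/conf, so opening
    //    /etc/passwd, server.xml or tomcat-users.xml directly fails the
    //    same way, regardless of their 644 mode.
};
```

The policy is enforced only when Tomcat runs under the security manager, for example when started with `$CATALINA_HOME/bin/catalina.sh start -security`. The Security Manager is deprecated in recent Java releases (JEP 411), so this applies to the Java 6 / Tomcat 6 setup discussed in the thread.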