The servlet container usually has default security policies defined, which
can easily be changed. E.g. for Tomcat, look at conf/catalina.policy.
Am not sure what facilities OSGi containers provide in this area though?
2009/4/22 Jukka Zitting jukka.zitt...@gmail.com
Hi,
I was thinking about the
Hi,
Jukka Zitting wrote:
Hi,
I was thinking about the implications of giving a user write access to
a subtree of the repository. With that access the user could now
upload a new script and create a node that invokes that script when
rendered.
What if the script contains something like
This is an interesting one for us, since all users will have write
access to the repository.
Is there an 'execute' permission in Sling, or perhaps even an
equivalent to the no execute mount option in POSIX? I see some
extensions to the DefaultAccessControlManager looming.
Ian
On 22 Apr
Hi,
On Wed, Apr 22, 2009 at 12:40 PM, Torgeir Veimo torg...@pobox.com wrote:
The servlet container usually has default security policies defined, which
can easily be changed. E.g. for Tomcat, look at conf/catalina.policy.
What would such a policy file look like, i.e. what codeBase should be
Hi,
Torgeir Veimo wrote:
The servlet container usually has default security policies defined, which
can easily be changed. E.g. for Tomcat, look at conf/catalina.policy.
Am not sure what facilities OSGi containers provide in this area though?
OSGi containers basically also depend on standard
Hi,
Ian Boston wrote:
This is an interesting one for us, since all users will have write
access to the repository.
Is there an 'execute' permission in Sling, or perhaps even an equivalent
to the no execute mount option in POSIX? I see some extensions to the
DefaultAccessControlManager
Hi Jukka,
On Wed, Apr 22, 2009 at 12:25 PM, Jukka Zitting jukka.zitt...@gmail.com wrote:
...I was thinking about the implications of giving a user write access to
a subtree of the repository. With that access the user could now
upload a new script and create a node that invokes that script
Bertrand Delacretaz wrote:
Hi Jukka,
On Wed, Apr 22, 2009 at 12:25 PM, Jukka Zitting jukka.zitt...@gmail.com
wrote:
...I was thinking about the implications of giving a user write access to
a subtree of the repository. With that access the user could now
upload a new script and create a
Hi,
Carsten Ziegeler wrote:
Bertrand Delacretaz wrote:
Hi Jukka,
On Wed, Apr 22, 2009 at 12:25 PM, Jukka Zitting jukka.zitt...@gmail.com
wrote:
...I was thinking about the implications of giving a user write access to
a subtree of the repository. With that access the user could now
On Wed, Apr 22, 2009 at 1:42 PM, Felix Meschberger fmesc...@gmail.com wrote:
Hi,
Carsten Ziegeler wrote:
...scripts are only picked up from configured paths (libs and apps by
default). So as long as the user is not allowed to write in these
locations, everything should be fine.
Well,
Felix,
That sounds like it would address the issue of accepting scripts from
trusted sources but would not make the scripts safe as per your
original post.
On System.exit itself
I can't remember if the runtime shutdown handler can veto System.exit,
although the damage will already be
On Wed, Apr 22, 2009 at 12:41 PM, Felix Meschberger fmesc...@gmail.com wrote:
Hi,
Jukka Zitting wrote:
Hi,
I was thinking about the implications of giving a user write access to
a subtree of the repository. With that access the user could now
upload a new script and create a node that
Hi,
On Wed, Apr 22, 2009 at 2:22 PM, Tobias Bocanegra tri...@day.com wrote:
System.exit() bears IMO no real risk, since it can be prevented by
java security.
I'd like to see the relevant java security settings. With all the OSGi
stuff, JCR bundle loading, and script compiling in place I think
Hi,
Jukka Zitting wrote:
Hi,
On Wed, Apr 22, 2009 at 2:22 PM, Tobias Bocanegra tri...@day.com wrote:
System.exit() bears IMO no real risk, since it can be prevented by
java security.
I'd like to see the relevant java security settings. With all the OSGi
stuff, JCR bundle loading, and
On Wed, Apr 22, 2009 at 2:44 PM, Jukka Zitting jukka.zitt...@gmail.com wrote:
Hi,
On Wed, Apr 22, 2009 at 2:22 PM, Tobias Bocanegra tri...@day.com wrote:
System.exit() bears IMO no real risk, since it can be prevented by
java security.
I'd like to see the relevant java security settings.