The only really clean & secure way (but as I think most complicated patch) would be to allow access only to the files & locations which are entered somewhere in the config file.
If this was possible, you could put your files even outside of the assp directories (e.g. a common logfile directory) and still have a secure system. Every other solution is only a workaround which could lead to more problems (so think about some bad guy could edit the Maillog.txt to camouflage the configuration changes without a trace or something which will be added in future)

Matti

g> On 8/18/06, Micheal Espinola Jr <[EMAIL PROTECTED]> wrote:
>> [EMAIL PROTECTED] wrote:
>> > Do we need to be that restrictive?
>> >
>>
>> No, and we shouldn't be due to the customizable configuration of ASSP.
>>
>> > Also, I've just discovered that we need .db files in there. Currently you
>> > can't look at your
>> > pb/.db files through the interface.
>> >
>>
>> Good point. I missed that as well.
>>
>> > Remind me what we're trying to do here?
>>
>> Too much apparently. :-) Although, if possible, I think it would be
>> safer to restrict access to specific file types. We just need an
>> accurate list.
>>

g> Frankly I think it would be fine to just limit ASSP to its own
g> directory and sub-folders.

g> Hard coding a list of files would just be restrictive and a pain to
g> update and maintain unless we took away the option to set the file
g> names to whatever you wanted.

g> Then we could control what files can and can not be accessed by ASSP.
g> But I don't like that either since it would have to be maintained for
g> new features etc.

g> Just my 2 cents

g> Kevin

g> _______________________________________________
g> Assp-user mailing list
g> [email protected]
g> https://lists.sourceforge.net/lists/listinfo/assp-user

--
Matti Haack - Hit Haack IT Service Gmbh
Poltlbauer Weg 4, D-94036 Passau
+49 851 50477-22 Fax: +49 851 50477-29
http://www.haack-it.de
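
Added example, not part of the thread and not ASSP code: a Python sketch comparing the two policies discussed above, limiting access to the application's own directory tree versus allowing only files named in the config file. The directory layout, config keys and file names are constructed for illustration.

```python
import os
import tempfile

def canon(path, base):
    """Resolve path relative to base, collapsing '..' and following symlinks."""
    return os.path.realpath(os.path.join(base, path))

def in_base_dir(requested, base):
    """Policy A: allow anything under the application's own directory tree."""
    root = os.path.realpath(base)
    return os.path.commonpath([root, canon(requested, base)]) == root

def in_config_allowlist(requested, base, config):
    """Policy B: allow only files whose names appear as values in the config."""
    allowed = {canon(value, base) for value in config.values()}
    return canon(requested, base) in allowed

def demo():
    # Constructed layout: a base dir with a pb/ sub-folder and a shared log dir outside it.
    top = tempfile.mkdtemp()
    base = os.path.join(top, "assp")
    logs = os.path.join(top, "logs")
    os.makedirs(os.path.join(base, "pb"))
    os.makedirs(logs)
    # Hypothetical config keys and file names, for illustration only.
    config = {
        "listFile": "whitelist.txt",
        "pbFile": "pb/example.db",
        "logFile": os.path.join(logs, "maillog.txt"),
    }
    requests = [
        "whitelist.txt",                    # named in config, inside base
        "pb/example.db",                    # .db file in a sub-folder
        os.path.join(logs, "maillog.txt"),  # named in config, outside base
        "notes.txt",                        # inside base, not named in config
        "../logs/other.txt",                # '..' leads out of base
        "pb/../../logs/maillog.txt",        # '..' path to a file named in config
    ]
    return [(r, in_base_dir(r, base), in_config_allowlist(r, base, config))
            for r in requests]

if __name__ == "__main__":
    for req, by_dir, by_cfg in demo():
        print(f"{os.path.basename(req):14} base-dir={by_dir!s:5} config-list={by_cfg}")
```

Both checks compare canonical paths, so a request containing `..` is judged by where it actually points, not by how it is spelled.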
