> Firstly, our site specification requires a file upload
> section. I've just confirmed that it's possible to upload
> a JSP file, and have its code interpreted by Jrun. Not
> good at all. 8-( My preferred fix is to have the uploads
> go into their own directory, which Jrun is configured
> *not* to execute files from. Does anyone know a way to
> exclude a sub-tree in this way? I've examined the
> configuration section of Drew Falkman's book, but can't
> see anything relevant.

I think this would be a matter of Apache configuration. I'm more familiar with IIS; in IIS, you can disable the use of scripts and/or executables within a single directory from within the IIS management console. I'm very sure you can do the same in Apache, but I'm not 100% sure how you'd do it. I suspect you might do something like this:

<Directory /var/www/somedirectory>
    Options None
</Directory>

You might want to read the Apache documentation for more details, or a more correct answer. If this works for you, please let me know.

> The second really relates to the JRE. It will insist on
> running as user 'root.' Who'd have thought that of Sun?
> It's not like they are UN*X newbies, after all. I've
> tried setting the java executable to be suid 'apache,'
> but then it fails to run due to not finding an essential
> library. A long search of the Web only brought up
> files about the need to install as root, nothing about
> preventing it from running as him.

I don't have a clue about that. Sorry.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
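
The directory-level lockdown discussed in this exchange, as an added example that is not part of the original message or of any JRun documentation. It assumes Apache httpd 2.4 syntax, mod_mime and mod_headers loaded, and JSP requests reaching the servlet engine through an extension mapping; the extension list is an assumption to adapt.

```apache
# Added example, not from the original thread.
# Assumptions: Apache httpd 2.4, mod_mime and mod_headers loaded.
<Directory "/var/www/somedirectory">
    # From the reply above: switches off ExecCGI, Includes, Indexes,
    # FollowSymLinks and MultiViews for this subtree. It does not undo
    # AddHandler/SetHandler mappings inherited from the parent config.
    Options None

    # Ignore .htaccess here, so an uploaded .htaccess cannot
    # re-enable handlers or options.
    AllowOverride None

    # Drop inherited extension-to-handler mappings for this subtree
    # (extension list is an assumption; match it to your connector config).
    RemoveHandler .jsp .jspx .jws

    # Refuse to serve any file carrying a script extension, in any letter
    # case. The (\.|$) tail also covers names such as "report.jsp.txt",
    # because mod_mime considers every extension in a file name.
    <FilesMatch "(?i)\.(jsp|jspx|jws)(\.|$)">
        Require all denied
    </FilesMatch>

    # Everything else is handed back as an opaque download rather than
    # being rendered or sniffed by the browser.
    ForceType application/octet-stream
    Header set Content-Disposition "attachment"
    Header set X-Content-Type-Options "nosniff"
</Directory>
```

Whether the servlet connector honours these directives depends on how it hooks into Apache, so confirm the result by requesting a harmless test JSP from the directory and checking that it is refused rather than interpreted.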
