The root security issue has been addressed in JRUN 4

-D

----- Original Message -----
From: "David Spacey" <[EMAIL PROTECTED]>
To: "JRun-Talk" <[EMAIL PROTECTED]>
Sent: Monday, January 13, 2003 7:03 AM
Subject: JSP security issues
> Hi All,
>
> I act as administrator on a Redhat 7.1 system running Jrun 3.1 with the Sun JRE. I've spotted some security issues, which I could use some advice on.
>
> Firstly, our site specification requires a file upload section. I've just confirmed that it's possible to upload a JSP file, and have its code interpreted by Jrun. Not good at all. 8-( My preferred fix is to have the uploads go into their own directory, which Jrun is configured *not* to execute files from. Does anyone know a way to exclude a sub-tree in this way? I've examined the configuration section of Drew Falkman's book, but can't see anything relevant.
>
> The second really relates to the JRE. It will insist on running as user 'root.' Who'd have thought that of Sun? It's not like they are UN*X newbies, after all. I've tried setting the java executable to be suid 'apache,' but then it fails to run due to not finding an essential library. A long search of the Web only brought up files about the need to install as root, nothing about preventing it from running as him.
>
> The potential of those two vulnerabilities together is *quite* unnerving.
>
> Does anyone know of a solution to either problem?
>
> TIA
>
> --
>
> David Spacey
>
> [EMAIL PROTECTED]

Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=8
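One way to get the "directory JRun does not execute from" behaviour David asks for is a servlet filter (Servlet 2.3 or later) mapped to the upload path, added here as an illustration and not code from the thread or from JRun; the `/uploads/*` path, the class name and the extension list are assumptions. Keeping uploads outside the web root remains the primary fix; this filter is defence in depth so that a stored `.jsp` is never handed to the JSP engine.

```java
import java.io.IOException;
import java.util.Locale;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical defence-in-depth filter for an upload directory. Map it in
 * web.xml with <url-pattern>/uploads/*</url-pattern> (assumed path) so it
 * runs before the container's JSP handling for that sub-tree.
 */
public class NoExecUploadsFilter implements Filter {

    // Extensions the JSP engine would compile; constructed list, extend to taste.
    private static final String[] BLOCKED = { ".jsp", ".jspx", ".jspf", ".jsw", ".jsv" };

    public void init(FilterConfig cfg) throws ServletException { }

    public void destroy() { }

    /** True when the decoded request path ends in a blocked extension (case-insensitive). */
    static boolean isBlocked(String path) {
        String p = path.toLowerCase(Locale.ROOT);
        // Drop path parameters such as ";jsessionid=..." so "x.jsp;a=b" is still caught.
        int semi = p.indexOf(';');
        if (semi >= 0) p = p.substring(0, semi);
        for (int i = 0; i < BLOCKED.length; i++) {
            if (p.endsWith(BLOCKED[i])) return true;
        }
        return false;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest hreq = (HttpServletRequest) req;
        HttpServletResponse hres = (HttpServletResponse) res;
        String path = hreq.getServletPath();
        if (hreq.getPathInfo() != null) path += hreq.getPathInfo();
        if (isBlocked(path)) {
            hres.sendError(HttpServletResponse.SC_FORBIDDEN); // refuse, do not interpret
            return;
        }
        // Everything else is served as an opaque download, never rendered inline.
        hres.setHeader("Content-Disposition", "attachment");
        chain.doFilter(req, res);
    }
}
```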
