Hi All,

Dan Tran wrote, concerning my security worries:

David, I have tried this but base on my knowlege about unit file system
security, i would suggest you to install both JRE and JRUN under a non
root user id.
Reinstalling on my 'test' server allowed me to start jrun as the user I'd installed as. Now I didn't want to do all that on the working model, but it gave me some clues about where to look.

If I make all the files in /opt/Jrun/logs owned by apache, then I can start Jrun as that user. It appears that it was only write permission to the logs that was preventing me. There are a couple of details though. For some reason using 'su' to change users doesn't work, but 'sudo' does. Odd, but not important I think. Secondly, Jrun attempts to write to 'nohup.out' in whatever your current working directory is. So I have to cd to /opt/Jrun/logs first.

So our programmer has made the upload form reject jsps, and anything executed doesn't have sufficient privileges to trash the whole server.

Ideally, I still need to have a directory which jrun won't try to execute anything from. Is there any way to do that? As a last resort we could access the uploaded files from another virtual server, which is handled by apache alone. Doing it in a config option would minimise the reprogramming involved though.

Anyone know?

--

David Spacey

[EMAIL PROTECTED]

Reply via email to