Hi Steffen,
You can put the following code onto any JSP page and it will show you the contents of the /etc/passwd file (or replace below with the location of any file). I may have some glaring config issue with Resin, and I hope that I do. Help, Help, Help.

<%@ page import="java.io.*" %>
<%
String _filecontent = "";
String _resultmsg = "";
File file = new File("/etc/passwd");
FileInputStream fis = null;
BufferedInputStream bis = null;
DataInputStream dis = null;
try {
    fis = new FileInputStream(file);
    // Here BufferedInputStream is added for fast reading.
    bis = new BufferedInputStream(fis);
    dis = new DataInputStream(bis);
    // dis.available() returns 0 if the file does not have more lines.
    while (dis.available() != 0) {
        // this statement reads the next line from the file and appends it
        // to the page output.
        _filecontent += (dis.readLine());
    }
    // dispose all the resources after using them.
    fis.close();
    bis.close();
    dis.close();
} catch (FileNotFoundException e) {
    _resultmsg += e.toString();
} catch (IOException e) {
    _resultmsg += e.toString();
}
out.print(_filecontent);
out.print(_resultmsg);
%>

_____

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steffen Busch
Sent: Wednesday, December 26, 2007 2:33 PM
To: General Discussion for the Resin application server
Subject: Re: [Resin-interest] Jail/ Chroot / Security

What do you mean by "With java the host can still view any file on the server"?

Usually, you've got web-app(s) in virtual hosts serving content and/or providing an application. If you say "view any file", does this mean you have a directory listing where the files of the underlying filesystem are shown and are readable by the client? Besides the fact that you can disable the directory listing, you can restrict what a web-app can "do". You might want to look at http://www.caucho.com/resin-3.1/doc/security.xtp and http://www.caucho.com/resin-3.1/doc/securitymanager.xtp if you're talking about an ISP environment.

Regards,
Steffen

2007/12/26, Mktg. Incorporate Fast <[EMAIL PROTECTED]>:

I am looking for a way to prevent virtual hosts from accessing any files outside of their host directory. I have tried to set the root directory but it does not work. With java the host can still view any file on the server. Resin appears to have huge security flaws in this area. Please, please, please help.

_______________________________________________
resin-interest mailing list
resin-interest@caucho.com
http://maillist.caucho.com/mailman/listinfo/resin-interest
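To make the security-manager approach Steffen points to concrete, here is an added stand-alone Java example (not code from the thread, from Resin, or from its documentation) showing what a policy that confines file reads to a single host's directory does to the kind of read the JSP above performs. It assumes a hypothetical host root created under the temp directory, grants all non-file permissions so the demo stays short, and runs on Java 8 through 21 (from Java 17 on, start it with -Djava.security.manager=allow); how Resin wires a policy to each web-app is described in the securitymanager.xtp page above, not here.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FilePermission;
import java.io.FileWriter;
import java.io.IOException;
import java.security.AccessControlException;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;

public class HostFileSandboxDemo {
    // Hypothetical per-virtual-host document root, constructed under the temp dir for this demo.
    static final String HOST_ROOT = new File(System.getProperty("java.io.tmpdir"), "example-host").getPath();

    // Policy that lets application code read only files below HOST_ROOT. Every other kind of
    // permission is granted so the demo stays small; a real policy grants those explicitly.
    static class HostOnlyPolicy extends Policy {
        private final FilePermission allowedReads = new FilePermission(new File(HOST_ROOT, "-").getPath(), "read");
        @Override
        public boolean implies(ProtectionDomain domain, Permission perm) {
            if (perm instanceof FilePermission) {
                return allowedReads.implies(perm);
            }
            return true;
        }
    }

    // Opens a file the way the JSP above does and reports how the security check ended.
    static String tryRead(String path) {
        try (FileInputStream in = new FileInputStream(new File(path))) {
            return "ALLOWED: " + path;
        } catch (AccessControlException e) {
            return "DENIED: " + path + " (" + e.getPermission() + ")";
        } catch (IOException e) {
            return "IO ERROR: " + path + " (" + e + ")";
        }
    }

    public static void main(String[] args) throws IOException {
        // Create the sample host directory before the manager is installed (the policy blocks writes).
        new File(HOST_ROOT).mkdirs();
        try (FileWriter w = new FileWriter(new File(HOST_ROOT, "index.jsp"))) {
            w.write("<%-- constructed sample page --%>\n");
        }
        Policy.setPolicy(new HostOnlyPolicy());
        System.setSecurityManager(new SecurityManager());
        System.out.println(tryRead("/etc/passwd"));                                // outside the host root
        System.out.println(tryRead(new File(HOST_ROOT, "index.jsp").getPath()));   // inside the host root
    }
}
```

Once the manager is installed, the read outside HOST_ROOT fails at the FileInputStream constructor with an AccessControlException naming the denied FilePermission, while the read inside HOST_ROOT succeeds.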