You'll have the same effect in other servlet containers as well, but you're
able to restrict this with a policy file as described in this link
http://www.caucho.com/resin-3.1/doc/securitymanager.xtp

I haven't used a security-manager so far as it's simply not necessary when
your own applications are hosted by a Resin server. AFAIK, people reported
difficulties configuring a security-manager in resin-3.1's configuration
file, but if that's the case for you, consider http://bugs.caucho.com or
contact this list again.

Regards,
Steffen

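Steffen's pointer to the securitymanager page is the mitigation for the JSP below; what follows is an added example (not from the list post or from Resin's documentation) of a policy that lets a web-app read only its own directory, plus a small check class showing the read of /etc/passwd being refused once the manager is installed. The paths, the policy file name and the class name are assumptions. The SecurityManager is deprecated for removal since Java 17 (JEP 411), so this is a mitigation for the Java 5/6-era Resin 3.1 setup discussed here.

```java
// webapp.policy (constructed example; paths are assumptions for one virtual host):
//
//   grant codeBase "file:/srv/resin/hosts/example.com/webapp/-" {
//       // the web-app's own tree only; nothing is granted for /etc or the other hosts
//       permission java.io.FilePermission "/srv/resin/hosts/example.com/webapp/-", "read";
//       permission java.io.FilePermission "${java.io.tmpdir}/-", "read,write,delete";
//   };
//
// Run with the manager installed and this policy appended to the default one:
//   java -Djava.security.manager -Djava.security.policy=webapp.policy FileReadCheck /etc/passwd
// Without -Djava.security.manager every check below passes and the file is printed.
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.security.AccessControlException;

public class FileReadCheck {

    /** True if the calling code's protection domain is allowed to read the path. */
    static boolean canRead(String path) {
        SecurityManager sm = System.getSecurityManager();
        if (sm == null) {
            return true;            // no manager installed: the JVM permits everything
        }
        try {
            sm.checkRead(path);     // same check FileInputStream performs internally
            return true;
        } catch (AccessControlException e) {
            return false;
        }
    }

    public static void main(String[] args) throws IOException {
        String path = args.length > 0 ? args[0] : "/etc/passwd";
        System.out.println("SecurityManager installed: " + (System.getSecurityManager() != null));
        System.out.println("read of " + path + " permitted: " + canRead(path));

        // The real read fails the same way: the constructor calls checkRead() before opening.
        try (BufferedReader r = new BufferedReader(new InputStreamReader(new FileInputStream(path)))) {
            System.out.println("first line: " + r.readLine());
        } catch (AccessControlException e) {
            System.out.println("blocked by policy: " + e.getMessage());
        }
    }
}
```

For a Resin deployment the grant would cover the web-app's WEB-INF/classes and WEB-INF/lib, which the `/-` suffix does, and the same policy file is what the securitymanager.xtp page wires into the server configuration.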

2007/12/27, Mktg. Incorporate Fast <[EMAIL PROTECTED]>:
>
> Hi Steffen,
>
> You can put the following code onto any JSP page and it will show you the
> contents of the /etc/passwd file (or replace below with location of any
> file).  I may have some glaring config issue with Resin, and I hope that I
> do.
>
> Help, Help, Help.
>
> <%@ page import="java.io.*" %>
> <%
>     String _filecontent = "";
>     String _resultmsg = "";
>     File file = new File("/etc/passwd");
>     BufferedReader reader = null;
>     try {
>         // BufferedReader replaces the deprecated DataInputStream.readLine();
>         // readLine() returns null at end of file, which is a reliable EOF test
>         // (available() != 0 is not).
>         reader = new BufferedReader(new InputStreamReader(new FileInputStream(file)));
>         String line;
>         while ((line = reader.readLine()) != null) {
>             // keep the line breaks so the output stays readable
>             _filecontent += line + "\n";
>         }
>     } catch (FileNotFoundException e) {
>         _resultmsg += e.toString();
>     } catch (IOException e) {
>         _resultmsg += e.toString();
>     } finally {
>         // dispose of the resource whether or not the read succeeded
>         if (reader != null) {
>             try { reader.close(); } catch (IOException ignored) {}
>         }
>     }
>     out.print(_filecontent);
>     out.print(_resultmsg);
> %>
>
>
>  ------------------------------
>
> *From:* [EMAIL PROTECTED] [mailto:
> [EMAIL PROTECTED] *On Behalf Of *Steffen Busch
> *Sent:* Wednesday, December 26, 2007 2:33 PM
> *To:* General Discussion for the Resin application server
> *Subject:* Re: [Resin-interest] Jail/ Chroot / Security
>
> What do you mean by "With java the host can still view any file on the
> server" ?
>
> Usually, you've got web-app(s) in virtual hosts serving content and/or
> providing an application. If you say "view any file", does this mean you
> have a directory listing where the files of the underlying filesystem are
> shown and are readable by the client? Beside the fact, that you can disable
> the directory-listing, you can restrict what a web-app can "do". You might
> want to look at
>
> http://www.caucho.com/resin-3.1/doc/security.xtp
>
> and http://www.caucho.com/resin-3.1/doc/securitymanager.xtp
>
> if you're talking about an ISP Environment.
>
> Regards,
> Steffen
>
> 2007/12/26, Mktg. Incorporate Fast <[EMAIL PROTECTED]>:
>
> I am looking for a way to prevent virtual hosts accessing any files
> outside of their host directory.
>
> I have tried to set the root directory but it does not work.  With java
> the host can still view any file on the server.
>
> Resin appears to have huge security flaws in this area.  Please, please,
> please help.
>
_______________________________________________
resin-interest mailing list
resin-interest@caucho.com
http://maillist.caucho.com/mailman/listinfo/resin-interest