Re: [PROPOSAL] Tomcat 4.1 Security Changes

2001-11-26 Thread Remy Maucherat

 Remy Maucherat wrote:

  If you give the appropriate permissions to allow SSI and CGI, you're
  actually giving AllPermissions anyway (since you're allowing a native script
  or executable to run, which is not constrained by the Java sandbox), so I'm
  missing the point here.

 Yes, once control is handed over to a native executable from the CGI servlet,
 all sandbox protections are lost.
 But perhaps the Tomcat admin only wants to allow the user to execute specific CGI
 scripts which are known to be secure and cannot be modified. By configuring a
 policy for the CGI servlet the admin can restrict what CGI scripts can be
 read and executed using a FilePermission.

Yes, you could do that. That's still quite risky (any vulnerability in the
script itself, and your server is compromised).

  This seems reasonable.
  (Of course, it's going to break all the scripts yet again ;-))

 Which scripts?

- The Catalina scripts (obviously)
- The installer scripts
- My Slide build script

But it's ok, really. It's not like it's the first time or the last time it
happens ;-)
You can do the updates to the Catalina scripts, and I'll do the rest.

Remy


--
To unsubscribe, e-mail:   mailto:[EMAIL PROTECTED]
For additional commands, e-mail: mailto:[EMAIL PROTECTED]

Re: [PROPOSAL] Tomcat 4.1 Security Changes

2001-11-25 Thread Remy Maucherat

 Currently, all supporting jar files for servlets which come with Tomcat 4
 are placed in the $CATALINA_HOME/server/lib directory with the Tomcat 4
 core jar files.  This is a potential security problem because the default
 catalina.policy grants AllPermission to all jar files located in
 $CATALINA_HOME/server/lib.  I don't think the default policy for these
 servlets should be AllPermission.  Especially for the SSI and CGI servlets.

If you give the appropriate permissions to allow SSI and CGI, you're
actually giving AllPermissions anyway (since you're allowing a native script
or executable to run, which is not constrained by the Java sandbox), so I'm
missing the point here.

 To make the default catalina.policy more secure and make configuring security
 policies easier, I recommend the following changes:

 1.  Create $CATALINA_HOME/servlets/lib and $CATALINA_HOME/servlets/classes.
 This is where global servlets provided with Tomcat 4 can be installed.

 2.  Move the following jar files into $CATALINA_HOME/servlets/lib

 servlets-cgi.renametojar
 servlets-common.jar
 servlets-default.jar
 servlets-invoker.jar
 servlets-manager.jar
 servlets-snoop.jar
 servlets-ssi.jar

This one is disabled by default too.

 servlets-webdav.jar

 3.  Update the class loader creation in Bootstrap.java for the catalina loader
 to look for jar files and classes in $CATALINA_HOME/servlets in addition
 to $CATALINA_HOME/server.

 4.  Update the default catalina.policy so that it provides explicit
 permissions for each jar file in $CATALINA_HOME/servlets/lib.

 5.  Update the documentation regarding the above changes.

 Please vote +1 so I can implement the above changes.

This seems reasonable.
(Of course, it's going to break all the scripts yet again ;-))

Remy


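The following catalina.policy fragment illustrates the two points made in this thread: the per-jar grants for $CATALINA_HOME/servlets/lib proposed above, and a FilePermission that limits which scripts the CGI servlet may read and execute, as suggested in the first reply. It is an added example, not text from the thread or the policy file shipped with Tomcat; the script directory /usr/local/cgi-bin and the specific permission sets are assumptions, and the real servlets may need further permissions that only testing will reveal.

```text
// BEFORE (the situation the proposal describes): every jar under
// server/lib, including the CGI and SSI servlets, runs with AllPermission.
grant codeBase "file:${catalina.home}/server/lib/-" {
    permission java.security.AllPermission;
};

// AFTER: the core jars keep AllPermission, while the servlet jars moved to
// servlets/lib each get an explicit, narrower grant.
grant codeBase "file:${catalina.home}/server/lib/-" {
    permission java.security.AllPermission;
};

// CGI servlet: may read deployed webapps, and may read and execute only the
// scripts in one admin-controlled directory (assumed: /usr/local/cgi-bin).
// Runtime.exec() is checked against FilePermission "execute", so a script
// outside this directory cannot be started from this code base.
// As noted in the thread, once a script runs it is a native process outside
// the sandbox: this grant limits which scripts start, not what they can do.
grant codeBase "file:${catalina.home}/servlets/lib/servlets-cgi.jar" {
    permission java.io.FilePermission "${catalina.home}/webapps/-", "read";
    permission java.io.FilePermission "/usr/local/cgi-bin/-", "read,execute";
};

// SSI servlet: only needs to read the files it includes, never execute.
grant codeBase "file:${catalina.home}/servlets/lib/servlets-ssi.jar" {
    permission java.io.FilePermission "${catalina.home}/webapps/-", "read";
};
```

The scripts under /usr/local/cgi-bin must themselves be unwritable by the Tomcat user, otherwise the execute grant is only as strong as the weakest script in that directory.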