Mr. Weller,

> Mr. Weller,
>
Mr Seaver,
> I have fully attempted to restrict my JSP page's ability to read and write
> files. My catalina.policy section currently looks like this:
>
> grant {
>     permission java.io.FilePermission "<<ALL FILES>>", "read";
>     permission java.io.FilePermission "<<ALL FILES>>", "write";
>     permission java.io.FilePermission "<<ALL FILES>>", "execute";
> };
>
> This is obviously dangerous, and I have done everything in the "<<ALL
> FILES>>" section to get catalina to restrict the file privileges to a couple
> of specific directories, such as:
>
> "/home/seaver/-"
>
> Starting up catalina with the security manager produces no problem, but the
> files I'm trying to write refuse to be written, as if they can't be written
> anywhere.
>
> With the "<<ALL FILES>>" token, it DOES work, so I must be missing something
> here?
>
For example, I have a bean that, after downloading a compressed file, uses the Unix program 'gunzip' to uncompress it:

    String[] cmd = {"gunzip", "-f", file2};
    Process proc = Runtime.getRuntime().exec(cmd);
    BufferedWriter output = new BufferedWriter(new OutputStreamWriter(proc.getOutputStream()));
    BufferedReader input = new BufferedReader(new InputStreamReader(proc.getInputStream()));
    BufferedReader error = new BufferedReader(new InputStreamReader(proc.getErrorStream()));

blah blah.

In my catalina.policy file I have the following section:

    grant {
        permission java.io.FilePermission "<<ALL FILES>>", "read";
        permission java.io.FilePermission "<<ALL FILES>>", "write";
        permission java.io.FilePermission "/bin/gunzip", "execute";
        permission java.io.FilePermission "/usr/bin/gunzip", "execute";
    };

As you can see, I am currently restricting ANY execution to the possible gunzip file my bean could be using.

The catalina.out log file indeed logs the failure in execution in the method that's trying to use gunzip:

Mar 20, 2003 1:52:23 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on port 80
java.security.AccessControlException: access denied (java.io.FilePermission <<ALL FILES>> execute)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:270)
        at java.security.AccessController.checkPermission(AccessController.java:401)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:542)
        at java.lang.SecurityManager.checkExec(SecurityManager.java:799)
        at java.lang.Runtime.exec(Runtime.java:563)
        at java.lang.Runtime.exec(Runtime.java:491)
        at java.lang.Runtime.exec(Runtime.java:457)
        at edu.northwestern.ls.monster.UploadBean2.pdbDownload(UploadBean2.java:283)

But that's beside the question: WHY does the execution of gunzip fail when I have it safely listed in catalina.policy??

Thanks Sam
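
Added example, not part of the original message: `SecurityManager.checkExec` checks `FilePermission(cmd, "execute")` only when the command is an absolute path and otherwise checks `"<<ALL FILES>>"` execute, which is the permission named in the exception above. The sketch below applies that rule to the grant block from the post using `FilePermission.implies`; the class name, the `requiredFor` helper and the extra `/bin/sh` probe are assumptions for illustration, and Unix paths are assumed.

```java
import java.io.File;
import java.io.FilePermission;
import java.security.Permission;
import java.security.Permissions;

public class ExecPermissionCheck {
    // Hypothetical helper mirroring the documented rule of
    // SecurityManager.checkExec(String cmd): an absolute path is checked as
    // FilePermission(cmd, "execute"); anything else is checked as
    // FilePermission("<<ALL FILES>>", "execute").
    static Permission requiredFor(String cmd) {
        String target = new File(cmd).isAbsolute() ? cmd : "<<ALL FILES>>";
        return new FilePermission(target, "execute");
    }

    public static void main(String[] args) {
        // The second grant block from the post, rebuilt as a permission collection.
        Permissions granted = new Permissions();
        granted.add(new FilePermission("<<ALL FILES>>", "read"));
        granted.add(new FilePermission("<<ALL FILES>>", "write"));
        granted.add(new FilePermission("/bin/gunzip", "execute"));
        granted.add(new FilePermission("/usr/bin/gunzip", "execute"));

        // "gunzip" is the string the bean passes to Runtime.exec; the absolute
        // forms are what the policy entries actually match. "/bin/sh" is an
        // extra probe showing that other binaries stay blocked.
        String[] commands = {"gunzip", "/bin/gunzip", "/usr/bin/gunzip", "/bin/sh"};
        for (String cmd : commands) {
            Permission needed = requiredFor(cmd);
            String verdict = granted.implies(needed) ? "allowed" : "denied";
            System.out.printf("%-16s needs %s -> %s%n", cmd, needed, verdict);
        }
    }
}
```

It needs no security manager to run, since it only evaluates `implies` on the permission objects, so the policy can be checked on a current JDK as well as the one in the stack trace.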
