tomcat-dev mailing list archives

From cmanola...@yahoo.com
Subject RE: WEB-INF classloading and on the fly compilation
Date Mon, 18 Sep 2000 16:52:58 GMT
> 
> hell...YES. considering the problems/complaints caused by the breakage of
> tomcat's session management (the not too random random number bug) it
> should be clear that everyone does have a security policy..or at least a
> notion of it. a webserver is the service that's most likely to be running
> on any machine - if the webserver gets r00ted that's the end of the box and
> your business. and tomcat DOES run as a webserver. personally if i thought
> tomcat was insecure i'd dump it for iPlanet/javawebserver in a
> flash.

The session management problem was minor compared with the admin problems
(admin was enabled by default with no password, as tomcat was intended
for development).

> > Nobody disagreed with dynamic compilation (and if you got this impression
> > from my mail then it's a sign I'm very bad at writing). I just argued
> > about how to implement this - i.e. include everything in a WAR or make it
> > a server-provided service.
> 
> IMHO dynamic compilation should be off by default if implemented..i think
> it's a bad idea anyway. that's usually how stuff gets r00ted. i can easily
> write a servlet with a System call, upload it somehow and your dynamic
> compilation will cause r00ting of the machine instantly. tomcat runs as
> root on many systems anyway...a "rm -rf /" would not be nice on a
> production box. dump it in a WAR and put a big OFF switch with a warning
> notice or at least make sure we can get rid of it easily if need be.

Dynamic compilation is not so wrong if the Policy is enabled and is
restrictive enough. As long as the webapp has a java.policy with the same
rights as applets, nothing bad should happen.

But if we start to make holes - add permission to create arbitrary class
loaders, all extra permissions required by complex programs like javac and
whatever else may end up in the WAR - then nobody can make any guarantee.

At least the applet-restricted sandbox was tested (and even there, many
holes were found and fixed!).

Again - it's about how you implement dynamic compilation and all the
sophisticated template systems (jsp included). (So far jasper works fine
with the sandbox.)

Costin
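The two policy shapes Costin contrasts above, written out as java.policy grant entries. This is an added illustration, not a policy file from tomcat or from anyone in this thread; the `${webapp.root}` and `${webapp.work}` property names and the codeBase path are assumptions chosen for the example.

```text
// Added example, not from the original thread.
// Assumption: the server expands ${webapp.root} and ${webapp.work} to the
// webapp's directory and its scratch (compiled-JSP) directory before
// loading this policy. "/-" in a codeBase matches the directory recursively.

// The "make holes" shape: enough rights for javac and arbitrary class
// loaders, which is the same as no sandbox at all. Any servlet in the WAR
// may then spawn processes, write anywhere and replace the policy itself.
grant codeBase "file:${webapp.root}/WEB-INF/-" {
    permission java.security.AllPermission;
};

// The applet-like shape: read its own tree, write only into the server's
// scratch directory, read a few harmless properties, and nothing else.
grant codeBase "file:${webapp.root}/WEB-INF/-" {
    permission java.io.FilePermission "${webapp.root}/-", "read";
    permission java.io.FilePermission "${webapp.work}/-", "read,write,delete";
    permission java.util.PropertyPermission "java.version", "read";
    permission java.util.PropertyPermission "line.separator", "read";
    // Deliberately absent:
    //   java.lang.RuntimePermission "createClassLoader"
    //   java.lang.RuntimePermission "setSecurityManager"
    //   java.io.FilePermission "<<ALL FILES>>", "execute"
};
```

With the second grant in force and a SecurityManager installed, a servlet that calls Runtime.exec fails with an AccessControlException, because exec is checked against a FilePermission with the "execute" action and none is granted; the same holds for defining a new class loader. The compiler that turns JSP into classes then has to live in the server's own code source, outside this grant, which is exactly the "server-provided service" option discussed earlier in the thread.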
