tomcat-users mailing list archives

From "Roberto B." <robe...@ipermedianet.com>
Subject Re: Tomcat before Apache
Date Mon, 20 Aug 2001 08:13:17 GMT
Stop!  Stop!.. I wanted to say that I'm the Root user !!

----- Original Message -----
From: "Pier P. Fumagalli" <pier@betaversion.org>
To: <tomcat-user@jakarta.apache.org>
Sent: Friday, August 17, 2001 6:56 PM
Subject: Re: Tomcat before Apache


> Guys. If you wanted to scare the hell out of me, you succeeded... ARE WE
> GOING TO SUGGEST TO OUR USERS TO RUN TOMCAT AS ROOT? ARE YOU ALL NUTS?
>
> Ok, it's good code, but I wouldn't trust even my mother with root access
> on my machine... Starting it from the RC scripts will mean that TOMCAT is
> called as root....
>
> I'm attaching a little C script that degrades the process to a specified
> user before executing it. To compile do "gcc -O2 safexec.c -o safexec" and
> to run, (for example catalina) do:
>
> safexec username $CATALINA_HOME/bin/catalina.sh start
>
> It's written for Solaris, but it should work also on Linux (maybe some
> compilation warning of some kind)... DO NOT INSTALL IT W/ SUID PRIVILEGES,
> otherwise anyone will be able to break into your machine _easily_... 'K?
>
> Let's try to be a LITTLE BIT security conscious here...
>
>     Pier (in these days turned into a security freak!)
>
> --- This is safexec.c: -----------------------------------------------------
>
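> #include <sys/types.h>
> #include <unistd.h>
> #include <stdlib.h>
> #include <string.h>
> #include <errno.h>
> #include <stdio.h>
> #include <pwd.h>
> #include <grp.h>
>
> int main(int argc, char *argv[]) {
>     struct passwd *user=NULL;
>     char **args=NULL;
>     int x;
>
>     if (argc<3) {
>         fprintf(stderr, "Usage: %s [user] [command] [...]\n",argv[0]);
>         return(1);
>     }
>
>     /* Look up the target account; getpwnam() returns NULL if it is unknown */
>     user=getpwnam(argv[1]);
>     if (user==NULL) {
>         fprintf(stderr, "%s: unknown user %s\n", argv[0], argv[1]);
>         return(2);
>     }
>
>     /* Replace root's supplementary groups with the target user's groups */
>     if (initgroups(user->pw_name, user->pw_gid)!=0) {
>         fprintf(stderr, "%s cannot set requested user/group id\n", argv[0]);
>         return(2);
>     }
>
>     /* Group before user: once the uid is dropped the gid cannot be changed */
>     if (setgid(user->pw_gid)!=0) {
>         fprintf(stderr, "%s cannot set requested user/group id\n", argv[0]);
>         return(2);
>     }
>
>     if (setuid(user->pw_uid)!=0) {
>         fprintf(stderr, "%s cannot set requested user/group id\n", argv[0]);
>         return(2);
>     }
>
>     /* argv[2..argc-1] plus the terminating NULL need argc-1 slots */
>     args=(char **)malloc((argc-1)*sizeof(char *));
>     if (args==NULL) {
>         fprintf(stderr, "%s: out of memory\n", argv[0]);
>         return(2);
>     }
>     for (x=2; x<argc; x++) args[x-2]=argv[x];
>     args[argc-2]=NULL;
>
>     /* execvp() returns only if the command could not be started */
>     execvp(argv[2], args);
>     fprintf(stderr, "%s: %s: %s\n", argv[0], argv[2], strerror(errno));
>     return(3);
> }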
>
> --- End of safexec.c: ------------------------------------------------------
>
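
The warning above about not installing safexec with SUID privileges can be checked at deployment time. The following is an added example, not part of the original post or of safexec.c: `audit_launcher` and the `LAUNCHER_*` flags are hypothetical names, and the group/other-writable check goes one step beyond what the message states, since the RC scripts run the binary as root.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Findings are OR-ed together; 0 means nothing to report. */
enum {
    LAUNCHER_SUID     = 1 << 0, /* set-user-ID: runs with the file owner's uid */
    LAUNCHER_SGID     = 1 << 1, /* set-group-ID: runs with the file's group */
    LAUNCHER_WRITABLE = 1 << 2, /* group/other may replace what root will run */
    LAUNCHER_NOT_FILE = 1 << 3  /* symlink, directory, device, ... */
};

/* Hypothetical helper, not part of safexec.c. Returns -1 if lstat() fails. */
int audit_launcher(const char *path) {
    struct stat st;
    int findings = 0;

    if (lstat(path, &st) != 0) return -1;   /* lstat: do not follow symlinks */
    if (!S_ISREG(st.st_mode)) return LAUNCHER_NOT_FILE;
    if (st.st_mode & S_ISUID) findings |= LAUNCHER_SUID;
    if (st.st_mode & S_ISGID) findings |= LAUNCHER_SGID;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) findings |= LAUNCHER_WRITABLE;
    return findings;
}

int main(int argc, char *argv[]) {
    char sample[] = "/tmp/safexec-sample-XXXXXX"; /* constructed sample file */
    const char *path = argc > 1 ? argv[1] : sample;
    int fd = -1, f;

    if (argc < 2) {   /* no path given: audit a constructed setuid file */
        if ((fd = mkstemp(sample)) < 0 || fchmod(fd, 04755) != 0) {
            perror("sample"); return 2;
        }
    }
    f = audit_launcher(path);
    if (fd >= 0) { close(fd); unlink(sample); }
    if (f < 0) { perror(path); return 2; }
    if (f & LAUNCHER_NOT_FILE) printf("%s: not a regular file\n", path);
    if (f & LAUNCHER_SUID)     printf("%s: setuid bit set, remove with chmod u-s\n", path);
    if (f & LAUNCHER_SGID)     printf("%s: setgid bit set, remove with chmod g-s\n", path);
    if (f & LAUNCHER_WRITABLE) printf("%s: writable by group/other\n", path);
    return f ? 1 : 0;
}
```

Run it with the installed path of safexec as the only argument; a non-zero exit status means at least one finding.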

