tomcat-users mailing list archives

From Luca Gervasi <tom...@ashetic.net>
Subject Jailrootting
Date Fri, 18 Jun 2010 08:46:14 GMT
Hello,

I'm using:
Java(TM) SE Runtime Environment 1.6.0_20-b02 (Java HotSpot(TM) 64-Bit Server VM)
Apache Tomcat/6.0.26 (vanilla)

Is there a way to chroot each webapp into its own context?

Using code like this (in a JSP scriptlet, where "out" is the implicit JspWriter):

        // Spawn an external process and copy its standard output into the response
        Process p = Runtime.getRuntime().exec("cat /etc/passwd");

        BufferedReader reader = new BufferedReader(
                new InputStreamReader(p.getInputStream()));
        String line = reader.readLine();
        while (line != null) {
                out.println(line);
                line = reader.readLine();
        }
        reader.close();

I can read my /etc/passwd from a malicious JSP.

Where can I find information on limiting filesystem access / visibility?

Is there a way to "obscure" all the unnecessary details from each
webapp? (maybe by choosing the permissions on a per-<Context> basis...)

Thanks.

Luca Gervasi
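The mechanism Tomcat 6 offers for this is not a chroot but the Java SecurityManager, driven by conf/catalina.policy, which is consulted only when Tomcat is started with the security manager enabled (catalina.sh start -security). Below is an added example of a per-webapp grant block, written for this reply and not taken from the original mail or from Tomcat's shipped policy; the webapp name "myapp" and the directory layout are assumptions.

```text
// Added example (not from the original mail): a per-webapp grant in
// conf/catalina.policy. Permissions are scoped by codeBase, so each
// <Context> gets its own block; the assumed webapp here is "myapp".
grant codeBase "file:${catalina.base}/webapps/myapp/-" {
    // Read access to the webapp's own files and its work directory.
    permission java.io.FilePermission "${catalina.base}/webapps/myapp/-", "read";
    permission java.io.FilePermission "${catalina.base}/work/Catalina/localhost/myapp/-", "read,write";

    // Typical needs of a servlet/JSP application.
    permission java.util.PropertyPermission "*", "read";
    permission java.net.SocketPermission "localhost:1024-", "connect,resolve";

    // Deliberately absent: no FilePermission on /etc/passwd or "<<ALL FILES>>",
    // and no execute permission, so Runtime.getRuntime().exec(...) from this
    // codebase fails with java.security.AccessControlException.
};
```

With the security manager active, Runtime.exec checks java.io.FilePermission with the "execute" action (for a bare command name such as "cat" it checks "<<ALL FILES>>"), and any read outside the granted paths is refused the same way. This confines what the webapp's code may touch; it does not hide the rest of the filesystem the way a chroot would, and classes loaded from the shared or common loaders still run under the grants given to those codebases, so the entries for ${catalina.home}/lib in the same policy file deserve the same scrutiny.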

