tomcat-users mailing list archives

From Luca Gervasi
Subject Jailrootting
Date Fri, 18 Jun 2010 08:46:14 GMT

I'm using:
Java(TM) SE Runtime Environment 1.6.0_20-b02 (Java HotSpot(TM) 64-Bit Server VM)
Apache Tomcat/6.0.26 (vanilla)

Is there a way to chroot each webapp in its actual context?

Using a code like this:

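        // Spawn an OS command from inside the webapp (runs as the Tomcat user)
        Process p = Runtime.getRuntime().exec("cat /etc/passwd");

        OutputStream os = p.getOutputStream();
        InputStream in = p.getInputStream();
        DataInputStream dis = new DataInputStream(in);
        // Read the command's output line by line until end of stream
        String disr = dis.readLine();
        while ( disr != null ) {
                disr = dis.readLine();
        }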

I can read my /etc/passwd from a malicious JSP.

Where can I find information on limiting filesystem access / visibility?

Is there a way to "obscure" all the unnecessary details from each
webapp? (Maybe choosing the permissions on a <Context> basis...)


Luca Gervasi
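
Added example, not part of the original message and not Tomcat's shipped configuration: a conf/catalina.policy fragment showing per-webapp permissions under the Java SecurityManager, which restricts what webapp code may do inside the JVM rather than chrooting it. The webapp name "shop" and the data directory /srv/shop-data are hypothetical.

```conf
// conf/catalina.policy fragment (constructed example).
// "shop" and /srv/shop-data are hypothetical names used for illustration.
//
// The policy file is only enforced when Tomcat is started under the
// SecurityManager:
//     bin/catalina.sh start -security
// Without -security, webapp code runs with the full rights of the Tomcat
// OS user, which is why the Runtime.exec() call in the JSP succeeds.

// Weak setting, shown commented out: every class and JSP of the webapp
// may read any file and start any program.
//
// grant codeBase "file:${catalina.base}/webapps/shop/-" {
//     permission java.security.AllPermission;
// };

// Restricted setting: permissions granted to the context root directory
// apply to the webapp's JSP pages as well as its classes and JARs.
grant codeBase "file:${catalina.base}/webapps/shop/-" {
    // Read-only access to one data directory the application needs.
    permission java.io.FilePermission "/srv/shop-data/-", "read";

    // Deliberately absent:
    //   java.io.FilePermission "<<ALL FILES>>", "execute"
    //     -> Runtime.getRuntime().exec(...) throws a SecurityException
    //   java.io.FilePermission "/etc/-", "read"
    //     -> opening /etc/passwd directly throws a SecurityException
};
```

Each webapp gets its own grant block keyed on its codeBase, so permissions can differ per context. The Tomcat process should still run as an unprivileged OS user, since the policy only constrains Java code inside the JVM.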
