tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Jailrootting
Date Tue, 22 Jun 2010 20:25:31 GMT

Gregor,

On 6/22/2010 12:07 PM, Gregor Schneider wrote:
> 2010/6/18 Mikolaj Rydzewski <miki@ceti.pl>:
>> Luca Gervasi wrote:
>>>
>>> I can read my /etc/passwd from a malicious JSP.
>>> Where can I find info on limiting filesystem access / visibility?
>>>
>>
> 
> 1st thing to do:
> 
> run Tomcat as user "tomcat" (or whatever username you like) with
> limited rights - that should at least fix the possibility to cat
> /etc/passwd

I've never seen a system where /etc/passwd wasn't world-readable.
Otherwise, 'ls' doesn't even work well ;)

-chris
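An added illustration of the point in this message (not part of the original post and not Tomcat code): a mode-bit check showing why switching to an unprivileged service account leaves a world-readable file such as /etc/passwd readable. The names `readable_by_other`, `base`, `SAMPLE` and `demo` are hypothetical, the sample tree is constructed, and ACLs, group membership and MAC policy are assumed absent.

```python
import os
import stat
import tempfile


def readable_by_other(path, base="/"):
    """True if the 'other' class may read `path`, judging by mode bits alone.

    Requires o+r on the file and o+x (search) on every directory from the
    file's parent up to and including `base`. Assumption: no ACLs, no group
    membership for the account, no SELinux/AppArmor policy.
    """
    path, base = os.path.realpath(path), os.path.realpath(base)
    if os.path.commonpath([path, base]) != base:
        raise ValueError("path is not under base")
    if not os.stat(path).st_mode & stat.S_IROTH:
        return False
    current = path
    while current != base:
        current = os.path.dirname(current)
        if not os.stat(current).st_mode & stat.S_IXOTH:
            return False
    return True


# Constructed layout: (relative path, directory mode, file mode).
SAMPLE = [
    ("etc/passwd", 0o755, 0o644),     # typical: world-readable
    ("etc/shadow", 0o755, 0o640),     # typical: no access for 'other'
    ("private/notes", 0o750, 0o644),  # readable file behind a closed directory
]


def demo():
    """Build the constructed tree in a temp dir and evaluate each file."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        os.chmod(root, 0o755)  # mkdtemp creates 0700; open it for the demo
        for rel, dmode, fmode in SAMPLE:
            directory = os.path.join(root, os.path.dirname(rel))
            os.makedirs(directory, exist_ok=True)
            os.chmod(directory, dmode)
            target = os.path.join(root, rel)
            with open(target, "w") as fh:
                fh.write("constructed sample\n")
            os.chmod(target, fmode)
            results[rel] = readable_by_other(target, base=root)
    return results


if __name__ == "__main__":
    print(demo())
```

Calling `readable_by_other("/etc/passwd")` on a real host applies the same check to the file discussed in the thread.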
