From: Mikolaj Rydzewski
To: Tomcat Users List
Date: Fri, 18 Jun 2010 11:42:46 +0200
Subject: Re: Jailrootting

Luca Gervasi wrote:
> I can read my /etc/passwd from a malicious JSP.
>
> Where can I find info on limiting filesystem access / visibility?
>

Google for SecurityManager. Check the conf/catalina.policy file within the Tomcat installation.

If you are really concerned about security and you have to run untrusted Java code, then you should run every webapp in a chroot/jail within its own JVM.

--
Mikolaj Rydzewski
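An added example, not part of the original message and not taken from Tomcat's shipped policy file: a conf/catalina.policy entry of the kind the reply points to, which takes effect when Tomcat is started under the SecurityManager (`catalina.sh start -security`). The webapp name `myapp` and the directory `/srv/myapp-data` are placeholders assumed for illustration.

```conf
// conf/catalina.policy fragment (added example; "myapp" and
// /srv/myapp-data are placeholder names, not from the thread).
//
// Under the SecurityManager, code holds only the permissions some grant
// entry gives it. No entry here covers /etc/passwd, so a JSP in this
// webapp that opens it gets java.security.AccessControlException.

// Too broad: any of these would let the JSP read /etc/passwd again.
// Shown commented out as the setting to avoid.
//
// grant codeBase "file:${catalina.base}/webapps/myapp/-" {
//     permission java.security.AllPermission;
//     permission java.io.FilePermission "<<ALL FILES>>", "read";
// };

// Narrow: file access limited to one data directory tree.
grant codeBase "file:${catalina.base}/webapps/myapp/-" {
    // The directory itself (needed to list it) ...
    permission java.io.FilePermission "/srv/myapp-data", "read";
    // ... and everything below it, recursively ("/-").
    permission java.io.FilePermission "/srv/myapp-data/-", "read,write,delete";

    // One specific system property rather than "*".
    permission java.util.PropertyPermission "user.timezone", "read";
};
```

The SecurityManager is deprecated for removal as of Java 17 (JEP 411), so this fragment applies to Tomcat and JDK versions that still support it.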