On Wed, Apr 16, 2003 at 10:03:47AM -0500, Jonathan King wrote:
>
> On Wed, 16 Apr 2003, Jason McIntosh wrote:
>
> > Ok, it looks like I've found what's going on. It seems the new Tomcat
> > system does not seem to follow symbolic links. As the WEB-INF/classes
> > was symlinked to ../../src, Tomcat couldn't find the source files and
> > bombed out.
>
> [snip]
>
> > And I can understand maybe why they did so, such as security issues,
> > but at least you'd think someone would have seen it beforehand.
>
> OK, so I'm just a bit curious about how this policy is supposed to have a
> big effect on security. It would seem to me that to get the symlink there
> in the first place, you're going to need write permission in the
> particular directory, and if the bad guys have that, you're toast.
> Similarly, the bad guys are going to have to have write access to the
> directory containing the linked-to stuff, and it's the same story. If J.
> Random has access to your system, I'm not sure why exploiting symlinks
> would be the preferred method. So what am I missing?
>
It's the "airport screener" method of security: Anything that annoys the
user is by definition more secure.
Did you see this on ./? (google cache, the site's down)
http://216.239.37.100/search?q=cache:O6opM3x7UcAC:www.privacyinternational.org/activities/stupidsecurity/+stupid+security&hl=en&ie=UTF-8
Regards,
Mark
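Taking Jonathan's question literally, the example below (added here; it is not Tomcat's code and not from anyone in the thread) shows what a "does not follow symbolic links" policy amounts to in practice: a check that a path, once every link is resolved, still lies under the webapp root, run over a constructed copy of the WEB-INF/classes -> ../../src layout Jason describes. The temp-directory layout and the extra in-tree link are assumptions made for the demonstration.

```python
import os
import tempfile


def is_within_root(root: str, path: str) -> bool:
    """True only if `path`, with every symlink resolved, still lies under
    `root`. This is the containment check a server applies when it
    refuses to serve or load through links that leave the deployment
    directory (the "does not follow symbolic links" behaviour above)."""
    real_root = os.path.realpath(root)
    real_path = os.path.realpath(path)
    return real_path == real_root or real_path.startswith(real_root + os.sep)


def find_escaping_links(root: str) -> list:
    """Walk `root` (without descending into links) and return every
    symlink whose target resolves outside it, relative to `root`."""
    escaping = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) and not is_within_root(root, full):
                escaping.append(os.path.relpath(full, root))
    return sorted(escaping)


def build_layout() -> dict:
    """Construct a throwaway copy of the layout from the thread (assumed
    paths): <tmp>/webapps/app is the webapp root, and
    WEB-INF/classes -> ../../src points beside the webapp, outside it.
    A second link, WEB-INF/lib-link -> ../lib, stays inside for contrast."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "webapps", "app")
    web_inf = os.path.join(root, "WEB-INF")
    os.makedirs(web_inf)
    os.makedirs(os.path.join(root, "lib"))
    os.makedirs(os.path.join(base, "webapps", "src"))  # ../../src seen from WEB-INF
    os.symlink(os.path.join("..", "..", "src"), os.path.join(web_inf, "classes"))
    os.symlink(os.path.join("..", "lib"), os.path.join(web_inf, "lib-link"))
    return {
        "root": root,
        "escaping_link": os.path.join(web_inf, "classes"),
        "internal_link": os.path.join(web_inf, "lib-link"),
    }


if __name__ == "__main__":
    layout = build_layout()
    print("links escaping the webapp root:", find_escaping_links(layout["root"]))
```

Run on a POSIX system (symlink creation needs no special privilege there); the escaping link reported is exactly the one Tomcat declined to follow.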
_______________________________________________
members mailing list
http://mlug.missouri.edu/mailman/listinfo/members