MLUG: Re: symlinks and security (was Re: [MLUG] Found tomcat problem)
It's a mounted NFS system. The symlink is all on the same system. I should probably have tried hardlinks and seen if that worked, but I just modified the filesystem. I did, after realizing this was a symlink problem, find an article stating it was in the release notes on 4.1. I of course wasn't reading the release notes. Additionally, there's a way to re-enable symlinks if need be through a config option.
As for chrooting, Tomcat doesn't do that, in that I have to specify full path settings for some of my various settings.
Jason

On Wednesday, April 16, 2003, at 12:40 PM, EMAIL:PROTECTED wrote:

I would suspect it's a chroot issue. If the symlink is to something outside of the chroot sandbox the server won't even be able to see it. Do symlinks work if they are to something else within the chroot filesystem? i.e. ../../src is outside ../ but ../src is not. There might be a way to change the behavior of symlinks beyond a chroot, but it would be discouraged.
I forget the name of the other projects that do similar things to chroot. So just take chroot to mean any alternative/virtual root directory system.
-Stuart
===Original Message===
Date: Wed, 16 Apr 2003 10:03:47 -0500 (CDT)
From: Jonathan King <EMAIL:PROTECTED>
Subject: symlinks and security (was Re: [MLUG] Found tomcat problem)

On Wed, 16 Apr 2003, Jason McIntosh wrote:
Ok, it looks like I've found what's going on. It seems the new Tomcat system does not seem to follow symbolic links. As the WEB-INF/classes was symlinked to ../../src, Tomcat couldn't find the source files and bombed out.

[snip]
And I can understand maybe why they did so, such as security issues, but at least you'd think someone would have seen it beforehand.

OK, so I'm just a bit curious about how this policy is supposed to have a big effect on security. It would seem to me that to get the symlink there in the first place, you're going to need write permission in the particular directory, and if the bad guys have that, you're toast. Similarly, the bad guys are going to have to have write access to the directory containing the linked-to stuff, and it's the same story. If J. Random has access to your system, I'm not sure why exploiting symlinks would be the preferred method. So what am I missing?
jking
---
EMAIL:PROTECTED
_______________________________________________
members mailing list
EMAIL:PROTECTED
http://mlug.missouri.edu/mailman/listinfo/members

/--------------------------------------|---------------------------\
| Jason McIntosh | CELL: 573-424-7612 |
| Webmaster, thinker, Programmer, etc. | WORK: 573-884-3865 |
| http://poetshome.com/ | |
|------------------------------------------------------------------|
|"How should I know if it works? That's what beta testers are |
|for. I only coded it." |
|(Attributed to Linus Torvalds, somewhere in a posting) |
\--------------------------------------|---------------------------/

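The thread's open question is why a servlet container would stop following symlinks at all. The defender's answer is that a symlink inside the served tree (Jason's `WEB-INF/classes -> ../../src`) silently extends what the server can hand out to whatever the link points at, so the document root stops being the trust boundary. The example below is added here and is not code from the thread or from Tomcat; it is a generic containment check in Python that rebuilds a layout like the one Jason describes in a temporary directory (the directory names, file contents and the `follow_symlinks` switch are constructed for the demonstration) and shows the two policies side by side: resolve-then-check (symlinks allowed but only if the target stays under the root) and refuse-any-symlink (the behaviour the new Tomcat defaulted to).

```python
import os
import tempfile
from pathlib import Path
from typing import Optional, Tuple


def _has_symlink_component(root: Path, rel: str) -> bool:
    """True if any component of rel, walked from root, is itself a symlink."""
    cur = root
    for part in Path(rel).parts:
        cur = cur / part
        if cur.is_symlink():
            return True
    return False


def check_request(root: str, rel: str, follow_symlinks: bool) -> Tuple[str, Optional[str]]:
    """Decide whether a requested relative path may be served from root.

    Returns (status, resolved_path). Statuses:
      'absolute-rejected'  request was not relative to the root
      'symlink-refused'    a symlink was found and follow_symlinks is False
      'outside-root'       the fully resolved target escapes the root
      'missing'            nothing exists at the resolved target
      'ok'                 safe to serve
    """
    root_real = Path(root).resolve()
    if os.path.isabs(rel):
        return "absolute-rejected", None
    if not follow_symlinks and _has_symlink_component(root_real, rel):
        return "symlink-refused", None
    # resolve() follows every symlink and collapses '..', so the containment
    # test below sees the real target, not the name the client asked for
    candidate = (root_real / rel).resolve()
    try:
        candidate.relative_to(root_real)
    except ValueError:
        return "outside-root", None
    if not candidate.exists():
        return "missing", None
    return "ok", str(candidate)


def build_demo_layout() -> str:
    """Constructed layout mirroring the thread: a webapp whose WEB-INF/classes
    is a relative symlink to ../../src, which lies outside the webapp root."""
    base = Path(tempfile.mkdtemp(prefix="symlink-demo-"))
    webroot = base / "webapps" / "app"
    (webroot / "WEB-INF").mkdir(parents=True)
    (webroot / "index.html").write_text("<html>hello</html>\n")
    src = base / "webapps" / "src"            # sibling of the webapp, not under it
    src.mkdir()
    (src / "Secret.java").write_text("class Secret {}\n")
    # relative link exactly as in the thread; from app/WEB-INF/ it lands in webapps/src
    os.symlink("../../src", webroot / "WEB-INF" / "classes")
    # a symlink whose target stays inside the root, to show the policies differ
    os.symlink("index.html", webroot / "home.html")
    return str(webroot)


if __name__ == "__main__":
    root = build_demo_layout()
    for req in ("index.html", "home.html", "WEB-INF/classes/Secret.java", "../src/Secret.java"):
        for follow in (True, False):
            status, path = check_request(root, req, follow)
            print(f"follow={follow!s:5} {req:32} -> {status} {path or ''}")
```

With `follow_symlinks=True` the `WEB-INF/classes/Secret.java` request is still rejected, because the resolved target is outside the root; `home.html` is served because its target is inside. With `follow_symlinks=False` both symlinked paths are refused outright, which is the blunt policy Jonathan questions: it gives up legitimate in-tree links to avoid having to reason about where every link leads. The check also rejects plain `..` traversal, since `resolve()` collapses it before the containment test.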