Jean-Luc:
Thanks for the reply. I have restructed my JServ so each developer is in a
separate zone. This fixes one of my security concerns. I found the
following FAQ:
Can I use different UIDs/GIDs for different servlets or virtual hosts?
Yes, you can! The complete separation between the web server and the server
engine allows you to connect multiple servlet engines to the same web
server. If these servlet engines are started in standalone mode using the
wrapper with different UID/GID, you end up having multiple secured servlet
environments. Of course, this requires a different JVM for each secured
servlet environment. For this reason, future releases will include a
servlet sandbox to guarantee a comfortable security level without requiring
multiple JVMs.
Well, this sounds like a fix for my last security concern and you have
mentioned this in your email. So, how do you run each zone with it's own
JVM and set the UID/GID?
At 09:44 AM 3/12/99 +0100, Jean-Luc Rochat wrote:
>Hi Brian,
>
>For your information, you should have a look at zone configuration, which
>allows you to start different JVM (manually) under different userid/gid.
>
>Jean-Luc
>
>"Brian S. Wallace" wrote:
>
>> Hi:
>>
>> We have a security concern about servlets running as the web server
>> UID/GID. Also, every developer in the same zone can access all of the
>> other servlets in that zone, right? This means adding a new zone each
>time
>> a new developer wants to do a project on our central server.
>>
>> I've been looking through the online documents and I see suggestions
such
>> as putting each developer in a separate zone and/or running multiple
>> JServs. From my point of view as a system manager, this creates a very
>> complicated system when you have multiple developers using central
>servers
>> (which is our case).
>>
>> There is mention of future changes to JServ to allow control of UID/GID
>via
>> the configuration files. Can someone elaborate on this? We currently
>run
>> our Apache servers with special UID/GID's and we also use CGIWrap to
>> restrict what developer's CGI programs can do.
>>
>> We have three main central web servers and dozens of developers. So
far,
>I
>> have found this concept of zones and mount points to be very confusing
>and
>> difficult to setup. Am I the only one that feels this way? Is this a
>> design thing driven by the way Java works or what?
>>
>> Thanks for your help,
>>
>> Brian S. Wallace
>>
>> Oak Ridge National Laboratory
>> P. O. Box 2008, MS 6394
>> Oak Ridge, Tennessee 37831-6394
>>
>> Voice (423) 576-3193
>> Fax (423) 574-5323
>>
>> http://www-internal.ornl.gov/~xsw/
>>
>> ----------------------------------------------------------------
>> To subscribe: [EMAIL PROTECTED]
>> To unsubscribe: [EMAIL PROTECTED]
>> Archives and Other: <http://www.working-dogs.com/>
>> Problems?: [EMAIL PROTECTED]
>
>
>
>----------------------------------------------------------------
>To subscribe: [EMAIL PROTECTED]
>To unsubscribe: [EMAIL PROTECTED]
>Archives and Other: <http://www.working-dogs.com/>
>Problems?: [EMAIL PROTECTED]
>
Brian S. Wallace
Oak Ridge National Laboratory
P. O. Box 2008, MS 6394
Oak Ridge, Tennessee 37831-6394
Voice (423) 576-3193
Fax (423) 574-5323
http://www-internal.ornl.gov/~xsw/
----------------------------------------------------------------
To subscribe: [EMAIL PROTECTED]
To unsubscribe: [EMAIL PROTECTED]
Archives and Other: <http://www.working-dogs.com/>
Problems?: [EMAIL PROTECTED]
