Could you give an example of how malicious code could affect the security of the JVM?

Usually I have a codebase policy like this for each user:

permission java.io.FilePermission "/home/client/public_html/-", "read,write,delete";

I guess that if someone writes a piece of code that tries to access private functions, 
static variables, etc. from other libraries in different directories, this policy will 
intercept the request and the malicious code will not work. Am I right? Is there a 
way that somebody could write code that uses the catalina classes in order to do 
something bad?
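
An added example, not part of this post or of the Tomcat/Hibernate code, showing what the FilePermission grant above does and does not govern. It installs a policy carrying only that grant under a SecurityManager (Java 8; the SecurityManager is deprecated for removal in Java 17 and disabled in Java 24) and then exercises two checks: a file path inside and outside the granted tree, and a reflective setAccessible(true) on a private field. The class name PolicyScopeDemo, the stand-in Library class and the second path /home/other/public_html are constructed for the demo. FilePermission covers file I/O only; reflective access to private members is checked against ReflectPermission "suppressAccessChecks", which this policy does not grant, so the setAccessible call is refused.

```java
import java.io.FilePermission;
import java.lang.reflect.Field;
import java.lang.reflect.ReflectPermission;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.security.Policy;

/**
 * Demonstrates the scope of the policy line from the question.
 * Constructed demo for Java 8; the SecurityManager is deprecated in 17 and disabled in 24.
 */
public class PolicyScopeDemo {

    /** Stand-in (constructed) for a third-party library class with a private member. */
    static class Library {
        private String internalState = "not meant to be touched";
    }

    /** Reports whether a permission check passes under the installed policy. */
    static boolean isGranted(Permission p) {
        try {
            AccessController.checkPermission(p);
            return true;
        } catch (AccessControlException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Install a policy that carries only the grant from the question.
        Policy.setPolicy(new Policy() {
            @Override
            public PermissionCollection getPermissions(CodeSource cs) {
                Permissions perms = new Permissions();
                perms.add(new FilePermission("/home/client/public_html/-", "read,write,delete"));
                return perms;
            }
        });
        System.setSecurityManager(new SecurityManager());

        // 1. File I/O: the grant covers the user's own tree and nothing else.
        System.out.println("read own tree:   "
            + isGranted(new FilePermission("/home/client/public_html/index.jsp", "read")));
        System.out.println("read other tree: "
            + isGranted(new FilePermission("/home/other/public_html/index.jsp", "read")));

        // 2. Reflection: file paths are irrelevant here. Disabling access checks on a
        //    private member needs ReflectPermission "suppressAccessChecks", not granted above.
        System.out.println("suppressAccessChecks: "
            + isGranted(new ReflectPermission("suppressAccessChecks")));
        Field f = Library.class.getDeclaredField("internalState");
        try {
            f.setAccessible(true);
            System.out.println("setAccessible allowed; private state: " + f.get(new Library()));
        } catch (AccessControlException e) {
            System.out.println("setAccessible denied: " + e.getPermission());
        }
    }
}
```

Run it with `java PolicyScopeDemo` on a Java 8 JDK. The first check passes and the other three are refused; adding a `permission java.lang.reflect.ReflectPermission "suppressAccessChecks";` line to the grant is what would flip the reflection result, which is why granting it to code you do not trust is the risk raised in the reply below.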


On Tue, 27 Jan 2004 12:04:21 -0500, "Shapira, Yoav" <[EMAIL PROTECTED]> wrote:

> From: "Shapira, Yoav" <[EMAIL PROTECTED]>
> Date: Tue, 27 Jan 2004 12:04:21 -0500
> To: "Tomcat Users List" <[EMAIL PROTECTED]>
> Subject: RE: Tomcat + Hibernate2 + Security Manager
> 
> 
> Howdy,
> 
> >I know this is a little bit out of topic, but the general concept is
> >useful for everybody.
> 
> I agree this is useful for everyone.  Posting off-topic is fine as long
> as you mark it by placing [OFF-TOPIC] at the beginning of the subject
> line.
> 
> >Note: I DID test using a codebase like:
> >
> >grant codeBase "file:/home//client/public_html/WEB-
> >INF/lib/hibernate2.jar!/-" {
> >....
> >
> >but the classes hibernate creates after reflection stop obeying the
> >security manager.
> 
> Yeah, that's too bad.  The SuppressAccessChecks permission is dangerous,
> if malicious code is running inside your VM.
> 
> Yoav Shapira
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]