On Wed, Jan 16, 2002 at 11:59:53PM -0500, Richard Gordon wrote:
> At 10:55 PM -0500 1/16/02, Ben Parker wrote:
> >If you manage to install Webware from FTP or SCP access only, you can
> >always use popen() from within a servlet to execute any command as if
> >you were in a shell.
>
> That's interesting as I would have thought (and hoped) that you would
> at least have to figure out a way to change to a privileged user id
> before you could start issuing system commands. Don't servlets run as
> user Nobody just like cgi?
Any user can spawn an external command via os.popen() or os.system(), as
long as you have execute permission on that command. You'd also need
execute permission on the directory the command is in and every parent
directory to the top (on Unix). Normal systems are set up so that anybody
can run any command. Security is done either explicitly (the command
aborts itself if run by an inappropriate user) or de facto (the command
tries to open a file for writing and fails).

Several shells have a "restricted shell" feature such that if the
sysadmin enables it on your login shell, you cannot cd outside your home
directory (not even to a subdirectory), can't change your PATH, and
can't run a command containing a slash (/). This limits you to whatever
commands the sysadmin has placed in your PATH. I suppose a sysadmin could
with some custom tweaking do something along those lines for CGI scripts.

As Ian said, servlets run as whatever user you started the AppServer as.

--
-Mike (Iron) Orr, [EMAIL PROTECTED] (if mail problems: [EMAIL PROTECTED])
http://iron.cx/ English * Esperanto * Russkiy * Deutsch * Espan~ol

_______________________________________________
Webware-discuss mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/webware-discuss
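The two points Mike makes above (a spawned command needs execute permission on the binary and search permission on every directory up to the root, and it runs as whatever user started the AppServer, with no change of uid) can be checked directly from Python. The following is an added illustration, not code from the original thread or from Webware; it assumes a Unix host with `/bin/sh` and the `id` utility available, which are the only external dependencies.

```python
import os
import subprocess
from pathlib import Path


def executable_reachable(cmd_path: str) -> bool:
    """Return True if the effective user could run cmd_path.

    Mirrors the Unix rule from the post: execute permission is required on
    the file itself and on every directory from its parent up to the root
    (directory "execute" is search permission).  Symlinks are resolved so the
    real path is what gets checked.
    """
    p = Path(cmd_path).resolve()
    if not p.is_file() or not os.access(p, os.X_OK):
        return False
    return all(os.access(parent, os.X_OK) for parent in p.parents)


def spawned_uid() -> int:
    """Spawn `id -u` as a servlet would and return the uid the child ran as.

    subprocess.run with an argument list is used instead of os.popen so no
    shell is involved; the uid result is the same either way.
    """
    out = subprocess.run(["id", "-u"], capture_output=True, text=True, check=True)
    return int(out.stdout.strip())


def child_runs_as_server_user() -> bool:
    """There is no uid change when a servlet spawns a command: the child
    inherits the AppServer's effective uid."""
    return spawned_uid() == os.geteuid()


def appserver_is_privileged() -> bool:
    """True when the process (and so every command it spawns) is root.
    The mitigation the thread points at is to start the AppServer as an
    unprivileged account so this returns False."""
    return os.geteuid() == 0


if __name__ == "__main__":
    print("can reach /bin/sh:", executable_reachable("/bin/sh"))
    print("child uid == server uid:", child_runs_as_server_user())
    print("AppServer running as root:", appserver_is_privileged())
```

Run it from the same account the AppServer uses: `executable_reachable` shows which commands that account can actually launch, and `child_runs_as_server_user` confirms that a spawned command carries the server's identity, which is why the account the AppServer is started as is the real security boundary here.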
