From: <php...@li...> - 2009-04-30 17:16:27
Hi Andre,
I am moving to Hamburg, so I probably won't have much time until next week.
The attachment didn't come through, btw. My telephone cannot decode base64
attachments, yet. I assume that you have added some rules to allow php to
execute scripts.
But I am not yet convinced that a strict java policy is worth the trouble.
The biggest security hole is php itself, not some missing java policy.
Regards,
Jost Boekemeier
On Apr 30, 2009 5:22 PM, <
php...@li...> wrote:
Hello, Jost
I tested today against Tomcat 5.5 with the attached
/etc/tomcat5.5/policy.d/60JavaBridge.policy
with ideas taken from project's /server/javabridge.policy and
it worked with auto-deploy of JavaBridge.war, using
bridge deb package compiled from cvs.
The file is not at the repository, yet (will include the gpl
header at least).
Unfortunately I will likely not have time to test against
Debian Tomcat 6.x until next week.
The debian package at cvs is prepared to work with tomcat 5.5,
so I expect some effort ahead to debug this.
A regular debian package installing files at tomcat system lib dir
should be avoided whenever possible.
As it is working at the debian tomcat5.5 with auto-deploying, I will
try to test with debian tomcat 6 and get it working in similar way.
I am not a security expert, so if the tomcat security is not enough, I
will have to package the javabridge selinux configurations.
I guess there is a debian way to package these configs too.
Regards.
Andre Felipe Machado
http://www.techforce.com.br
On Thu, 30 Apr 2009 08:28:12 +0200,
php...@li... wrote:
> Hi Andre,
>
> I have just tested it on a tomcat 6.0.18 running with -security switched on.
> It stops the PhpCGIServlet from executing /bin/sh.
>
> This can be solved by removing the JavaBridge.jar, php-servlet.jar and
> php-script.jar from the application "JavaBridge.war", and adding them to the
> shared library dir TOMCAT_HOME/lib/ instead. Neither additional security
> declarations nor manipulations of global, shared XML files are necessary to
> fix this problem.
>
> It is true that PHP scripts may do foolish things like killing all other
> running php scripts, <?php system("killall php")?>, or even its own java
> container, <?php system("killall java");?>, but Java security doesn't help.
> The best way to secure PHP scripts is to use "Security Enhanced Linux"
> rules. RedHat Fedora and Enterprise Linux already contain these rules.
> Rules for the PHP/Java Bridge are contained in the security folder of the
> redhat RPM, and applied when the RPM is installed.
>
> Regards,
> Jost Boekemeier
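For reference, a policy fragment in the form Debian's tomcat5.5 assembles from /etc/tomcat5.5/policy.d/. This is a constructed example added here, not Andre's attached 60JavaBridge.policy and not the project's /server/javabridge.policy; the webapp path, the php-cgi path and the port range are assumptions.

```text
// Constructed example; not the attached 60JavaBridge.policy.
// Tomcat 6's stock catalina.policy gives everything under ${catalina.home}/lib/
// AllPermission, which is why moving JavaBridge.jar, php-servlet.jar and
// php-script.jar there makes the -security failure disappear:
//
//   grant codeBase "file:${catalina.home}/lib/-" {
//       permission java.security.AllPermission;
//   };
//
// Keeping the jars inside the webapp and granting only what PhpCGIServlet
// needs is the narrower alternative. All paths below are assumptions.
grant codeBase "file:${catalina.base}/webapps/JavaBridge/-" {
    // Execute the PHP CGI binary (assumed location). An execute grant on
    // /bin/sh, which is what the servlet was blocked on, would let any PHP
    // script reached through the bridge run arbitrary commands anyway, so the
    // Java policy is not where PHP itself gets contained (SELinux is).
    permission java.io.FilePermission "/usr/bin/php-cgi", "execute";
    // Read its own deployed files.
    permission java.io.FilePermission "${catalina.base}/webapps/JavaBridge/-", "read";
    // Bridge traffic on loopback only (assumed port range).
    permission java.net.SocketPermission "localhost:1024-", "listen,accept,connect,resolve";
    permission java.util.PropertyPermission "*", "read";
};
```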
php-java-bridge-users mailing list
php...@li...
https://lists.sourceforge.net/lists/listinfo/php-java-bridge-users