Anonymous | Login | Signup for a new account | 12-17-2024 10:29 PST |
Main | My View | View Issues | Change Log | Docs |
Viewing Issue Simple Details [ Jump to Notes ] | [ View Advanced ] [ Issue History ] [ Print ] | ||||||||
ID | Category | Severity | Reproducibility | Date Submitted | Last Update | ||||
0002201 | [Resin] | major | always | 11-22-07 11:52 | 11-30-07 15:14 | ||||
Reporter | ckchris | View Status | public | ||||||
Assigned To | ferg | ||||||||
Priority | normal | Resolution | fixed | ||||||
Status | closed | Product Version | 3.1.3 | ||||||
Summary | 0002201: Security issue with starting up multiple resin instances in cluster mode | ||||||||
Description |
Normal/unauthorized users are able to start up and shutdown individual server instances without any restrictions. I have been toying around with creating two clusters running on the same machine, each with its own <server> (cluster a, server a and cluster b, server b) running on separate srun ports. I have user-name set to change from root to resin for the servers. Watchdog process runs as root. So if you look at the process tree, it will look something like this: root 19266 0.0 1.3 278620 45208 pts/1 Sl 04:07 0:03 /usr/java/jdk1.5.0_14/bin/java -Djava.util.logging.manager=com.c resin 20179 6.5 8.2 933960 278436 pts/1 Sl 11:09 0:22 \_ /usr/java/jdk1.5.0_14/bin/java -Djava.util.logging.manager=c resin 20221 9.8 2.1 861036 73812 pts/1 Sl 11:14 0:04 \_ /usr/java/jdk1.5.0_14/bin/java -Djava.util.logging.manager=c Server a has an http port configured to be 80. Server b is running only a srun server that gets used through a rewrite-dispatch from server a. The Security Problem ======================== *) If no instances are running, a normal user cannot start up resin without hitting a "binding address" error since port 80 requires superuser access. This works as expected. *) If watchdog process is started to run either server a or b as root, then everything starts up fine. *) Once watchdog process is started, a normal user is able to start and stop server a at will that binds to port 80 with no problems. This is because the watchdog process is running as root. It appears that the watchdog process is listening for any commands asking it to start up any instances without security checks. Since it's running as root, it's possible that once a watchdog process is started as root, any user can ask the watchdog process to start any resin instances and bind the http to listen on any ports under 1024. This security risk can probably be mitigated by running watchdog process as a normal "resin" user, but that would of course require the firewall configuration, which is not preferred. However, even with the watchdog running as a normal "resin" user, any user can still ask resin to start up any instances that can then inadvertently give them access to resin state information and logs in the server root directory (ie. session.db and cache.db and admin data). Normally, these are not readable by the world so normal users can't see them, but if they can start up any resin instance that can be run under the same watchdog process, they can create servlets to read into the resin-own directories with no problems. There is one thing that I noticed. The server that's started will only run under the same watchdog process if, I believe, the same server-root directory, config, and others are used. I am not sure though. If this is the case, then the security risk is a bit lower. This means that I can simply make the resin.conf file unreadable by the world and everything should be ok. -Chris Chen |
||||||||
Additional Information | JDK 1.5_12 on Linux CentOS 5 | ||||||||
Attached Files | |||||||||
|
Mantis 1.0.0rc3[^]
Copyright © 2000 - 2005 Mantis Group
30 total queries executed. 26 unique queries executed. |