User Security
Written by Joseph Ottinger
If you allow users on your system, you're potentially opening up security holes. Period.
Many webservers, such as Apache, use UNIX features to change the user id to a normally safe (in other words, very restricted) user id to prevent abuse. Java, however, has no concept of a user, because Java is cross-platform and some platforms don't have any real user (such as Win98, which uses the term "user" very loosely).
To change the user, you'll need to download this file and unpack it. (If this link doesn't work, try this one instead.)
The contents of the file:
native_user_support/
native_user_support/readme.txt
native_user_support/source/
native_user_support/source/Makefile
native_user_support/source/NativeSupportImp.c
native_user_support/source/NativeSupport.h
native_user_support/source/com/
native_user_support/source/com/evermind/
native_user_support/source/com/evermind/server/
native_user_support/source/com/evermind/server/NativeSupport.java
native_user_support/source/TestUserChange.java
native_user_support/binaries/
native_user_support/binaries/redhat-6.2/
native_user_support/binaries/redhat-6.2/liborion.so
native_user_support/binaries/solaris-7/
native_user_support/binaries/solaris-7/liborion.so
native_user_support/binaries/TestUserChange.class
native_user_support/binaries/com/
native_user_support/binaries/com/evermind/
native_user_support/binaries/com/evermind/server/
native_user_support/binaries/com/evermind/server/NativeSupport.class
Copy the binary file that's appropriate for your platform (the .so file) to your Orion directory as liborion.so, then start Orion with -Djava.library.path=/path/to/orion -Dnative.user=username like so:
java -Djava.library.path=/path/to/orion -Dnative.user=myuser -jar orion.jar
Note that this effectively cripples Orion for some uses: Orion is able to correct and rewrite configuration files, but often not as the replacement user.
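What a switch to a restricted user involves at the native level, as an added example in C. It is not the contents of NativeSupportImp.c, which this page does not show; the function name drop_to_user and the default account name nobody are assumptions.

```c
/* Added example, not Orion's NativeSupportImp.c. */
#define _DEFAULT_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop from root to the named account. Returns 0 on success and a negative
 * code on failure; the caller should abort startup on any failure instead
 * of continuing to serve as root. */
int drop_to_user(const char *name)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL)
        return -1;                  /* unknown account */
    if (pw->pw_uid == 0)
        return -2;                  /* "dropping" to root protects nothing */
    if (geteuid() != 0)
        return -3;                  /* only root may switch identity */

    /* Order matters: supplementary groups and gid first, while the process
     * still has the privilege to change them; uid last. */
    if (initgroups(pw->pw_name, pw->pw_gid) != 0)
        return -4;
    if (setgid(pw->pw_gid) != 0)
        return -5;
    if (setuid(pw->pw_uid) != 0)
        return -6;

    /* Verify the drop is permanent: regaining root must now fail. */
    if (setuid(0) == 0 || seteuid(0) == 0)
        return -7;
    if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid ||
        getgid() != pw->pw_gid || getegid() != pw->pw_gid)
        return -8;
    return 0;
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "nobody"; /* assumed account */
    int rc = drop_to_user(user);
    if (rc != 0) {
        fprintf(stderr, "refusing to continue: drop_to_user(%s) = %d\n", user, rc);
        return 1;
    }
    printf("now running as uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return 0;
}
```

Files the server must rewrite after the switch, such as its configuration files, have to be writable by the target account, which is the limitation the note above describes.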
Orion really isn't designed to serve user directories, being a professional application server. However, it does support user directories. This does, however, introduce a security problem. For one thing, the JVM on the server side can do nearly anything it likes as whatever user it runs as (normally, the system administrator), so this is an obvious security hole. For another, users can actually shut down the webserver themselves, by simply executing System.exit(0); in a JSP file.
The workaround? Use the undocumented -secure flag. This will require a change in your JRE's security settings. This is still in testing, so you may notice some oddities; report them to bugs@orionserver.com.
Copyright © 2007 IronFlare AB