OrionSupport, User security

User security

Written by Joseph Ottinger

If you allow users on your system, you're potentially opening up security holes. Period. 1 Changing Orion's User ID Many webservers, such as {link:Apache|http://www.apache.org/}, use UNIX features to change the userid to a normally safe user id (in other words, a very restricted user id) to prevent abuse. Java, however, has no concept of a user, because Java is cross-platform and some platforms don't have any real user (such as Win98, which uses the term "user" very loosely.) To change the user, you'll need to download {link:this file|http://www.orionserver.com/distributions/native_user_support.tar.gz} and unpack it. (If this link doesn't work, try {link:this one|http://www.orionsupport.com/archive/native_user_support.tar.gz} instead.) The contents of the file: {code} native_user_support/ native_user_support/readme.txt native_user_support/source/ native_user_support/source/Makefile native_user_support/source/NativeSupportImp.c native_user_support/source/NativeSupport.h native_user_support/source/com/ native_user_support/source/com/evermind/ native_user_support/source/com/evermind/server/ native_user_support/source/com/evermind/server/NativeSupport.java native_user_support/source/TestUserChange.java native_user_support/binaries/ native_user_support/binaries/redhat-6.2/ native_user_support/binaries/redhat-6.2/liborion.so native_user_support/binaries/solaris-7/ native_user_support/binaries/solaris-7/liborion.so native_user_support/binaries/TestUserChange.class native_user_support/binaries/com/ native_user_support/binaries/com/evermind/ native_user_support/binaries/com/evermind/server/ native_user_support/binaries/com/evermind/server/NativeSupport.class {code} Copy the binary file that's appropriate for your platform (the .so file) to your Orion directory as __liborion.so__, then start Orion like so: {code} java -Djava.library.path=/path/to/orion -Dnative.user=myuser -jar orion.jar {code} Note that this effectively cripples Orion for some uses, as Orion is able to correct and rewrite configuration files.. but often, not as the replacement user. 1 Protecting Orion Against Malicious Users Orion really isn't designed to serve user directories, being a professional application server. However, it does support user directories. This does, however, introduce a problem of security. For one thing, the JVM on the server side can do nearly anything it likes as whatever it runs as (normally, the system administrator), so this is an obvious security hole. For another, users can actually shut down the webserver themselves, by simply executing __System.exit(0);__ in a JSP file. The workaround? Use the undocumented __-secure__ flag. This will require a change in your JRE's security settings. This is still in testing, so you may notice some oddities; report them to {link:bugs@orionserver.com|mailto:bugs@orionserver.com}.