oss-sec mailing list archives
Re: Running Java across a privilege boundary
From: Russ Allbery <eagle () eyrie org>
Date: Sat, 22 Nov 2014 09:25:31 -0800
Tim Brown <tmb () 65535 com> writes:

> Does anyone know of any obvious cases where Java is executed across a privilege boundary? I'm specifically thinking of cases where it might be executed via sudo, via another set[ug]id binary, or where it gets called from an untrusted working directory, i.e. one not owned by the calling user?

"sudo service tomcat6 restart" would be a pretty obvious example that I suspect is not uncommon in server environments.

In general, Java is a general-purpose programming language, so I think there are plenty of examples of this, just like there are with any other programming language. Any large system written in Java probably has a few Java command-line tools or ways to spawn Java daemons, and in the normal course of setting up a system, it's likely that someone is granting access to run those tools via sudo.

-- 
Russ Allbery (eagle () eyrie org)              <http://www.eyrie.org/~eagle/>
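Two checks an administrator could run for the situations this exchange describes, as an added example that is not part of the thread or of any project mentioned in it: one verifies that a working directory is owned by the user who actually invoked the command (under sudo that user's uid is in SUDO_UID), the other lists sudoers rules whose command line mentions a java binary or a service/init wrapper such as the "sudo service tomcat6 restart" case above. Assumptions: GNU `stat -c %u` is available, and the sudoers content is passed as a file path (the function names and the sample rules in the test are constructed for illustration).

```shell
#!/bin/sh
# Added example, not from the oss-sec thread.

# Return 0 if directory $1 (default: the current directory) is owned by the
# invoking user, 1 if it is owned by someone else, 2 if it cannot be stat'ed.
# The invoking uid is taken from $2 if given (useful for testing), otherwise
# from SUDO_UID when running under sudo, otherwise from id -u.
cwd_owned_by_invoker() {
    dir=${1:-.}
    invoker=${2:-${SUDO_UID:-$(id -u)}}
    owner=$(stat -c %u "$dir" 2>/dev/null) || return 2
    [ "$owner" = "$invoker" ]
}

# Print the non-comment, non-blank rules in a sudoers-style file $1 whose
# command mentions java, a service(8)/init.d wrapper, or systemctl, so the
# rules that can end up launching a JVM as another user can be reviewed.
find_java_sudo_rules() {
    grep -E -v '^[[:space:]]*(#|$)' "$1" \
        | grep -E -i 'java|/service|/init\.d/|systemctl'
}

# Usage from a wrapper that is itself invoked via sudo:
#   cwd_owned_by_invoker || { echo "refusing to run from $PWD" >&2; exit 1; }
#   find_java_sudo_rules /etc/sudoers
```

The ownership check is the conservative reading of "an untrusted working directory": a wrapper that refuses to proceed unless the directory belongs to the invoking user avoids the question of what the JVM might pick up from it. The sudoers scan is only a review aid; a rule that runs an arbitrary script still has to be read by a human to see whether Java is started underneath.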