Re: Java allows root access without permission?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

  On 10/27/2010 01:14 PM, Athmane Madjoudj wrote:
> On 10/27/2010 09:07 PM, Deepak Bhole wrote:
>> * Michael Cronenworth<mike@xxxxxxxxxx>   [2010-10-27 16:00]:
>>> Fedora 13 x86_64 with OpenJDK (not Sun) installed.
>>>
>>> I was required to login to a web site today to configure a VPN and the
>>> site installed a Cisco VPN Java applet. When it was finished installing
>>> and was running I noticed the processes where running as root and had
>>> installed into /opt. I had not given it my root password or any
>>> permission to do so. It did not install any RPM package. It was all
>>> driven by a Java applet.
>>>
>>> $ ps -efw #id 502 is me
>>> 502       4791  2668  0 11:16 ?        00:00:19
>>> /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64/../../bin/java
>>> sun.appl
>>> root      4923     1  0 11:16 ?        00:00:00 /opt/cisco/vpn/bin/vpnagentd
>>>
>>> Is this something "allowed" by some configuration setting in OpenJDK
>>> somewhere? I'd like to turn off this "feature" ASAP.
>>>
>> Such a thing should/would not be allowed. Applets run as normal users
>> and escalated privileges would imply a severe security violation in the
>> base os itself.
>>
>> How did you install/run the applet?
>>
>> Deepak
>>
> I have tried the following applet:
>
> http://www.java.com/en/download/help/testvm.xml
>
> ps aux | grep java
>
> shows only me (not root) as user .
>
> isn't related to "/opt/cisco/vpn/bin/vpnagentd" which runs as root ?
>
But that was not Deepak's question.
He is asking how did you get the applet to run in the first place.
You are stating in the original post:
 >> I was required to login to a web site today to configure a VPN and the
 >> site installed a Cisco VPN Java applet.
But we are missing the details of what you actually did to cause this
root-privileged applet to be installed and then what you did to agree
to it's running. This is crucial information.


-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux