On 10/27/2010 01:14 PM, Athmane Madjoudj wrote: > On 10/27/2010 09:07 PM, Deepak Bhole wrote: >> * Michael Cronenworth<mike@xxxxxxxxxx> [2010-10-27 16:00]: >>> Fedora 13 x86_64 with OpenJDK (not Sun) installed. >>> >>> I was required to login to a web site today to configure a VPN and the >>> site installed a Cisco VPN Java applet. When it was finished installing >>> and was running I noticed the processes where running as root and had >>> installed into /opt. I had not given it my root password or any >>> permission to do so. It did not install any RPM package. It was all >>> driven by a Java applet. >>> >>> $ ps -efw #id 502 is me >>> 502 4791 2668 0 11:16 ? 00:00:19 >>> /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64/../../bin/java >>> sun.appl >>> root 4923 1 0 11:16 ? 00:00:00 /opt/cisco/vpn/bin/vpnagentd >>> >>> Is this something "allowed" by some configuration setting in OpenJDK >>> somewhere? I'd like to turn off this "feature" ASAP. >>> >> Such a thing should/would not be allowed. Applets run as normal users >> and escalated privileges would imply a severe security violation in the >> base os itself. >> >> How did you install/run the applet? >> >> Deepak >> > I have tried the following applet: > > http://www.java.com/en/download/help/testvm.xml > > ps aux | grep java > > shows only me (not root) as user . > > isn't related to "/opt/cisco/vpn/bin/vpnagentd" which runs as root ? > But that was not Deepak's question. He is asking how did you get the applet to run in the first place. You are stating in the original post: >> I was required to login to a web site today to configure a VPN and the >> site installed a Cisco VPN Java applet. But we are missing the details of what you actually did to cause this root-privileged applet to be installed and then what you did to agree to it's running. This is crucial information. -- users mailing list users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
