[Bug 253691] Review Request: java-1.7.0-icedtea - IcedTea runtime and development environments

bugzilla at redhat.com bugzilla at redhat.com
Fri Aug 24 01:03:48 UTC 2007



Summary: Review Request: java-1.7.0-icedtea - IcedTea runtime and development environments


https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253691





------- Additional Comments From fitzsim at redhat.com  2007-08-23 21:02 EST -------
(In reply to comment #15)
> Is it sensible to drop java-rmi.cgi in cgi-bin considering that its purpose is
> to tunnel rmi to any host/port bypassing any local firewall? Here is what
> http://java.sun.com/developer/onlineTraining/rmi/RMI.html says about it:
> 
> "Additionally, using the java-rmi.cgi script exposes a fairly large security
> loophole on your server machine, as now, the script can redirect any incoming
> request to any port, completely bypassing your firewalling mechanism."
> 
> IMHO it would be better to install it somewhere else, anyone that needs to use
> it will have to modify it anyway to restrict to specific ports at the minimum so
> it's more of an example than a useful application.

What about just restricting all ports in the default configuration?  I put
java-rmi.cgi in its own subpackage so that it is completely optional, and to
isolate the cgibindir requirement.  Other options would be to move the script to
the demo subpackage or just not include it in the IcedTea packages.

Is the java-rmi.cgi script actually deployed frequently, or is it just meant as
a demo for system administrators?  The comments seem to suggest that it's useful
in practice and not just a demo.  If it's actually deployed frequently, I'd like
to keep the subpackage + cgibindir requirement + all ports locked down.  This
minimizes the fiddling needed to get the script working while still providing
out-of-the-box security.  On the other hand, if java-rmi.cgi is just a toy then
it should go in the demo subpackage and we can drop the cgibindir requirement in
favour of a README.

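The "all ports locked down by default" policy proposed in the comment above, as an added example that is not code from the IcedTea package or the java-rmi.cgi script itself. It assumes the CGI receives the tunnel target as a `forward=<port>` query parameter (an assumption; only that query-string shape is modelled) and shows a default-deny decision that an administrator must explicitly widen.

```python
"""Default-deny port policy for an RMI tunnelling CGI (added example)."""
import re
from urllib.parse import parse_qs

# Ports the administrator has explicitly enabled for tunnelling.
# Empty by default: out of the box nothing may be forwarded.
DEFAULT_ALLOWED_PORTS = frozenset()

# Only a plain decimal number is accepted as a port; anything else
# (host names, "host:port", paths) is rejected before it is looked at.
_PORT_RE = re.compile(r"^\d{1,5}$")


def parse_forward_port(query_string):
    """Return the requested port as an int, or None if the query is malformed.

    Exactly one `forward` value is required (assumed parameter name), so a
    request carrying several targets or a non-numeric target is refused.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    values = params.get("forward")
    if not values or len(values) != 1:
        return None
    value = values[0]
    if not _PORT_RE.fullmatch(value):
        return None
    port = int(value)
    if not 1 <= port <= 65535:
        return None
    return port


def forward_allowed(query_string, allowed_ports=DEFAULT_ALLOWED_PORTS):
    """Default-deny decision: True only for a well-formed, allowlisted port."""
    port = parse_forward_port(query_string)
    return port is not None and port in allowed_ports


if __name__ == "__main__":
    # Constructed sample requests: the default policy refuses every one.
    for qs in ("forward=1099", "forward=22", "forward=localhost:1099", ""):
        print(repr(qs), "->", forward_allowed(qs))
```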