Java allows root access without permission?
Deepak Bhole
dbhole at redhat.com
Wed Oct 27 20:07:29 UTC 2010
* Michael Cronenworth <mike at cchtml.com> [2010-10-27 16:00]:
> Fedora 13 x86_64 with OpenJDK (not Sun) installed.
>
> I was required to login to a web site today to configure a VPN and the
> site installed a Cisco VPN Java applet. When it was finished installing
> and was running I noticed the processes where running as root and had
> installed into /opt. I had not given it my root password or any
> permission to do so. It did not install any RPM package. It was all
> driven by a Java applet.
>
> $ ps -efw #id 502 is me
> 502 4791 2668 0 11:16 ? 00:00:19
> /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64/../../bin/java
> sun.appl
> root 4923 1 0 11:16 ? 00:00:00 /opt/cisco/vpn/bin/vpnagentd
>
> Is this something "allowed" by some configuration setting in OpenJDK
> somewhere? I'd like to turn off this "feature" ASAP.
>
Such a thing should/would not be allowed. Applets run as normal users
and escalated privileges would imply a severe security violation in the
base os itself.
How did you install/run the applet?
Deepak
> Thanks,
> Michael
> --
> users mailing list
> users at lists.fedoraproject.org
> To unsubscribe or change subscription options:
> https://admin.fedoraproject.org/mailman/listinfo/users
> Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
More information about the users
mailing list