I noticed that one of my clients has tried to gain shell access to one of my main servers by using Runtime.exec(). Is there a way for me to block this using Java Security Manager?
While I think Java has Security Manager so that you grant/revoke permission to your client https://docs.oracle.com/javase/8/docs/api/java/lang/SecurityManager.html – CY5 Apr 05 '15 at 14:12
1 Answer
Yes, there is. Process.start() uses SecurityManager.checkExec(cmd) to check if the operation is permitted. The javadoc for that method says:
"This method calls checkPermission with the FilePermission(cmd, "execute") permission if cmd is an absolute path, otherwise it calls checkPermission with FilePermission("<<ALL FILES>>", "execute")."
So you need to configure your security sandbox to block those permissions. You probably need to block a number of other things too.
This Q&A is a good starting point on how to set up a sandbox:
It includes a link to the Oracle documentation ... and it is important that you read and understand that.
Running other people's code on your server is potentially dangerous, and you need to understand how they could "hurt" you before you can protect against it. Bear in mind that you could be dealing with really smart people ... not just "script kiddies" probing known vulnerabilities.
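An added example, not part of the original answer: a minimal SecurityManager subclass showing how the checkExec(cmd) call quoted above arrives in checkPermission as a FilePermission with the "execute" action, for both the absolute-path and the "<<ALL FILES>>" case. The class and method names are hypothetical, and it assumes a JDK where the Security Manager can still be installed (such as Java 8, which the linked documentation covers).

```java
import java.io.FilePermission;
import java.io.IOException;
import java.security.Permission;

public class NoExecDemo {

    /** Hypothetical manager for this example: denies process execution, permits the rest. */
    static class NoExecSecurityManager extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            // checkExec(cmd) lands here as FilePermission(cmd, "execute") for an
            // absolute path, or FilePermission("<<ALL FILES>>", "execute") otherwise.
            if (perm instanceof FilePermission && perm.getActions().contains("execute")) {
                throw new SecurityException("exec denied: " + perm.getName());
            }
            // Without this check the sandboxed code could simply remove the manager.
            if (perm instanceof RuntimePermission
                    && "setSecurityManager".equals(perm.getName())) {
                throw new SecurityException("replacing the security manager is denied");
            }
            // Everything else is allowed only to keep the example short; a real
            // sandbox starts from "deny" and grants permissions through a policy.
        }
    }

    /** Returns true if the security manager vetoed the command before it started. */
    static boolean execBlocked(String... cmd) {
        try {
            new ProcessBuilder(cmd).start().destroy();
            return false;
        } catch (SecurityException e) {
            return true;
        } catch (IOException e) {
            return false; // command not found, but the manager did not veto it
        }
    }

    public static void main(String[] args) {
        System.setSecurityManager(new NoExecSecurityManager());
        // Constructed sample commands: one absolute path, one relative name.
        System.out.println("absolute path blocked: " + execBlocked("/bin/echo", "hello"));
        System.out.println("relative name blocked: " + execBlocked("echo", "hello"));
    }
}
```

Runtime.exec() goes through ProcessBuilder.start(), so the same check covers both entry points.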