On 10/27/2010 01:14 PM, Athmane Madjoudj wrote:
On 10/27/2010 09:07 PM, Deepak Bhole wrote:
> * Michael Cronenworth<mike(a)cchtml.com> [2010-10-27 16:00]:
>> Fedora 13 x86_64 with OpenJDK (not Sun) installed.
>>
>> I was required to login to a web site today to configure a VPN and the
>> site installed a Cisco VPN Java applet. When it was finished installing
>> and was running I noticed the processes where running as root and had
>> installed into /opt. I had not given it my root password or any
>> permission to do so. It did not install any RPM package. It was all
>> driven by a Java applet.
>>
>> $ ps -efw #id 502 is me
>> 502 4791 2668 0 11:16 ? 00:00:19
>> /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64/../../bin/java
>> sun.appl
>> root 4923 1 0 11:16 ? 00:00:00 /opt/cisco/vpn/bin/vpnagentd
>>
>> Is this something "allowed" by some configuration setting in OpenJDK
>> somewhere? I'd like to turn off this "feature" ASAP.
>>
> Such a thing should/would not be allowed. Applets run as normal users
> and escalated privileges would imply a severe security violation in the
> base os itself.
>
> How did you install/run the applet?
>
> Deepak
>
I have tried the following applet:
http://www.java.com/en/download/help/testvm.xml
ps aux | grep java
shows only me (not root) as user .
isn't related to "/opt/cisco/vpn/bin/vpnagentd" which runs as root ?
But that was not Deepak's question.
He is asking how did you get the applet to run in the first place.
You are stating in the original post:
> I was required to login to a web site today to configure a VPN
and the
> site installed a Cisco VPN Java applet.
But we are missing the details of what
you actually did to cause this
root-privileged applet to be installed and then what you did to agree
to it's running. This is crucial information.