Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report.

Summary: Review Request: java-1.7.0-icedtea - IcedTea runtime and development environments

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253691

------- Additional Comments From fitzsim@xxxxxxxxxx 2007-08-23 21:02 EST -------

(In reply to comment #15)
> Is it sensible to drop java-rmi.cgi in cgi-bin considering that its purpose is
> to tunnel rmi to any host/port bypassing any local firewall? Here is what
> http://java.sun.com/developer/onlineTraining/rmi/RMI.html says about it:
>
> "Additionally, using the java-rmi.cgi script exposes a fairly large security
> loophole on your server machine, as now, the script can redirect any incoming
> request to any port, completely bypassing your firewalling mechanism."
>
> IMHO it would be better to install it somewhere else, anyone that needs to use
> it will have to modify it anyway to restrict to specific ports at the minimum so
> it's more of an example than a useful application.

What about just restricting all ports in the default configuration?

I put java-rmi.cgi in its own subpackage so that it is completely optional, and to isolate the cgibindir requirement. Other options would be to move the script to the demo subpackage or just not include it in the IcedTea packages.

Is the java-rmi.cgi script actually deployed frequently, or is it just meant as a demo for system administrators? The comments seem to suggest that it's useful in practice and not just a demo.

If it's actually deployed frequently, I'd like to keep the subpackage + cgibindir requirement + all ports locked down. This minimizes the fiddling needed to get the script working while still providing out-of-the-box security.

On the other hand, if java-rmi.cgi is just a toy then it should go in the demo subpackage and we can drop the cgibindir requirement in favour of a README.
--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

_______________________________________________
Fedora-package-review mailing list
Fedora-package-review@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-package-review
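The "all ports locked down by default" option discussed in the message above can be illustrated with a small gate in front of the CGI handler. This is an added example written for this page, not the IcedTea java-rmi.cgi script or anything from the package review. It assumes the request form the RMI HTTP-to-port tunnelling uses, a query string of `forward=<port>`, and it invents an environment variable `RMI_FORWARD_PORTS` holding the administrator's space-separated allowlist; with that variable empty (the shipped default) every forward request is refused, so the script is inert until someone deliberately opens specific ports.

```shell
#!/bin/sh
# Added example: a port-allowlist gate for an RMI HTTP tunnelling CGI.
# Not the IcedTea java-rmi.cgi; RMI_FORWARD_PORTS is a hypothetical
# variable an administrator would set, e.g. RMI_FORWARD_PORTS="1099 1100".
# Default (unset/empty): every forward request is refused.

# rmi_forward_port QUERY_STRING
# Prints the requested port if the query is exactly "forward=<digits>" with
# the value in 1..65535; returns 1 for anything else (missing key, extra
# parameters, non-numeric or out-of-range values).
rmi_forward_port() {
    case "$1" in
        forward=*) ;;
        *) return 1 ;;
    esac
    port=${1#forward=}
    case "$port" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge 1 ] 2>/dev/null && [ "$port" -le 65535 ] || return 1
    printf '%s\n' "$port"
}

# rmi_forward_allowed QUERY_STRING ALLOWLIST
# ALLOWLIST is a space-separated list of port numbers. The comparison is a
# plain string match, so "007" never matches an allowlisted "7"; an empty
# list denies everything.
rmi_forward_allowed() {
    port=$(rmi_forward_port "$1") || return 1
    for p in $2; do
        [ "$p" = "$port" ] && return 0
    done
    return 1
}

# rmi_cgi_gate
# What the wrapper would run before handing off to the real handler:
# answer 403 and return 1 when the port is not enabled, return 0 otherwise.
# The caller is expected to exec the real CGI handler only on success.
rmi_cgi_gate() {
    if ! rmi_forward_allowed "${QUERY_STRING:-}" "${RMI_FORWARD_PORTS:-}"; then
        printf 'Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n'
        printf 'RMI forwarding to that port is not enabled on this server.\r\n'
        return 1
    fi
    return 0
}
```

The gate validates the port syntactically before consulting the list, so a malformed value never reaches the allowlist comparison, and the decision is a string match against what the administrator wrote rather than an arithmetic one. Opening the tunnel to a registry on 1099 is then a one-line change to `RMI_FORWARD_PORTS`, while a fresh install refuses every request.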