Re: weblily: security risk

[Han-Wen Nienhuys]

I have poked around a bit, and could not find obvious holes, but you
are exposing the unix system, so it is a bit scary.  For example, if
there are local exploits in the kernel, this system makes it a remote
explote for weblily,and the fact that uname is available (telling me
you are on 2.6.31.ec2.301) makes this easier

Also, the scheme system is complete, so your scripts may still do
other nasty things:

- start a webservers (perhaps not useful if your system is behind a firewall)
- do a fork-bomb  (through the primitive-fork function), crashing your machine
- delete files under /usr/share/fonts, stopping weblily from working
- start a program that connects to other machines from weblily

I assume that this machine is not dedicated for weblily, so the last
point means that the firewall for inbound connections is also pierced.

For standard malware purposes the scheme route is too weird for
automated attacks, but this gives attackers so much to work with that
the tiniest weakness will turn into a remote compromise.  Also, the
opportunity for vandalism is big; while taking down your server may
not leak your bank credentials, it will cause you headaches.

In short, I dont think this is a very good idea - I recommend using
--safe in addition to the jail, also because it will help us improve
the --safe mode, which is underused currently.


On Thu, Mar 11, 2010 at 9:17 AM, Weblily <address@hidden> wrote:
> Hi Graham,
>
> thank your for sharing your thoughts about weblily.net. Of cource, security
> is a concern I have on my mind and I'd be happy to get into discussion with
> you and other knowledgable people on security issues. And I will do my very
> best notto fall prey to all those evil people out there, granted.Though I
> must confess, the tonality of your first e-mail did not really sound very
> inviting. But let's forget about that.
>
> Please take into consideration: I am not a specialist on computer security
> and rather (sorry for that) only an enthusiast working with some fervour on
> his little project. But I'll happily listen to any good advice.
>
> I would really like to know about security problems on weblily.net and would
> definitely work on overcoming them with the limited means I have.
>
> To give some facts:
> * weblily.net uses Liferay als portal software
> * the editor runs as Liferay Web Content on the page
> http://weblily.net/web/guest/runlilypond
> * the editor is a Google GWT application, i.e. JavaScript using GWT RPC to
> communicate with a java servlet hosted on the same Tomcat Liferay is running
> on
> * the servlet runs as user tomcat
> * LilyPond is called from the java servlet using the --jail=lily,lily,...
> option, i.e. runs as user lily
> * Hopefully the user lily has write permission only for the
> /homel/lily/scores/ and the /tmp directory in the jail
> * /home/lily/scores is visible as http://weblily.net/app/scores
> * /tmp should not be visible from the outside at all, but who knows?
> * other paths, like the permalink and template directories are not visible
> within the jail
>
> A problem I do have are crashes and infinite loops of LilyPond. After 5 such
> events you will get a "Server overloaded" message and it will take about 30
> seconds before LilyPond will be running again. Of course, if too many people
> are working simultaneously on weblily.net this will result in the very same
> message.
>
> Another message you might occasionally see is "Engraver error", this is a
> nice way of saying: "Servlet crashed" .
>
> You, Jan and Han-Wen are invited to play around with weblily.net and to
> explore potential weaknesses as long as you will inform me as the  first
> person about problems you see and as logn as you will give me a chance of
> fixing it before you go public. And of course, your advice on how these
> problmes might be resolved is always welcome.
>
> In the hope of providing a useful service to the LilyPond community,
>
> Johannes
>
> PS: I am currently preparing an article about weblily.net for the LilyPond
> Report. Maybe this can be a starting point for discussing ideas about how
> weblily.net might become a useful tool for the LilyPond community.
>
> Am 11.03.2010 02:07, schrieb Graham Percival:
>>
>> I apologize for this email; I jumped to a false conclusion and
>> made a baseless accusation.  I now have no reason to believe that
>> weblily poses a risk.
>>
>> I'm sorry.
>>
>> - Graham Percival
>>
>>
>> On Wed, Mar 10, 2010 at 08:21:24PM +0000, Graham Percival wrote:
>>
>>>
>>> Mr. Weblily,
>>>
>>> I like your enthusiasm with your weblily project, but for Mao's
>>> sake please learn something about computer security.  The current
>>> website is completely insecure.
>>>
>>> This is not a theoretical concern.  It would take me approximately
>>> two minutes to delete everything in your /home/lily/ directory --
>>> not just material in /home/lily/scores/.
>>>
>>>
>>> I wouldn't do this, of course -- but if a non-expert like me could
>>> do this so quickly, I'm certain that an experienced and malicious
>>> hacker could do far worse.  Such as taking over your machine and
>>> using it to attack other websites, distributing child porn, or
>>> whatever.
>>>
>>> If you want to continue to run your project without any regard for
>>> security, that's your business, but I want it understood that
>>> YOU HAVE COMPLETELY DISREGARDED ALL COMMON SENSE AND HAVE NOT READ
>>> THE MATERIAL ABOUT SECURITY IN OUR DOCUMENTATION.  YOU RUN
>>> LILYPOND IN THIS FASHION COMPLETELY AT YOUR OWN RISK, AND IF THE
>>> GERMAN EQUIVALENT OF THE FBI COMES KNOCKING ON YOUR DOOR ASKING
>>> WHY YOU ARE DISTRIBUTING RIPS OF HOLLYWOOD MOVIES OR PIRATED
>>> COMMERCIAL SOFTWARE, YOU CANNOT BLAME LILYPOND.
>>>
>>> The internet is not a playground.  If you're going to hand
>>> complete control over your server to other people, you might not
>>> like the consequences.
>>>
>>> - Graham Percival
>>>
>
>
>
> _______________________________________________
> lilypond-devel mailing list
> address@hidden
> http://lists.gnu.org/mailman/listinfo/lilypond-devel
>



-- 
Han-Wen Nienhuys - address@hidden - http://www.xs4all.nl/~hanwen