Mercurial > hg > release > thermostat-1.0
view distribution/scripts/thermostat-agent-proxy @ 1415:adb678c592f5
Remove RMI-based agent-proxy mechanism.
It was discovered that, in certain configurations, the Thermostat agent
disclosed JMX management URLs of all local Java virtual machines to any
local user. A local, unprivileged user could use this flaw to escalate
their privileges on the system. (CVE-2014-8120)
More information will be available at:
http://cve.mitre.org/cgi-bin/cvename.gci?name=CVE=2014-8120
author | Elliott Baron <ebaron@redhat.com> |
---|---|
date | Tue, 16 Dec 2014 11:54:58 -0700 |
parents | a0592d702416 |
children |
line wrap: on
line source
#!/bin/bash # # Copyright 2012-2014 Red Hat, Inc. # # This file is part of Thermostat. # # Thermostat is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published # by the Free Software Foundation; either version 2, or (at your # option) any later version. # # Thermostat is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Thermostat; see the file COPYING. If not see # <http://www.gnu.org/licenses/>. # # Linking this code with other modules is making a combined work # based on this code. Thus, the terms and conditions of the GNU # General Public License cover the whole combination. # # As a special exception, the copyright holders of this code give # you permission to link this code with independent modules to # produce an executable, regardless of the license terms of these # independent modules, and to copy and distribute the resulting # executable under terms of your choice, provided that you also # meet, for each linked independent module, the terms and conditions # of the license of that module. An independent module is a module # which is not derived from or based on this code. If you modify # this code, you may extend this exception to your version of the # library, but you are not obligated to do so. If you do not wish # to do so, delete this exception statement from your version. # ##################################################################### # # Some necessary variables. JAVA_DIR="@java.dir@" JAVA="@java.home@/bin/java" if [ "$#" -lt 2 ]; then echo "usage: $0 <pidOfTargetJvm> <userNameOfJvmOwner>" >&2 fi if [ x"$THERMOSTAT_INSTALL_DIR" = x ] ; then THERMOSTAT_INSTALL_DIR="@thermostat.home@" fi # Not always are installation directory and thermostat home one and # the same location. if [ x"$THERMOSTAT_HOME" = x ] ; then THERMOSTAT_HOME=${THERMOSTAT_INSTALL_DIR} fi THERMOSTAT_LIBS="${THERMOSTAT_HOME}/libs" # Need tools from the JVM TOOLS_JAR="@java.home@/../lib/tools.jar" # JARs necessary for the server SERVICE_CLASSPATH="${THERMOSTAT_LIBS}/thermostat-common-core-@project.version@.jar" SERVICE_CLASSPATH="${SERVICE_CLASSPATH}:${THERMOSTAT_LIBS}/thermostat-shared-config-@project.version@.jar" SERVICE_CLASSPATH="${SERVICE_CLASSPATH}:${THERMOSTAT_LIBS}/thermostat-agent-proxy-server-@project.version@.jar" SERVICE_CLASSPATH="${TOOLS_JAR}:${SERVICE_CLASSPATH}" AGENT_PROXY_CLASS="com.redhat.thermostat.agent.proxy.server.AgentProxy" # Set this to remote debug if [ x"$THERMOSTAT_DEBUG" != x ] ; then DEBUG_OPTS="-Xdebug -Xrunjdwp:transport=dt_socket,server=y,address=1082" fi # Start server # Drop permissions, if root if [ "$(/bin/id -u)" -eq 0 ]; then /bin/su "$2" -c "${JAVA} -cp ${SERVICE_CLASSPATH} ${DEBUG_OPTS} ${AGENT_PROXY_CLASS} $1" else ${JAVA} -cp ${SERVICE_CLASSPATH} ${DEBUG_OPTS} ${AGENT_PROXY_CLASS} $1 fi