13th Dec 2001 [SBWID-4921]
COMMAND
IBM Websphere reveals system root password (local)
SYSTEMS AFFECTED
IBM WebSphere 3.0.* on AIX, LINUX, SUN
IBM WebSphere 3.5.* on AIX, LINUX, SUN
PROBLEM
Heikki Tunkelo posted :
On a default installation WebSphere installs itself to run with
root identity, and stores the root password in clear text in the file
$WASROOT/properties/sas.server.props. The file has permissions 600, and
therefore other users on the system cannot access it.
The problem is that by default all Java code at WebSphere (JSPs,
servlets etc.) is running with root identity, and is therefore able to access
all files on the server's filesystem that are readable by root.
It is possible for a normal user (who has access to the system) to
construct a JSP file which reads the content of sas.server.props, copy
it into an appropriate directory and access the JSP through a web browser,
thereby gaining access to the root password.
It might also be possible to construct a JSP file that creates
shell scripts on the server filesystem and executes them with
root identity.
SOLUTION
a) Change WebSphere to run with a non-root identity (this is preferred)
For Sun Solaris:
http://www-1.ibm.com/servlet/support/manager?rs=180&rt=0&org=SW&doc=1005677
For generic Unix platforms:
http://www-1.ibm.com/servlet/support/manager?rs=180&rt=0&org=SW&doc=1005677
http://www7b.boulder.ibm.com/wsdd/library/presents/nonrootlogin.html
b) Create application servers under a non-root identity (do this only if you
cannot take step (a))
http://www-4.ibm.com/software/webservers/appserv/doc/v40/ae/infocenter/was/0606a01.html
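An added defender's check, not part of the advisory or of IBM's documentation: a POSIX shell audit that flags WebSphere JVMs still running as root (the precondition for the JSP read described above) and a group/other-readable mode on sas.server.props. It assumes WASROOT is set as in the advisory, that `ps -eo user,args` is available and that `stat -c %a` prints an octal mode (GNU syntax); the sample process lines are constructed.

```shell
#!/bin/sh
# Audit helpers for the WebSphere root-identity issue (added example, not IBM code).

# Read "USER ARGS" lines (as from `ps -eo user,args`) on stdin and print every
# Java process owned by root. Returns 1 if any was found, 0 if the list is clean.
find_root_was_processes() {
    status=0
    while IFS= read -r line; do
        case "$line" in
            *java*) ;;          # only JVMs are of interest
            *) continue ;;
        esac
        set -- $line            # word-split: $1 is the owning user
        if [ "$1" = "root" ]; then
            printf 'WebSphere JVM running as root: %s\n' "$line"
            status=1
        fi
    done
    return $status
}

# Check an octal mode such as 600 or 0644: the credentials file must not be
# readable or writable by group or other. Returns 0 when only the owner has access.
check_props_mode() {
    mode=$1
    go=${mode#${mode%??}}       # last two octal digits = group and other bits
    case "$go" in
        00) return 0 ;;
        *)  printf 'sas.server.props mode %s is too permissive\n' "$mode"
            return 1 ;;
    esac
}

# Constructed sample input (not captured from a real host) for a dry run.
SAMPLE_PS='root     /usr/java/bin/java -classpath /opt/WebSphere/lib wasserver
wasadmin /usr/java/bin/java -classpath /opt/WebSphere/lib wasserver
root     /usr/sbin/cron'

# Stand-alone use on a live host: audit the real process list and file mode.
if [ -n "$WASROOT" ] && [ -f "$WASROOT/properties/sas.server.props" ]; then
    ps -eo user,args | find_root_was_processes
    check_props_mode "$(stat -c %a "$WASROOT/properties/sas.server.props")"
else
    printf '%s\n' "$SAMPLE_PS" | find_root_was_processes || :
fi
```

On a host where step (a) has been applied, both checks return 0; the first check printing any line means the JSP-as-root exposure still exists.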