commons-dev mailing list archives

From Travis McLeskey <t...@mac.com>
Subject permissions downgrading in commons-daemon jsvc
Date Fri, 15 Dec 2006 20:37:19 GMT
Hi,

The child() function in jsvc-unix.c does not seem to behave consistently across platforms:

- on Linux, the capabilities and uid are set (in linuxset_user_group()) BEFORE java_init()
and java_load() are called
- on other platforms, set_user_group() is called AFTER java_init() and java_load()

I see that the logic has worked that way since jsvc came over from Tomcat. A comment in jsvc-unix.c
says that "setuid()/setgid() only apply the current thread so we must do it now", but I don't
understand that.

Does anyone remember the rationale for this inconsistency? Does it still need to work that
way?

My specific problem is that, in my Daemon.init() method, I'm trying to read files that are
owned and readable only by the user invoking jsvc (root, in my case), but it can't read those
files after linuxset_user_group() is called. (One workaround would be to add CAP_DAC_OVERRIDE
to CAPS and CAPSMIN.)

Thanks,
Travis
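
An added example, not part of the original message and not commons-daemon code: a C check that reads the effective capability mask of a downgraded process (the `CapEff` line of `/proc/<pid>/status`) and reports any bits outside an allow-list, which makes it visible when a workaround such as adding CAP_DAC_OVERRIDE leaves the child able to bypass file permission checks. The sample status text and the allow-list are constructed for illustration and are not jsvc's actual CAPS/CAPSMIN values.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capability bit numbers, as defined in <linux/capability.h>. */
#define CAP_BIT_DAC_OVERRIDE      1
#define CAP_BIT_NET_BIND_SERVICE 10
#define CAP_MASK(bit) (UINT64_C(1) << (bit))

/* Constructed sample of /proc/<pid>/status for a downgraded child. */
static const char SAMPLE_STATUS[] =
    "Name:\tjsvc\nUid:\t1001\t1001\t1001\t1001\n"
    "CapInh:\t0000000000000000\nCapPrm:\t00000000000004c2\n"
    "CapEff:\t0000000000000402\n";

/* Find a "<name>:\t<hex>" field in status text.
 * Returns 0 and stores the mask, or -1 if the field is missing or empty. */
int parse_cap_field(const char *status, const char *name, uint64_t *mask)
{
    size_t n = strlen(name);
    for (const char *line = status; line && *line; ) {
        if (strncmp(line, name, n) == 0 && line[n] == ':') {
            char *end;
            uint64_t v = strtoull(line + n + 1, &end, 16);
            if (end == line + n + 1) return -1;   /* no hex digits */
            *mask = v;
            return 0;
        }
        line = strchr(line, '\n');                /* advance to next line */
        if (line) line++;
    }
    return -1;
}

/* Effective capability bits that are not in the allow-list.
 * Fails closed: an unreadable CapEff field reports every bit as excess. */
uint64_t excess_caps(const char *status, uint64_t allowed)
{
    uint64_t eff;
    if (parse_cap_field(status, "CapEff", &eff) != 0) return UINT64_MAX;
    return eff & ~allowed;
}

int main(void)
{
    /* Assumed policy for this example: only binding low ports is expected. */
    uint64_t extra = excess_caps(SAMPLE_STATUS, CAP_MASK(CAP_BIT_NET_BIND_SERVICE));
    if (extra & CAP_MASK(CAP_BIT_DAC_OVERRIDE))
        puts("CAP_DAC_OVERRIDE is effective: file permission checks are bypassed");
    printf("unexpected capability bits: 0x%llx\n", (unsigned long long)extra);
    return extra != 0;
}
```

CAP_DAC_OVERRIDE bypasses read, write and execute permission checks; CAP_DAC_READ_SEARCH (bit 2) is the narrower capability when the process only needs to read files it does not own.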

