commons-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mladen Turk <mt...@apache.org>
Subject Re: [daemon] Problems of downgrading user prevelegies.
Date Tue, 27 Apr 2010 15:29:53 GMT
On 04/27/2010 03:11 PM, Alexandr Nalbandyan wrote:
> Hi
> Thank you  for the feedback actually the reason why we came to such
> conclusion is following.
> Here is snapshot from init method comment
> "  perform all operations
>       *   requiring<i>super-user</i>  privileges in the underlying operating
>       *   system.
> ".
>> From this we came to conclusion that during execution of this process user
> has
> super-user privileges and it is still root user.

Nope. The javadoc is somehow miss-leading here.
JVM is initialized in child process after user downgrade.


> If this is wrong then what is the actual reason of failure specified in
> email.

Reason is security.
You start the daemon as root and downgrade to the regular user.
If that user cannot create or access the file, it'll fail.

>
> And it helps to fix the problem.
> But this is not actually the preferred solution.
> Can you please advise how to fix the problem correctly.
>

Make sure you don't mix the access to logs/test.out between
root and downgraded user.
If you start the jsvc as a root it'll be the owner of that file.
next invocation with -user will always fail.


Regards
-- 
^TM

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@commons.apache.org
For additional commands, e-mail: user-help@commons.apache.org


Mime
View raw message