commons-user mailing list archives

From Alexandr Nalbandyan <analband...@googlemail.com>
Subject Re: [daemon] Problems of downgrading user prevelegies.
Date Tue, 27 Apr 2010 13:11:53 GMT
Hi,
Thank you for the feedback. Actually, the reason why we came to such a
conclusion is the following.
Here is a snapshot from the init method comment:
"  perform all operations
     *   requiring <i>super-user</i> privileges in the underlying operating
     *   system.
".
From this we came to the conclusion that during execution of this process the
user has super-user privileges and is still the root user.
If this is wrong, then what is the actual reason for the failure specified in
the email?
Actually, I have tried the following: I looked at the jsvc-unix.c file
and found the method "linuxset_user_group", which is executed before JVM
initialization,
and changed the following part from
#################################
if (caps_set) {
    /* set capability to binding port 80 read conf */
    if (set_caps(CAPSMIN)!=0) {
        if (getuid()!= uid) {
            log_error("set_caps(CAPSMIN) failed");
            return(-1);
        }
        log_debug("set_caps(CAPSMIN) failed");
    }
}
###################################
To
#################################
if (caps_set) {
    /* set capability to binding port 80 read conf */
    if (set_caps(CAPSMIN)!=0) {
        if (getuid()!= uid) {
            log_error("set_caps(CAPSALL) failed");
            return(-1);
        }
        log_debug("set_caps(CAPSALL) failed");
    }
}
###################################

And it helps to fix the problem.
But this is not actually the preferred solution.
Can you please advise how to fix the problem correctly?

On Tue, Apr 27, 2010 at 5:58 PM, Mladen Turk <mturk@apache.org> wrote:

> On 04/27/2010 01:11 PM, Alexandr Nalbandyan wrote:
>
>> Hi, the following is the problem we faced when specifying the "-user"
>> option in jsvc.
>>
>> In the following code snippet, in the init method definition, we tried to
>> create a file output stream.
>> "
>>     public final void init(final DaemonContext arg0) throws Exception {
>>         FileOutputStream fileOutputStream = new FileOutputStream("logs/test.out");
>> "
>> But this code throws an exception saying "Permission Denied".
>>
>> But if we remove the -user option it works.
>> According to the documentation, the init method should run with "super user"
>> privileges.
>>
>>
> Can you point to the documentation where that is stated, because it's wrong
> and needs to be fixed?
>
> init() is called after user downgrade.
> Basically the JVM cannot be forked, because threads cannot be
> forked, and that would leave the JVM without a GC thread.
>
>
> Regards
> --
> ^TM

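An added example, not part of the thread and not jsvc code: because init() runs after the user downgrade, a pre-flight check run before starting the daemon can report whether the account passed to -user is able to create files in a directory such as logs/. The names `dir_allows_create` and `preflight` are hypothetical, and the check assumes plain UNIX permission bits only (no supplementary groups, no ACLs, no retained capability that overrides write checks).

```c
#include <stdio.h>
#include <pwd.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Classic UNIX permission check: may a process running as (uid, gid)
 * create a file in a directory with these permission bits and owner?
 * Creating a file needs write and search (execute) on the directory, and
 * exactly one class applies: owner, else group, else other.
 * Assumptions: no supplementary groups, no ACLs, and no retained
 * capability that overrides write checks. */
int dir_allows_create(mode_t perms, uid_t owner, gid_t group,
                      uid_t uid, gid_t gid)
{
    mode_t w, x;
    if (uid == owner)      { w = S_IWUSR; x = S_IXUSR; }
    else if (gid == group) { w = S_IWGRP; x = S_IXGRP; }
    else                   { w = S_IWOTH; x = S_IXOTH; }
    return (perms & w) && (perms & x);
}

/* 1 = the account can create files in dir, 0 = it cannot,
 * -1 = unknown account, or dir missing / not a directory. */
int preflight(const char *dir, const char *user)
{
    struct stat st;
    struct passwd *pw = getpwnam(user);
    if (pw == NULL || stat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;
    return dir_allows_create(st.st_mode, st.st_uid, st.st_gid,
                             pw->pw_uid, pw->pw_gid);
}

int main(int argc, char **argv)
{
    int rc;
    if (argc != 3) {
        fprintf(stderr, "usage: %s <dir> <user>\n", argv[0]);
        return 2;
    }
    rc = preflight(argv[1], argv[2]);
    printf("%s: %s\n", argv[1], rc == 1 ? "writable after downgrade"
           : rc == 0 ? "NOT writable after downgrade" : "cannot check");
    return rc == 1 ? 0 : 1;
}
```

A root-owned directory with mode 0755 yields 0 for any non-root account, which matches the "Permission Denied" reported for logs/test.out; changing the directory's owner or group to the service account makes the check pass without widening the daemon's capabilities.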