Date: Tue, 27 Apr 2010 18:11:53 +0500
Subject: Re: [daemon] Problems of downgrading user prevelegies.
From: Alexandr Nalbandyan
To: Commons Users List
In-Reply-To: <4BD6DF64.4030006@apache.org>

Hi,

Thank you for the feedback. The reason why we came to this conclusion is the following. Here is a snippet from the init method comment: "perform all operations requiring super-user privileges in the underlying operating system."

From this we came to the conclusion that during execution of this process the user has super-user privileges and is still the root user. If this is wrong, then what is the actual reason for the failure specified in the email?

Actually, I have tried the following. I looked at the jsvc-unix.c file and found the method "linuxset_user_group", which is executed before JVM initialization.
and changed the following part from

#################################
if (caps_set) {
    /* set capability to binding port 80 read conf */
    if (set_caps(CAPSMIN)!=0) {
        if (getuid()!= uid) {
            log_error("set_caps(CAPSMIN) failed");
            return(-1);
        }
        log_debug("set_caps(CAPSMIN) failed");
    }
}
###################################

To

#################################
if (caps_set) {
    /* set capability to binding port 80 read conf */
    if (set_caps(CAPSMIN)!=0) {
        if (getuid()!= uid) {
            log_error("set_caps(CAPSALL) failed");
            return(-1);
        }
        log_debug("set_caps(CAPSALL) failed");
    }
}
###################################

And it helps to fix the problem. But this is not actually the preferred solution. Can you please advise how to fix the problem correctly?

On Tue, Apr 27, 2010 at 5:58 PM, Mladen Turk wrote:

> On 04/27/2010 01:11 PM, Alexandr Nalbandyan wrote:
>
>> Hi. The following is the problem we faced when specifying the "-user"
>> option in jsvc.
>>
>> In the following code snippet, in the init method definition, we tried to
>> create a file output stream.
>> "
>> public final void init(final DaemonContext arg0) throws Exception {
>>     FileOutputStream fileOutputStream = new FileOutputStream("logs/test.out");
>> "
>> But this code throws an exception saying "Permission Denied".
>>
>> But if we remove the -user option it works.
>> According to the documentation, the init method should run with "super user"
>> privileges.
>>
>
> Can you point to the documentation where that is stated, because it's wrong
> and needs to be fixed.
>
> init() is called after user downgrade.
> Basically the JVM cannot be forked, because threads cannot be
> forked, and that would leave the JVM without a GC thread.
>
>
> Regards
> --
> ^TM