Return-Path: Delivered-To: apmail-tomcat-users-archive@www.apache.org Received: (qmail 68437 invoked from network); 1 Aug 2006 14:13:40 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199) by minotaur.apache.org with SMTP; 1 Aug 2006 14:13:40 -0000 Received: (qmail 98333 invoked by uid 500); 1 Aug 2006 14:13:27 -0000 Delivered-To: apmail-tomcat-users-archive@tomcat.apache.org Received: (qmail 98306 invoked by uid 500); 1 Aug 2006 14:13:27 -0000 Mailing-List: contact users-help@tomcat.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: "Tomcat Users List" Delivered-To: mailing list users@tomcat.apache.org Received: (qmail 98295 invoked by uid 99); 1 Aug 2006 14:13:27 -0000 Received: from asf.osuosl.org (HELO asf.osuosl.org) (140.211.166.49) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 01 Aug 2006 07:13:27 -0700 X-ASF-Spam-Status: No, hits=0.0 required=10.0 tests= X-Spam-Check-By: apache.org Received-SPF: neutral (asf.osuosl.org: local policy) Received: from [63.240.77.81] (HELO sccrmhc11.comcast.net) (63.240.77.81) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 01 Aug 2006 07:13:26 -0700 Received: from [192.168.1.47] (c-69-243-36-80.hsd1.va.comcast.net[69.243.36.80]) by comcast.net (sccrmhc11) with ESMTP id <20060801141305011008j7mbe>; Tue, 1 Aug 2006 14:13:05 +0000 Message-ID: <44CF6233.3050707@christopherschultz.net> Date: Tue, 01 Aug 2006 10:16:19 -0400 From: Christopher Schultz User-Agent: Thunderbird 1.5.0.4 (Windows/20060516) MIME-Version: 1.0 To: Tomcat Users List Subject: Re: Servlet that needs ROOT access References: In-Reply-To: X-Enigmail-Version: 0.94.0.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="------------enig1C34ADB050A670618E39178A" X-Virus-Checked: Checked by ClamAV on apache.org X-Spam-Rating: minotaur.apache.org 1.6.2 0/1000/N --------------enig1C34ADB050A670618E39178A Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Everyone, >> The servlet application needs to do things like mkfs,=20 >> vgcfgrestore, vgchange,=20 >> mount and umount. Eek. From a webapp? > I'd use setuid scripts with very careful permissions: >=20 > - Write some shell scripts, one per action, to do what you need; >=20 > - Audit those scripts for possible security holes; I agree. In fact, I might even go farther and suggest that you go with more a batch-job-list configuration, where your webapp drops descriptions of the work to be done into a directory or a database or something. Then, have a cron job or something like that come along every so often and process the jobs. Firing off new processes from Java can get ugly (even though it really shouldn't be), and if you are putting user input into your command-line, you're just asking for trouble. With batch-style processing, you generally treat everything as data and not as a command (as one might be tempted do when firing off a process from within the JVM). If you need to do stuff like mkfs, mount, etc. I assume that this is an /intranet/-style webapp -- meaning that your users are relatively trusted when compared to an open web site. -chris --------------enig1C34ADB050A670618E39178A Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFEz2I09CaO5/Lv0PARAv7WAKCuyNZXt+acnMFoqRfHP5xiymE9SwCfeDMy tB+Fv+ATqNenm8pqvLBSgFI= =DdM5 -----END PGP SIGNATURE----- --------------enig1C34ADB050A670618E39178A--