tomcat-users mailing list archives

From Claude Brisson <cla...@renegat.net.INVALID>
Subject Re: Running sudo from a servlet
Date Thu, 23 May 2019 17:09:54 GMT
You are right about your security concerns. I feel obliged to state that 
my use-case is perfectly valid and secure, the tomcat instance runs in a 
VPN and the sudoers file is properly configured to only allow access to 
a single user and a single command.

Anyhow it's the kind of area where you better know what you're doing.

   Claude


On 23/05/2019 11:55, Olaf Kock wrote:
>
>> I'd seriously consider whether or not you want to actually do this.
>>
>> It might be better to write a tiny daemon which has elevated
>> privileges to perform whatever operation you want and have your web
>> application ping it to do some work, rather than making the whole
>> Tomcat process able to elevate its privileges.
>
> Seconding this. Running a web-facing daemon with the option of executing
> system commands as root is a recipe for disaster. Don't even think of
> going there.
>
> There might be rare occasions where there's a good reason for this
> architecture, but the keyword here is "rare". It'll need a *very* good
> reason. And "how do I enable sudo?" isn't one.
>
> You have been warned, and so has everyone else finding this thread in
> future with the intent of making the same architectural decision.
>
> On stackoverflow, this is called the x-y problem
> (https://meta.stackexchange.com/questions/66377/what-is-the-xy-problem).
> I'd recommend reading a few of those answers and reconsider the
> question, to come up with the X instead of the Y.
>
>
> Olaf
>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
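The helper-daemon design suggested in the quoted reply, as an added example that is not part of the thread or of Tomcat: a small privileged process listens on a Unix socket, accepts only allow-listed operations from one local account, and runs a fixed argv with no shell. The socket path, the uid, the operation name and the systemctl command are assumptions chosen for illustration.

```python
import json, os, re, socket, struct, subprocess

SOCKET_PATH = "/run/webhelper.sock"  # assumed path
TOMCAT_UID = 991                     # assumed uid of the Tomcat account
# Constructed allow-list: op name -> (fixed argv prefix, pattern for its one argument)
OPERATIONS = {
    "restart-unit": (["/usr/bin/systemctl", "restart"],
                     re.compile(r"[a-z][a-z0-9-]{0,40}\.service")),
}

def build_argv(raw):
    """Map one JSON request to a fixed argv; raise ValueError on anything else."""
    try:
        req = json.loads(raw)
    except (ValueError, RecursionError):  # bad JSON, bad UTF-8, absurd nesting
        raise ValueError("malformed request") from None
    if not isinstance(req, dict) or set(req) != {"op", "arg"}:
        raise ValueError("unexpected fields")
    op, arg = req["op"], req["arg"]
    if not isinstance(op, str) or op not in OPERATIONS:
        raise ValueError("unknown operation")
    prefix, pattern = OPERATIONS[op]
    if not isinstance(arg, str) or not pattern.fullmatch(arg):
        raise ValueError("argument rejected")
    return prefix + [arg]

def handle(raw, peer_uid, run=subprocess.run):
    """Authorize the caller, validate the request, run the command without a shell."""
    if peer_uid != TOMCAT_UID:
        return {"ok": False, "error": "peer not allowed"}
    try:
        done = run(build_argv(raw), shell=False, timeout=30, capture_output=True)
    except (ValueError, subprocess.TimeoutExpired) as exc:
        return {"ok": False, "error": str(exc)}
    return {"ok": done.returncode == 0}

def serve():  # Linux only: SO_PEERCRED gives the kernel-verified uid of the caller
    os.umask(0o177)  # socket file is created owner-only
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(SOCKET_PATH)
        os.chown(SOCKET_PATH, TOMCAT_UID, -1)  # only the Tomcat account may connect
        srv.listen(1)
        while True:
            conn, _ = srv.accept()
            with conn:
                creds = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
                _pid, uid, _gid = struct.unpack("3i", creds)
                conn.sendall(json.dumps(handle(conn.recv(4096), uid)).encode())

if __name__ == "__main__":
    serve()
```

With this split the Tomcat process holds no sudo rights at all; a compromised web application can only request the operations listed in `OPERATIONS`, with arguments that pass the pattern.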
