tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Claude Brisson <>
Subject Re: Running sudo from a servlet
Date Thu, 23 May 2019 17:09:54 GMT
You are right about your security concerns. I feel obliged to state that 
my use-case is perfectly valid and secure, the tomcat instance runs in a 
VPN and the sudoers file is properly configured to only allow access to 
a single user and a single command.

Anyhow it's the kind of area where you better know what you're doing.


On 23/05/2019 11:55, Olaf Kock wrote:
>> I'd seriously consider whether or not you want to actually do this.
>> It might be better to write a tiny daemon which has elevated
>> privileges to perform whatever operation you want and have your web
>> application ping it to do some work, rather than making the whole
>> Tomcat process able to elevate its privileges.
> Seconding this. Running a web-facing daemon with the option of executing
> system commands as root is a recipe for disaster. Don't even think of
> going there.
> There might be rare occasions where there's a good reason for this
> architecture, but the keyword here is "rare". It'll need a *very* good
> reason. And "how do I enable sudo?" isn't one.
> You have been warned, and so has everyone else finding this thread in
> future with the intend of making the same architectural decision.
> On stackoverflow, this is called the x-y problem
> (
> I'd recommend reading a few of those answers and reconsider the
> question, to come up with the X instead of the Y.
> Olaf
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message