tomcat-users mailing list archives

From "George S." <geor...@mhsoftware.com>
Subject Re: Running sudo from a servlet
Date Sat, 25 May 2019 16:44:29 GMT
A better way to do this would be to set up something like xinetd 
listening on a socket and use a connection to the socket to trigger the 
execution. You can write a configuration/parameters file in a location.

Just a point: when you use runtime.exec on Linux, it does a fork of the 
process. That DOUBLES your process space memory. IOW, if tomcat's 
running with 4GB of memory, when you do a runtime.exec, that's going to 
double your memory usage to 8GB while the process runs. If you're not 
planning for this, it can be a nasty shock.


On 5/21/2019 11:52 AM, Claude Brisson wrote:
> Hi all.
>
> I use tomcat 8.5.39 and java oracle 1.8.0_191 on linux (ubuntu 19.04). 
> Tomcat was installed by apt-get and runs as a service.
>
> If I open a shell as the tomcat8 user, I can launch a Java program 
> which successfully executes a sudo command in a sub-process.
>
> But from a Java servlet, the code fails with this error from the sudo 
> executable:
>
>     sudo: effective uid is not 0, is /usr/bin/sudo on a file system 
> with the 'nosuid' option set or an NFS file system without root 
> privileges?
>
> which means that somehow, the tomcat process was unable or unwilling 
> to honor the setuid flag of the sudo command.
>
> Is it a special security measure?
>
> If yes, is it set in Tomcat? In the JVM? In Ubuntu's tomcat8 service 
> packaging? In systemd config?
>
> And is there any configuration option to relax it?
>
> Thanks,
>
>   Claude
>
-- 
George S.
*MH Software, Inc.*
Voice: 303 438 9585
http://www.mhsoftware.com
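George's suggestion of a separate socket-triggered helper, worked into an added Python example (not code from this thread, from Tomcat, or from xinetd): a privileged service listens on a Unix socket, and the unprivileged servlet only names an action from a fixed table, so no setuid binary is ever needed inside the Tomcat process. The socket path, action names and commands are assumptions chosen for illustration.

```python
import json
import os
import socket
import subprocess

# Socket path and action table are illustrative, not taken from the thread.
SOCKET_PATH = "/run/tomcat-helper/helper.sock"
# A request names an action, never a program: the privileged side owns argv.
ALLOWED_ACTIONS = {
    "reload-web": ["/usr/bin/systemctl", "reload", "nginx"],
    "rotate-logs": ["/usr/sbin/logrotate", "/etc/logrotate.d/tomcat"],
}
MAX_REQUEST_BYTES = 1024

def parse_request(raw):
    """Map one request line to a fixed argv list, or raise ValueError."""
    try:
        req = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise ValueError(f"malformed request: {exc}") from None
    action = req.get("action") if isinstance(req, dict) else None
    if not isinstance(action, str) or action not in ALLOWED_ACTIONS:
        raise ValueError(f"unknown or missing action {action!r}")
    return list(ALLOWED_ACTIONS[action])

def handle(conn):
    """Serve one connection: read, validate, run without a shell, reply."""
    try:
        argv = parse_request(conn.recv(MAX_REQUEST_BYTES))
    except ValueError as exc:
        conn.sendall(f"denied: {exc}\n".encode())
        return
    # No shell, no caller-supplied arguments, bounded run time.
    res = subprocess.run(argv, capture_output=True, timeout=60, check=False)
    conn.sendall(f"exit {res.returncode}\n".encode())

def serve():
    if os.path.exists(SOCKET_PATH):
        os.unlink(SOCKET_PATH)
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(SOCKET_PATH)
        os.chmod(SOCKET_PATH, 0o660)  # group tomcat8: only the servlet JVM connects
        srv.listen(1)
        while True:
            conn, _ = srv.accept()
            with conn:
                handle(conn)

if __name__ == "__main__":
    serve()
```

The servlet side then needs only a Unix-socket connect and one JSON line, with no Runtime.exec and no fork of the JVM at all.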
