Posted to dev@commons.apache.org by jean-frederic clere <jf...@fujitsu-siemens.com> on 2002/02/25 12:42:41 UTC

[daemon] Threads and setuid on Linux

Hi,

I have noted a small problem when using the daemon on Linux.
The jsvc starts several threads when it is root, but the Linux setuid only
applies to the current thread, so the software ends up with various threads
belonging to root and others to nobody. :-(

I have tried to solve the problem by doing the setuid before loading the JVM
(java_init) but keeping some root capabilities until after the loading of the
service (java_load).

The idea is to do the following (only when using Linux):

setcapabilities via syscall
(CAP_NET_BIND_SERVICE+CAP_SETGID+CAP_SETUID+CAP_DAC_OVERRIDE+CAP_DAC_READ_SEARCH).
using prctl to be able to set them after the setuid/getid.
setuid and getid.
setcapabilities(CAP_NET_BIND_SERVICE+CAP_DAC_OVERRIDE+CAP_DAC_READ_SEARCH).
load JVM (java_init).
load the service (java_load).
setcapabilities to minimum (CAP_NET_BIND_SERVICE?).

Any comments?

Cheers

Jean-frederic
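
The sequence proposed above, as an added C example that is not part of the original post or of the jsvc sources. It follows the capability sets of the first message; the names `phase_caps`, `set_caps`, `drop_root` and the `PH_*` phases are hypothetical, and uid/gid 65534 for "nobody" is an assumption.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <linux/capability.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#define BIT(c) (1u << (c))
enum phase { PH_SWITCH, PH_LOAD, PH_RUN };   /* hypothetical names */

/* Capability mask for each phase listed in the post (all are below bit 32). */
unsigned phase_caps(enum phase p) {
    unsigned run = BIT(CAP_NET_BIND_SERVICE);
    unsigned load = run | BIT(CAP_DAC_OVERRIDE) | BIT(CAP_DAC_READ_SEARCH);
    if (p == PH_SWITCH) return load | BIT(CAP_SETUID) | BIT(CAP_SETGID);
    return p == PH_LOAD ? load : run;
}

/* permitted = effective = mask, inheritable empty; calling thread only. */
int set_caps(unsigned mask) {
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2] = { { 0 } };
    data[0].effective = data[0].permitted = mask;
    return (int)syscall(SYS_capset, &hdr, data);
}

/* Steps up to "load JVM"; returns 0 or the negated number of the failed step.
 * Must run before any thread exists, since capset is per thread. */
int drop_root(uid_t uid, gid_t gid) {
    if (set_caps(phase_caps(PH_SWITCH)) != 0) return -1;
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) != 0) return -2; /* keep permitted set across setuid */
    if (setgroups(0, NULL) != 0) return -3;  /* not in the post: clear root's extra groups */
    if (setgid(gid) != 0 || setuid(uid) != 0) return -4;
    /* setuid cleared the effective set; raise the smaller load-phase set again */
    if (set_caps(phase_caps(PH_LOAD)) != 0) return -5;
    return 0;
}

int main(void) {
    int rc = drop_root(65534, 65534);  /* assumed uid/gid of "nobody" */
    if (rc != 0) { fprintf(stderr, "failed at step %d\n", -rc); return 1; }
    /* java_init() and java_load() from the post would run here */
    if (set_caps(phase_caps(PH_RUN)) != 0) return 1;
    return setuid(0) == 0;  /* exit 1 if root could be regained */
}
```

Run as root with the full capability set, the program exits 0 only if every step succeeded and the final `setuid(0)` was refused.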



Re: [daemon] Threads and setuid on Linux

Posted by jean-frederic clere <jf...@fujitsu-siemens.com>.
Hi,

I have prepared a patch for it.
I have reduced the capabilities to CAP_NET_BIND_SERVICE+CAP_SETGID+CAP_SETUID,
CAP_NET_BIND_SERVICE and 0.
I first tried to run as nobody/nobody but that needs more tuning (for example
the jndi tries to open files it is not able to read (tomcat-users.xml)). My
first idea was to have the security done by the operating system as it is done
in httpd but that is a bit paranoid in a JVM.

Any comments?

Cheers

Jean-frederic

"Clere, Jean-Frederic" wrote:
> 
> Hi,
> 
> I have noted a small problem when using the daemon on Linux.
> The jsvc starts several threads when it is root, but the Linux setuid only
> applies to the current thread, so the software ends up with various threads
> belonging to root and others to nobody. :-(
> 
> I have tried to solve the problem by doing the setuid before loading the JVM
> (java_init) but keeping some root capabilities until after the loading of the
> service (java_load).
> 
> The idea is to do the following (only when using Linux):
> 
> setcapabilities via syscall
> (CAP_NET_BIND_SERVICE+CAP_SETGID+CAP_SETUID+CAP_DAC_OVERRIDE+CAP_DAC_READ_SEARCH).
> using prctl to be able to set them after the setuid/getid.
> setuid and getid.
> setcapabilities(CAP_NET_BIND_SERVICE+CAP_DAC_OVERRIDE+CAP_DAC_READ_SEARCH).
> load JVM (java_init).
> load the service (java_load).
> setcapabilities to minimum (CAP_NET_BIND_SERVICE?).
> 
> Any comments?
> 
> Cheers
> 
> Jean-frederic
> 