Re: [jetty-users] libsetuid.so

A gentle note that our documentation is in github and we love to accept pull requests against it!

https://github.com/jetty-project/jetty-documentation

cheers!
jesse

--
jesse mcconnell
jesse.mcconnell@xxxxxxxxx


On Tue, Mar 4, 2014 at 12:40 AM, Martin Edge <martin.edge@xxxxxxxxxxxx> wrote:

Joakim

As you were mentioning using setuid in an embedded environment is unusual. I can report that (providing you wait until you’ve started all of your servers etc and you don’t have apache installed on your desktop machine [I’ve been having fun!]), using System.load(libsetuid-linux-1.0.0.so) and setuid(1000) works like a charm!

A very easy way of reducing privileges.

 

Once again thanks for your pointers, they really helped!

-medge

From: jetty-users-bounces@xxxxxxxxxxx [mailto:jetty-users-bounces@xxxxxxxxxxx] On Behalf Of Martin Edge
Sent: Tuesday, 4 March 2014 16:17
To: JETTY user mailing list
Subject: Re: [jetty-users] libsetuid.so

 

! Wrong package, should have paid more attention to the nm -D output (and realised the package name was important).

Thanks for your help though.

 

-medge
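
The package-name dependency mentioned above, as an added example that is not part of the original thread or of Jetty's code: the JVM resolves a native method through a symbol name derived from the declaring class's fully qualified name, so a library built for one package does not satisfy a copy of the class moved to another. The `nm -D` lines are constructed sample output and `org.example.setuid` is a placeholder package name.

```java
import java.util.*;

// Added example: checks whether a native library exports the JNI symbols
// that a given Java class will ask the JVM to resolve.
public class JniSymbolCheck {

    // JNI short-name escaping: '.' or '/' -> "_", '_' -> "_1", ';' -> "_2",
    // '[' -> "_3", any other non-alphanumeric char -> "_0xxxx" (hex UTF-16).
    static String mangle(String name) {
        StringBuilder sb = new StringBuilder();
        for (char c : name.toCharArray()) {
            if (c == '.' || c == '/') sb.append('_');
            else if (c == '_') sb.append("_1");
            else if (c == ';') sb.append("_2");
            else if (c == '[') sb.append("_3");
            else if (c < 128 && Character.isLetterOrDigit(c)) sb.append(c);
            else sb.append(String.format("_0%04x", (int) c));
        }
        return sb.toString();
    }

    // Symbol the JVM looks up first for a non-overloaded native method.
    static String jniSymbol(String className, String method) {
        return "Java_" + mangle(className) + "_" + mangle(method);
    }

    // Collect exported text symbols (type "T") from `nm -D` output.
    static Set<String> exported(String nmOutput) {
        Set<String> syms = new TreeSet<>();
        for (String line : nmOutput.split("\n")) {
            String[] f = line.trim().split("\\s+");
            if (f.length == 3 && f[1].equals("T")) syms.add(f[2]);
        }
        return syms;
    }

    public static void main(String[] args) {
        // Constructed sample of `nm -D` output; org.example.setuid is a placeholder.
        String nm = "0000000000001139 T Java_org_example_setuid_SetUID_setuid\n"
                  + "0000000000001180 T Java_org_example_setuid_SetUID_setgid\n"
                  + "                 U setuid\n";
        Set<String> syms = exported(nm);
        for (String cls : new String[] {"au.edu.satac.utilities.setuid.SetUID", "org.example.setuid.SetUID"})
            for (String m : new String[] {"setuid", "setgid"}) {
                String want = jniSymbol(cls, m);
                System.out.println((syms.contains(want) ? "found    " : "MISSING  ") + want);
            }
    }
}
```

The two `au.edu.satac...` lookups report MISSING against this sample, which matches the symptom in the thread: `System.load` finds the file, and the `UnsatisfiedLinkError` appears only when the native method is first called.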

 

From: jetty-users-bounces@xxxxxxxxxxx [mailto:jetty-users-bounces@xxxxxxxxxxx] On Behalf Of Martin Edge
Sent: Tuesday, 4 March 2014 15:36
To: JETTY user mailing list
Subject: Re: [jetty-users] libsetuid.so

 

Ok. Thanks for the links I used the tool chain one for my initial work. Obviously I am missing something, but I can’t see what it is.

 

 

Firstly overridden doStart() with:

 

    @Override
    public void doStart() throws Exception {
        super.doStart();
        String os = System.getProperty("os.name").toLowerCase();
        if (!os.contains("win")) { // <-- IE we are not testing on our development machines.
            if (gid != 0) {
                SetUID.setgid(gid); // <-- Fails here
            }
            if (uid != 0) {
                SetUID.setuid(uid);
                Passwd pw = SetUID.getpwuid(uid);
                System.setProperty("user.name", pw.getPwName());
                System.setProperty("user.home", pw.getPwDir());
            }
        }
    }

 

I grabbed the source for setuid (etc) and cut setuid down to this (As we are running this on linux only):

 

package au.edu.satac.utilities.setuid;

import au.edu.satac.business.utilities.SATACLogger;
import au.edu.satac.business.utilities.SLogger;
import au.edu.satac.utilities.SATACWebConfig;
import java.io.File;

/**
 * Class is for changing user and groupId, it can also be used to retrieve user
 * information by using getpwuid(uid) or getpwnam(username) of both linux and
 * unix systems
 */
public class SetUID {

    private static final SLogger logger = SATACLogger.getLogger(SetUID.class);

    public static final String FILENAME = "libsetuid";

    public static final int OK = 0;
    public static final int ERROR = -1;

    public static native int setumask(int mask);
    public static native int setuid(int uid);
    public static native int setgid(int gid);
    public static native Passwd getpwnam(String name) throws SecurityException;
    public static native Passwd getpwuid(int uid) throws SecurityException;
    public static native Group getgrnam(String name) throws SecurityException;
    public static native Group getgrgid(int gid) throws SecurityException;
    public static native RLimit getrlimitnofiles();
    public static native int setrlimitnofiles(RLimit rlimit);

    private static void loadLibrary() {
        String setuidLib = "/usr/local/satacweb/lib/libsetuid-linux-1.0.0.so";
        // String setuidLib = SATACWebConfig.getConfig().getSetUIDLib();  // Ready to some sort of dynamic mapping
        if (setuidLib != null) {
            File f = new File(setuidLib);
            if (f.exists()) {
                System.load(setuidLib);
                // Runtime.getRuntime().load(setuidLib);
            } else {
                logger.fatal(setuidLib + " not found");
            }
        } else {
            logger.info("SetUID lib isn't set");
        }
    }

    static {
        loadLibrary();
    }

}

 

 

I’ve cut the whole thing down even more into a test case:

 

package au.edu.satac;

import au.edu.satac.utilities.setuid.SetUID;

/**
 *
 * @author satmje
 */
public class MainClass {
    public static void main(String[] args) {
        SetUID.setuid(1001);
    }
}

 

And (the supporting classes are unchanged)

package au.edu.satac.utilities.setuid;

public class SetUID {

    public static final String FILENAME = "libsetuid";

    public static final int OK = 0;
    public static final int ERROR = -1;

    public static native int setumask(int mask);
    public static native int setuid(int uid);
    public static native int setgid(int gid);
    public static native Passwd getpwnam(String name) throws SecurityException;
    public static native Passwd getpwuid(int uid) throws SecurityException;
    public static native Group getgrnam(String name) throws SecurityException;
    public static native Group getgrgid(int gid) throws SecurityException;
    public static native RLimit getrlimitnofiles();
    public static native int setrlimitnofiles(RLimit rlimit);

    private static void loadLibrary() {
        System.load("/usr/local/satacweb/lib/libsetuid-linux-1.0.0.so");
        // Runtime.getRuntime().load("/usr/local/satacweb/lib/libsetuid-linux-1.0.0.so");
    }

    static {
        loadLibrary();
    }

}

 

 

From: jetty-users-bounces@xxxxxxxxxxx [mailto:jetty-users-bounces@xxxxxxxxxxx] On Behalf Of Joakim Erdfelt
Sent: Tuesday, 4 March 2014 14:58
To: JETTY user mailing list
Subject: Re: [jetty-users] libsetuid.so

 

ok, let me try this again...

 

HOW are you attempting/doing this? details please.

Code snippets?
Project structure?
Installed structure?
All of the various relevant paths (class/lib/security/os/etc)?
Environment details at runtime?
Java details?
Your artifacts details?
Your dependency details?
etc...

 


--

Joakim Erdfelt <joakim@xxxxxxxxxxx>

Expert advice, services and support from the Jetty & CometD experts

 

On Mon, Mar 3, 2014 at 8:02 PM, Martin Edge <martin.edge@xxxxxxxxxxxx> wrote:

Open port 80 as root and then su to a lower privileged user.

 

From: jetty-users-bounces@xxxxxxxxxxx [mailto:jetty-users-bounces@xxxxxxxxxxx] On Behalf Of Joakim Erdfelt
Sent: Tuesday, 4 March 2014 13:27
To: JETTY user mailing list
Subject: Re: [jetty-users] libsetuid.so

 

Can you provide more details on what you are trying to do?

As mixing libsetuid.so and jetty embedded would be a first.


--

Joakim Erdfelt <joakim@xxxxxxxxxxx>

Expert advice, services and support from the Jetty & CometD experts

 

On Mon, Mar 3, 2014 at 6:24 PM, Martin Edge <martin.edge@xxxxxxxxxxxx> wrote:

Having trouble running this in an embedded environment.  It is finding the file, but reporting “UnsatisfiedLinkError”

Using jetty 9.1.2 on Linux.

 

Has anyone got this working, or does everyone use redirects?

 

 

Medge

Database and Applications Administrator


 


_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/jetty-users

 

