Re: [OT] Running sudo from a servlet
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 George, On 5/25/19 12:44, George S. wrote: > A better way to do this would be to setup something like xinetd > listening on a socket and use a connection to the socket to trigger > the execution. You can write a configuration/parameters file in a > location. > > Just a point: when you use runtime.exec on Linux, it does a fork of > the process. That DOUBLES your process space memory. IOW, if > tomcat's running with 4GB of memory, when you do a runtime.exec, > that's going to double your memory usage to 8GB while the process > runs. If you're not planning for this, it can be a nasty shock. On most modern OSs, this does not actually happen. The kernel performs a process-clone during the fork() but shares the memory between the two processes. An immediate exec() in the child process discards almost the entire process memory and so no real work is actually done. This optimization was done long ago since nearly every fork() call is immediately followed by exec() and so actually duplicating the whole process's memory is a waste. The OS usually implements copy-on-write (CoW) process-memory semantics such that child processes that actually do not call exec() can benefit from that same optimization and not interfere with the parent process. Of course, this reduces main-memory usage as well in those cases. So I'll bet if you profile a Runtime.exec() call, you'll find that the OS does not actually allocate and duplicate a multi-gigabyte heap into a child process which ends up executing a "ping" command or whatever. - -chris > On 5/21/2019 11:52 AM, Claude Brisson wrote: >> Hi all. >> >> I use tomcat 8.5.39 and java oracle 1.8.0_191 on linux (ubuntu >> 19.04). Tomcat was installed by apt-get and runs as a service. >> >> If I open a shell as the tomcat8 user, I can launch a Java >> program which successfully executes a sudo command in a >> sub-process. >> >> But from a Java servlet, the code fails with this error from the >> sudo executable: >> >> sudo: effective uid is not 0, is /usr/bin/sudo on a file system >> with the 'nosuid' option set or an NFS file system without root >> privileges? >> >> which means that somehow, the tomcat process was unable or >> unwilling to honor the setuid flag of the sudo command. >> >> Is it a special security measure ? >> >> If yes, is it set in tomcat ? in the JVM ? In Ubuntu's tomcat8 >> service packaging? In systemd config? >> >> And is there any configuration option to relax it? >> >> Thanks, >> >> Claude >> >> >> >> - >> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org >> -BEGIN PGP SIGNATURE- Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlzqj3sACgkQHPApP6U8 pFjh/A//ZLLHhVjqgSCiV8heOlp0wslfqpfhwVhAXXiEulXw67UUsBvSNoYkz/OG UmrR3nVez5y8Xsc8Ed2ADGyfLRB8ZWE4ooNVNqcf3l8KYuNB4WAshAUnK4CJb//c u3IuOqNMslr6Ca22TF3GEq1GY+/A7FPECotkIHxs9SKeqODxZ3MJsJOi0aKtBKBO aeUbs5bOrg371hddRdvOi3wRc2+zGv/iYgfYMllVZK5ZGQb/f+VH+pUG+mUIpX9U VdZyiPD4cE2eegW9EzKwQN8054o4dosUWZVjo3xuxyO41wQUyCV74di6bdMqQqIw KbSx1IWH03zz8vwwIxVVDGcoTxBHVcEncV1F84NmZahWLCb61XRU72c3y8XZcLQJ nWgOrp6Ctb31JkPBuSdkkYFO4f7jnRjbPT3aFJe8gwQcy23mpG0r70DsRuzxe2O3 uATmKHtW7r7xsqO6ObsxYeTh2fiB8bSxxtoUcgfn9liNSm5CFI+Qw4oEX/KGUjdA uu1KN7pqRmEXLlqhyf1+o4hMkDe3UNR//uFNYttGQ7AIYDJ15uG8GzTyYtAw8ycd pITCbTiU0s5IZB4n9UnrNYoY4r9EoMddUqn1T2q57jYzMUUzF3IwUjETTScqgHn3 klr/zk7++tII/ae56DS5Ol2Lb4eUL/pUJwogA9a0ZAwt3RClmnI= =o3Eq -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Running sudo from a servlet
A better way to do this would be to setup something like xinetd listening on a socket and use a connection to the socket to trigger the execution. You can write a configuration/parameters file in a location. Just a point: when you use runtime.exec on Linux, it does a fork of the process. That DOUBLES your process space memory. IOW, if tomcat's running with 4GB of memory, when you do a runtime.exec, that's going to double your memory usage to 8GB while the process runs. If you're not planning for this, it can be a nasty shock. On 5/21/2019 11:52 AM, Claude Brisson wrote: Hi all. I use tomcat 8.5.39 and java oracle 1.8.0_191 on linux (ubuntu 19.04). Tomcat was installed by apt-get and runs as a service. If I open a shell as the tomcat8 user, I can launch a Java program which successfully executes a sudo command in a sub-process. But from a Java servlet, the code fails with this error from the sudo executable: sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges? which means that somehow, the tomcat process was unable or unwilling to honor the setuid flag of the sudo command. Is it a special security measure ? If yes, is it set in tomcat ? in the JVM ? In Ubuntu's tomcat8 service packaging? In systemd config? And is there any configuration option to relax it? Thanks, Claude - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- George S. *MH Software, Inc.* Voice: 303 438 9585 http://www.mhsoftware.com
Re: Running sudo from a servlet
You are right about your security concerns. I feel obliged to state that my use-case is perfectly valid and secure, the tomcat instance runs in a VPN and the sudoers file is properly configured to only allow access to a single user and a single command. Anyhow it's the kind of area where you better know what you're doing. Claude On 23/05/2019 11:55, Olaf Kock wrote: I'd seriously consider whether or not you want to actually do this. It might be better to write a tiny daemon which has elevated privileges to perform whatever operation you want and have your web application ping it to do some work, rather than making the whole Tomcat process able to elevate its privileges. Seconding this. Running a web-facing daemon with the option of executing system commands as root is a recipe for disaster. Don't even think of going there. There might be rare occasions where there's a good reason for this architecture, but the keyword here is "rare". It'll need a *very* good reason. And "how do I enable sudo?" isn't one. You have been warned, and so has everyone else finding this thread in future with the intend of making the same architectural decision. On stackoverflow, this is called the x-y problem (https://meta.stackexchange.com/questions/66377/what-is-the-xy-problem). I'd recommend reading a few of those answers and reconsider the question, to come up with the X instead of the Y. Olaf - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Running sudo from a servlet
On 22.05.19 18:31, Christopher Schultz wrote: > Claude, > > On 5/21/19 14:20, Claude Brisson wrote: > > (responding to myself) > > > The culprit is the option > > > NoNewPrivileges=true > > > in the file > > /etc/systemd/system/multi-user.target.wants/tomcat8.service > > > When changed to false, one must also call 'systemctl daemon-reload' > > and after a tomcat restart, the problem is solved. > > I'd seriously consider whether or not you want to actually do this. > > It might be better to write a tiny daemon which has elevated > privileges to perform whatever operation you want and have your web > application ping it to do some work, rather than making the whole > Tomcat process able to elevate its privileges. Seconding this. Running a web-facing daemon with the option of executing system commands as root is a recipe for disaster. Don't even think of going there. There might be rare occasions where there's a good reason for this architecture, but the keyword here is "rare". It'll need a *very* good reason. And "how do I enable sudo?" isn't one. You have been warned, and so has everyone else finding this thread in future with the intend of making the same architectural decision. On stackoverflow, this is called the x-y problem (https://meta.stackexchange.com/questions/66377/what-is-the-xy-problem). I'd recommend reading a few of those answers and reconsider the question, to come up with the X instead of the Y. Olaf - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Running sudo from a servlet
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Claude, On 5/21/19 14:20, Claude Brisson wrote: > (responding to myself) > > The culprit is the option > > NoNewPrivileges=true > > in the file > /etc/systemd/system/multi-user.target.wants/tomcat8.service > > When changed to false, one must also call 'systemctl daemon-reload' > and after a tomcat restart, the problem is solved. I'd seriously consider whether or not you want to actually do this. It might be better to write a tiny daemon which has elevated privileges to perform whatever operation you want and have your web application ping it to do some work, rather than making the whole Tomcat process able to elevate its privileges. At least lock-down the sudo command so that only that exact necessary command is possible. - -chris > On 21/05/2019 19:52, Claude Brisson wrote: >> Hi all. >> >> I use tomcat 8.5.39 and java oracle 1.8.0_191 on linux (ubuntu >> 19.04). Tomcat was installed by apt-get and runs as a service. >> >> If I open a shell as the tomcat8 user, I can launch a Java >> program which successfully executes a sudo command in a >> sub-process. >> >> But from a Java servlet, the code fails with this error from the >> sudo executable: >> >> sudo: effective uid is not 0, is /usr/bin/sudo on a file system >> with the 'nosuid' option set or an NFS file system without root >> privileges? >> >> which means that somehow, the tomcat process was unable or >> unwilling to honor the setuid flag of the sudo command. >> >> Is it a special security measure ? >> >> If yes, is it set in tomcat ? in the JVM ? In Ubuntu's tomcat8 >> service packaging? In systemd config? >> >> And is there any configuration option to relax it? >> >> Thanks, >> >> Claude >> >> >> >> - >> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org >> >> > > - > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > -BEGIN PGP SIGNATURE- Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlzleWwACgkQHPApP6U8 pFihng/+IdTMdCmN1Bk8gA8BvBma9/IF5/wxwlSOnfMf63fxoMuwArrhCJ8LdqLD M5S1A94d9Cj+kjwRHCU0yX18j9ZcnEfB6Lvu5GTsnNEyWSeLT4xbxF10DlSB8qCs qjUPJFoG+6DQNvExZwBOAMkiwFq5AB8gsQjUxTnrqly622n+3/6BB/jMEAFbH5U8 2BbUu2aMpbjJODHQ15uNdAZrEX0xGqA5vGLOgsVmGizRGFZaFOnvP0rzh2sJdGUA uvJzOxMScZV9dl7xVd9eQ8lOAffpAX2xZWESFEikpPjQJ3K/7CVHu0Hxrxzdkvw/ NDEVxSw05k2DeNSfeoqKGv7jU8SWhjMchJkB8FRArSJnyYy4YT+Bd1BwSO82FG1A HOGXxgVSCyWHZn7aQySC4DN0ywHedSIBP4sjrjUwwrIgHEDRcSLf8xr/pR5GsZLy b8grRHHjAryQbEzL5F5398B3AfBxK51jyoT/nIeFqvyIcCv5fF/galDOpNzc/kGK rAFiB6t4RKQJhkGuuos3S7mE7/piL1d04N8jHlChBpYagYTm+Raf8eAPMBsH1PnD FIJEz2YsKtA1SDlJmD5Yrv9IGhLPNkt/VIm+KtEgwEjdHWFKpclVJKiYVXVXiGyY 2Y9Att8O2rW+1pk3kHTszHwGXJCba0hF3Jc9ay/V1dOePPx8h9Y= =1994 -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Running sudo from a servlet
(responding to myself) The culprit is the option NoNewPrivileges=true in the file /etc/systemd/system/multi-user.target.wants/tomcat8.service When changed to false, one must also call 'systemctl daemon-reload' and after a tomcat restart, the problem is solved. Claude On 21/05/2019 19:52, Claude Brisson wrote: Hi all. I use tomcat 8.5.39 and java oracle 1.8.0_191 on linux (ubuntu 19.04). Tomcat was installed by apt-get and runs as a service. If I open a shell as the tomcat8 user, I can launch a Java program which successfully executes a sudo command in a sub-process. But from a Java servlet, the code fails with this error from the sudo executable: sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges? which means that somehow, the tomcat process was unable or unwilling to honor the setuid flag of the sudo command. Is it a special security measure ? If yes, is it set in tomcat ? in the JVM ? In Ubuntu's tomcat8 service packaging? In systemd config? And is there any configuration option to relax it? Thanks, Claude - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Running sudo from a servlet
Hi all. I use tomcat 8.5.39 and java oracle 1.8.0_191 on linux (ubuntu 19.04). Tomcat was installed by apt-get and runs as a service. If I open a shell as the tomcat8 user, I can launch a Java program which successfully executes a sudo command in a sub-process. But from a Java servlet, the code fails with this error from the sudo executable: sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges? which means that somehow, the tomcat process was unable or unwilling to honor the setuid flag of the sudo command. Is it a special security measure ? If yes, is it set in tomcat ? in the JVM ? In Ubuntu's tomcat8 service packaging? In systemd config? And is there any configuration option to relax it? Thanks, Claude - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org