Nathan Meyers wrote:
>
> You use 'forks' in quotes. Are they processes or threads? How were
> they created?
Proper Linux Processes, If you said "java Helloworld" for the simplest
of
code , 'ps uax ' will tell you 4 new Processes were Spawned , I am
guessing they are for the JVMs Internal book keeping and for executing
the code
> Nathan
>
> > one to handle the program itself and the other 3 to perform its
> > internal book-keeping (I think), Now within the Server, I am calling
> > setuid() to change EUIDS so that I can continue running as nobody
> > after having 'bound' myself to the System Socket, since my Server
> > had been 'forked' by JVM the change in EUID is confined to the Server
> > only (obviously). The other 'processes' forked are still holding root
> > privileges (which precisely is the itch).
> >
> > I did a 'netstat' for the Port I was listening on and verified that the
> > Process listening on the particular port had indeed changed EUIDS and
> > lost its root privileges. However when I used 'fuser' for the same tcp
> > port I got the 4 processes of which 3 are root and one was nobody.
> >
> > Now I have serious reservations of the Server I am trying to Write.
> > Would anybody know how I can get ALL the processes to drop their root
> > priveleges ? This is really showing my 'greenness' in terms of writing
> > a secure Java app for Linux.
> >
> > Thank you for your time and Patience .. Sorry I did not bring this
> > up earlier, I could not have possibly known.
> >
> > > I have a few more questions, I hope you will take some time off to clear
> > > them >>
> > >
> > > > I think that yau can do almost all or all in Java, without native code.
> > >
> > > Now I am really Interested :)
> > >
> > > > -First if you start the server from the SysV scripts you can simply use
> > > > nohup(see man nohup) so you won't be associated with the terminal.
> > >
> > > > -I don't know any way of changing EUIDs of the JavaVM/separate thread in
> > > > runtime, but you you can write your won SecurityManager( see the API
> > > > spec./Tutorial for info & examples). IMHO this is very flexible. This will
> > >
> > > Could you please elaborate I am afraid I am not very clear about how
> > > exactly you visualize this Implementation.
> > >
> > > > solve the problem with standard file descriptors too.
> > > Are you talking about closing the Standard file descriptor for IO ?
> > >
> > > > -The problem with memory leaks is more difficult. I'm not conserced with the
> > > > state of the current JDK - I don't now if or/and where it leaks. But if you
> > > > mean leaks in your code maybe you could just have the critical memory collected
> > > > by the GC. I mean remove the critical object(s)/thread(s) and instance new
> > > > one(s).
> > >
> > > I was worried about the entire JVM but I guess I will put this issue on
> > > the backburner for a while, I'll let the script wait on the POp Server
> > > and then
> > > have the Server serve n connections & exit itself, the script can then
> > > restart it.
> > >
> > > Thank you for the feedback ...
> > >
> > > >
> > > > Hope that helps.
> > > >
> > > > Yavor
> > >
> > > ----------------------------------------------------------------------
> > > To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> > > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
> >
> >
> > ----------------------------------------------------------------------
> > To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
>
> ----------------------------------------------------------------------
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
----------------------------------------------------------------------
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
