Re: running servlets as fileowner

2009-07-17 Thread Jan-Florian Hilgenberg
Thank you very much :-)
Just one question is left: when you said "have to modify the jvm to support
uid/gid per thread",
do you mean that we have to change something in the source code, or what?
Because I have no idea how I have to set up such RMI things.

2009/7/16 Jason Pyeron jpye...@pdinc.us



  -----Original Message-----
  From: Jan-Florian Hilgenberg
  Sent: Thursday, July 16, 2009 12:10
  Subject: running servlets as fileowner
 
  hi mailinglist,
 
  is there a way to run servlets as the fileowner of the
  servlet - like suphp on lamp environments.
  thank you for your help

 The first issue you are going to run into is that Java does not support setting
 the uid/gid, and you would have to modify the jvm to support uid/gid per thread.
 Now apache/php works differently: apache launches a child process (php); each
 process can have a different uid/gid.

 To do this you would have to do an RMI type thing: have a master service running
 as root, accepting connections, then launching subordinate processes as the
 desired uid/gid to execute the code (of course this is all happening in a
 different JVM).

 -Jason



 --
 Jason Pyeron, Principal Consultant
 PD Inc. http://www.pdinc.us
 10 West 24th Street #100, Baltimore, Maryland 21218
 +1 (443) 269-1555 x333
 This message is copyright PD Inc, subject to license 20080407P00.


 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org




Re: running servlets as fileowner

2009-07-17 Thread André Warnier

Jan-Florian Hilgenberg wrote:

Thank you very much :-)
Just one question is left: when you said "have to modify the jvm to support
uid/gid per thread",
do you mean that we have to change something in the source code, or what?
Because I have no idea how I have to set up such RMI things.


Just a Java dummy bumping in here.

I think that the (qualified) answer which you received previously 
basically meant no, you can't do that.
Indeed, modifying the JVM to allow it to start a thread with a different
uid/gid would probably not be trivial, especially considering all the
security aspects of ditto.
The RMI thing would mean, for instance, that you start a separate 
server process under a separate JVM, running under the other uid/gid, 
and then from your own server, you call these applications via Remote 
Method Invocation.

Anyway, not something trivial for me, and maybe not anymore for you.

Another idea that could be tried however, assuming you really need to
run this application under another uid/gid:

- run 2 separate Tomcats:
	- a Tomcat1 running under the normal uid/gid, and running the standard applications
	- a Tomcat2 running under the special uid/gid, only for this special application
- install an Apache httpd as a front-end to your 2 Tomcats
- use this front-end Apache httpd as a proxy to distribute the calls to your two back-end Tomcats: the calls to this special app go to Tomcat2, the calls to the other webapps go to Tomcat1.

As proxying module, you can use either one of mod_proxy (HTTP),
mod_proxy_ajp, or mod_jk.






Re: running servlets as fileowner

2009-07-17 Thread Christopher Schultz

Jan,

On 7/16/2009 12:10 PM, Jan-Florian Hilgenberg wrote:
 is there a way to run servlets as the fileowner of the servlet - like suphp
 on lamp environments.

As Jason and André have said, this is essentially not possible.

On the other hand, I suspect you are trying to do something specific --
not simply getting a thread to run as a particular uid. If you tell us
what you're /really/ trying to do, we may be able to offer alternative
suggestions.

-chris



Re: running servlets as fileowner

2009-07-17 Thread Jan-Florian Hilgenberg
Thank you for your explanation, André.

@chris - I need to offer JSP for some customers in a shared hosting
environment,
and I have to reach a high security level in this case (comparison with
php-cgi + suexec/suphp).

have a nice weekend

2009/7/17 Christopher Schultz ch...@christopherschultz.net


 Jan,

 On 7/16/2009 12:10 PM, Jan-Florian Hilgenberg wrote:
  is there a way to run servlets as the fileowner of the servlet - like suphp
  on lamp environments.

 As Jason and André have said, this is essentially not possible.

 On the other hand, I suspect you are trying to do something specific --
 not simply getting a thread to run as a particular uid. If you tell us
 what you're /really/ trying to do, we may be able to offer alternative
 suggestions.

 -chris




RE: running servlets as fileowner

2009-07-17 Thread Caldarale, Charles R
 From: Jan-Florian Hilgenberg [mailto:florianhilgenb...@googlemail.com]
 Subject: Re: running servlets as fileowner
 
 @chris - I need to offer JSP for some customers in a shared hosting
 environment,
 and I have to reach a high security level in this case (comparison with
 php-cgi + suexec/suphp).

Then run a separate Tomcat instance for each customer, as previously suggested.

 - Chuck
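
The layout suggested in this thread (André's two Tomcats behind an Apache httpd front-end, and Chuck's one Tomcat per customer), as an added example that is not part of the original messages. The ports, the `/special` path and the host names are assumptions, and each Tomcat is assumed to be started under its own OS account with its AJP connector bound to loopback.

```apache
# Added example, not from the thread. Ports, paths and host names are assumed.
# Each Tomcat runs as its own OS account; httpd needs none of their privileges.
LoadModule proxy_module     modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so

# This front-end only reverse-proxies; never act as an open forward proxy.
ProxyRequests Off

# (httpd 2.2 also needs "NameVirtualHost *:80" for the hosts below.)

# Path-based split (two Tomcats). ProxyPass rules are checked in order and
# the first match wins, so the specific /special rule precedes the catch-all.
<VirtualHost *:80>
    ServerName www.example.com
    # Tomcat2: special uid/gid, AJP connector on 127.0.0.1:8010 (assumed)
    ProxyPass /special ajp://127.0.0.1:8010/special
    # Tomcat1: normal uid/gid, AJP connector on 127.0.0.1:8009 (assumed)
    ProxyPass /        ajp://127.0.0.1:8009/
</VirtualHost>

# Per-customer split: one virtual host and one Tomcat instance per customer,
# so a compromised webapp only holds that customer's uid/gid.
<VirtualHost *:80>
    ServerName customer-a.example.com
    ProxyPass / ajp://127.0.0.1:8011/
</VirtualHost>

<VirtualHost *:80>
    ServerName customer-b.example.com
    ProxyPass / ajp://127.0.0.1:8012/
</VirtualHost>
```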





RE: running servlets as fileowner

2009-07-16 Thread Jason Pyeron
 

 -----Original Message-----
 From: Jan-Florian Hilgenberg 
 Sent: Thursday, July 16, 2009 12:10
 Subject: running servlets as fileowner
 
 hi mailinglist,
 
 is there a way to run servlets as the fileowner of the 
 servlet - like suphp on lamp environments.
 thank you for your help

The first issue you are going to run into is that Java does not support setting
the uid/gid, and you would have to modify the jvm to support uid/gid per thread.
Now apache/php works differently: apache launches a child process (php); each
process can have a different uid/gid.

To do this you would have to do an RMI type thing: have a master service running
as root, accepting connections, then launching subordinate processes as the
desired uid/gid to execute the code (of course this is all happening in a
different JVM).

-Jason


