Milt Epstein wrote:
> I was sure this had come up before, but I couldn't find anything about
> it on the archives (well, when I could get through to the archives).
>
> Basically, I'm wondering how people are dealing with the situation
> where a servlet needs to access some files whose access is
> restricted (via file permissions; I guess this is most/only applicable
> in a UNIX environment).
>
> The standard thing might be to run the servlet engine as the same
> user/group as the web server (e.g. nobody), that user being one with
> very limited permissions on the system. But then the servlets
> wouldn't have access to any restricted files.
>
> The other extreme would be to run the servlet engine as root, in which
> case the servlets would have access to everything. But that probably
> is not advisable.
>
> Other suggestions?
>
No matter what, you are going to have to run the servlet engine under a
username that has access to the files that your servlets need. It might be
possible to set up an appropriate group or something, but the details are
pretty application dependent.
Beyond that, in a Java2 environment you can also use the policy settings to
limit which files the servlet engine can access, even if the operating system
allows it. The servlet engine would run under a username with enough OS-level
permissions to do the access, but the policies might limit which directories
can be used, or what file operations can be done. NOTE: This does not help
you if you call native methods, which will still be limited only by the OS
permissions.
>
> Thanks.
>
> Milt Epstein
Craig McClanahan
___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".
Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
