Joakim
As you were mentioning, using setuid in an embedded environment is unusual. I can report that (providing you wait until you've started all of your servers etc., and you don't have apache installed on your desktop machine [I've been having fun!]), using System.load(libsetuid-linux-1.0.0.so) and setuid(1000) works like a charm!
A very easy way of reducing privileges.
Once again thanks for your pointers, they really helped!
-medge
From: jetty-users-bounces@xxxxxxxxxxx [mailto:jetty-users-bounces@xxxxxxxxxxx]
On Behalf Of Martin Edge
Sent: Tuesday, 4 March 2014 16:17
To: JETTY user mailing list
Subject: Re: [jetty-users] libsetuid.so
! Wrong package, should have paid more attention to the nm -D output (and realised the package name was important).
Thanks for your help though.
-medge
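The "wrong package" finding above is the whole story behind the UnsatisfiedLinkError: the JVM binds a native method by looking for a symbol whose name encodes the fully qualified class name, so a library built for Jetty's org.eclipse.jetty.setuid.SetUID exports Java_org_eclipse_jetty_setuid_SetUID_setuid and can never satisfy a class in au.edu.satac.utilities.setuid. The following is an added example, not code from the thread or from Jetty: it implements the JNI name-mangling rules from the JNI specification and checks the symbols a given class would need against `nm -D` style output. The nm output embedded below is constructed for the example; on a real box you would paste the actual `nm -D libsetuid-linux-1.0.0.so` listing.

```python
"""Diagnose JNI UnsatisfiedLinkError by comparing the symbols a Java class
needs against what a shared library actually exports (as shown by `nm -D`).
Added example; not part of the jetty-users thread or of Jetty itself."""

from typing import Dict, List, Set


def mangle(name: str) -> str:
    """Apply JNI name mangling to a fully qualified class name or a method name.

    Rules from the JNI spec: '.' or '/' package separators become '_',
    '_' becomes '_1', ';' becomes '_2', '[' becomes '_3', and any other
    character that is not ASCII alphanumeric becomes '_0xxxx' (lowercase hex).
    """
    out = []
    for ch in name:
        if ch in "./":
            out.append("_")
        elif ch == "_":
            out.append("_1")
        elif ch == ";":
            out.append("_2")
        elif ch == "[":
            out.append("_3")
        elif ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            out.append("_0%04x" % ord(ch))
    return "".join(out)


def jni_symbol(fq_class: str, method: str) -> str:
    """Short (non-overloaded) JNI symbol the JVM looks up for fq_class.method."""
    return "Java_" + mangle(fq_class) + "_" + mangle(method)


def exported_symbols(nm_output: str) -> Set[str]:
    """Parse `nm -D` lines and keep defined text symbols (type 'T').

    Undefined ('U') and weak ('w') entries have no address column and are
    skipped; they are imports, not things the JVM can bind to.
    """
    syms = set()
    for line in nm_output.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1] == "T":
            syms.add(parts[2])
    return syms


def check_binding(fq_class: str, methods: List[str], nm_output: str) -> List[str]:
    """Return the native methods of fq_class that the library cannot satisfy."""
    exported = exported_symbols(nm_output)
    return [m for m in methods if jni_symbol(fq_class, m) not in exported]


def report(fq_class: str, methods: List[str], nm_output: str) -> Dict[str, str]:
    """Map each method to the symbol looked up and whether it was found."""
    exported = exported_symbols(nm_output)
    return {
        m: ("found" if jni_symbol(fq_class, m) in exported else "MISSING")
        for m in methods
    }


# Constructed `nm -D` output modelled on a library built for Jetty's own
# org.eclipse.jetty.setuid.SetUID class (addresses and glibc version invented).
SAMPLE_NM = """\
0000000000000a10 T Java_org_eclipse_jetty_setuid_SetUID_setuid
0000000000000a50 T Java_org_eclipse_jetty_setuid_SetUID_setgid
0000000000000a90 T Java_org_eclipse_jetty_setuid_SetUID_setumask
                 U setuid@GLIBC_2.2.5
                 w __gmon_start__
"""

NATIVE_METHODS = ["setuid", "setgid", "setumask"]

if __name__ == "__main__":
    for cls in ("au.edu.satac.utilities.setuid.SetUID",
                "org.eclipse.jetty.setuid.SetUID"):
        print(cls)
        for method, status in report(cls, NATIVE_METHODS, SAMPLE_NM).items():
            print("  %-50s %s" % (jni_symbol(cls, method), status))
```

The same comparison can be done by hand: run `nm -D` on the .so, and check that every `Java_...` symbol's package part matches the package of the class declaring the `native` methods. Either the class must live in the package the library was compiled for, or the C side must be rebuilt against a header generated from your own class.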
From: jetty-users-bounces@xxxxxxxxxxx [mailto:jetty-users-bounces@xxxxxxxxxxx]
On Behalf Of Martin Edge
Sent: Tuesday, 4 March 2014 15:36
To: JETTY user mailing list
Subject: Re: [jetty-users] libsetuid.so
Ok. Thanks for the links; I used the toolchain one for my initial work. Obviously I am missing something, but I can't see what it is.
Firstly, overridden doStart() with:
@Override
public void doStart() throws Exception {
    super.doStart();
    String os = System.getProperty("os.name").toLowerCase();
    if (!os.contains("win")) { // i.e. we are not testing on our development machines
        if (gid != 0) {
            SetUID.setgid(gid); // <-- Fails here
        }
        if (uid != 0) {
            SetUID.setuid(uid);
            Passwd pw = SetUID.getpwuid(uid);
            System.setProperty("user.name", pw.getPwName());
            System.setProperty("user.home", pw.getPwDir());
        }
    }
}
I grabbed the source for setuid (etc.) and cut setuid down to this (as we are running this on Linux only):
package au.edu.satac.utilities.setuid;

import au.edu.satac.business.utilities.SATACLogger;
import au.edu.satac.business.utilities.SLogger;
import au.edu.satac.utilities.SATACWebConfig;
import java.io.File;

/**
 * Class is for changing user and group id; it can also be used to retrieve user
 * information by using getpwuid(uid) or getpwnam(username) on both Linux and
 * Unix systems.
 */
public class SetUID {
    private static final SLogger logger = SATACLogger.getLogger(SetUID.class);
    public static final String FILENAME = "libsetuid";
    public static final int OK = 0;
    public static final int ERROR = -1;

    public static native int setumask(int mask);
    public static native int setuid(int uid);
    public static native int setgid(int gid);
    public static native Passwd getpwnam(String name) throws SecurityException;
    public static native Passwd getpwuid(int uid) throws SecurityException;
    public static native Group getgrnam(String name) throws SecurityException;
    public static native Group getgrgid(int gid) throws SecurityException;
    public static native RLimit getrlimitnofiles();
    public static native int setrlimitnofiles(RLimit rlimit);

    private static void loadLibrary() {
        String setuidLib = "/usr/local/satacweb/lib/libsetuid-linux-1.0.0.so";
        // String setuidLib = SATACWebConfig.getConfig().getSetUIDLib(); // Ready for some sort of dynamic mapping
        if (setuidLib != null) {
            File f = new File(setuidLib);
            if (f.exists()) {
                System.load(setuidLib);
                // Runtime.getRuntime().load(setuidLib);
            } else {
                logger.fatal(setuidLib + " not found");
            }
        } else {
            logger.info("SetUID lib isn't set");
        }
    }

    static {
        loadLibrary();
    }
}
I've cut the whole thing down even more into a test case:
package au.edu.satac;

import au.edu.satac.utilities.setuid.SetUID;

/**
 *
 * @author satmje
 */
public class MainClass {
    public static void main(String[] args) {
        SetUID.setuid(1001);
    }
}
And (the supporting classes are unchanged):
package au.edu.satac.utilities.setuid;

public class SetUID {
    public static final String FILENAME = "libsetuid";
    public static final int OK = 0;
    public static final int ERROR = -1;

    public static native int setumask(int mask);
    public static native int setuid(int uid);
    public static native int setgid(int gid);
    public static native Passwd getpwnam(String name) throws SecurityException;
    public static native Passwd getpwuid(int uid) throws SecurityException;
    public static native Group getgrnam(String name) throws SecurityException;
    public static native Group getgrgid(int gid) throws SecurityException;
    public static native RLimit getrlimitnofiles();
    public static native int setrlimitnofiles(RLimit rlimit);

    private static void loadLibrary() {
        System.load("/usr/local/satacweb/lib/libsetuid-linux-1.0.0.so");
        // Runtime.getRuntime().load("/usr/local/satacweb/lib/libsetuid-linux-1.0.0.so");
    }

    static {
        loadLibrary();
    }
}
From: jetty-users-bounces@xxxxxxxxxxx [mailto:jetty-users-bounces@xxxxxxxxxxx]
On Behalf Of Joakim Erdfelt
Sent: Tuesday, 4 March 2014 14:58
To: JETTY user mailing list
Subject: Re: [jetty-users] libsetuid.so
ok, let me try this again...
HOW are you attempting/doing this? details please.
All of the various relevant paths (class/lib/security/os/etc)?
Environment details at runtime?
Expert advice, services and support from the Jetty & CometD experts
On Mon, Mar 3, 2014 at 8:02 PM, Martin Edge <martin.edge@xxxxxxxxxxxx> wrote:
Open port 80 as root and then su to a lower privileged user.
From: jetty-users-bounces@xxxxxxxxxxx [mailto:jetty-users-bounces@xxxxxxxxxxx]
On Behalf Of Joakim Erdfelt
Sent: Tuesday, 4 March 2014 13:27
To: JETTY user mailing list
Subject: Re: [jetty-users] libsetuid.so
Can you provide more details on what you are trying to do?
As mixing libsetuid.so and jetty embedded would be a first.
On Mon, Mar 3, 2014 at 6:24 PM, Martin Edge <martin.edge@xxxxxxxxxxxx> wrote:
Having trouble running this in an embedded environment. It is finding the file, but reporting “UnsatisfiedLinkError”
Using jetty 9.1.2 on Linux.
Has anyone got this working, or does everyone use redirects?
Medge
Database and Applications Administrator
www.satac.edu.au
_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/jetty-users