File uploaded under 'nobody' uid on linux

Discussion in 'Java' started by ruds, May 18, 2011.

  1. ruds

    ruds Guest

    Hi,
    I have a web application in which users upload files and later I
    convert them to pdf's using jodconverter.
    What I have found is, when users upload files they are stored under
    'nobody's' uid on linux.
    Let me give you a background of my webapp.
    tomcat is under /root/apache* directory, I have given a link to actual
    source files and uploaded files stored in the webapps directory of
    apache.
    The actual files are stored under another users home/projects
    directory.
    So when a web user uploads some files it is being stored at above
    mentioned location and when I want to convert the files to pdf I'm
    not having write permissions to the files as the UID for these files
    is 65534.
    Now, please tell me what should I do so that whenever files are
    uploaded they are stored with the user's name where all code and other
    files are stored.
     
    ruds, May 18, 2011
    #1

  2. ruds

    Lew Guest

    ruds wrote:
    > I have a web application in which users upload files and later I
    > convert them to pdf's [sic] using jodconverter.
    > What I have found is, when users upload files they are stored under
    > 'nobody's' [sic] uid on linux [sic].
    > Let me give you a back ground of my webapp.
    > tomcat is under /root/apache* directory, I have given a link to actual
    > source files and uploaded files stored in the webapps directory of
    > apache.
    > The actual files are stored under another users home/projects
    > directory.
    > So when a web user uploads some files it is being stored at above
    > mentioned location and when I want to convert the files to pdf I'm am
    > not having write permissions to the files as the UID for these files
    > is 65534.
    > Now, please tell me what should I do so that whenever files are
    > uploaded they are stored with the user's name where all code and other
    > files are stored.


    That depends in great measure on the deployment environment (Tomcat?
    WebSphere?), but ultimately on what user ID the application runs under.
    Presumably it's running as 'nobody', right?

    This is actually a Linux question - check your HOW-TOs and the documentation
    for your application server. I usually just run the startup script under the
    desired user ID.

    Another thing you can do is run a 'chmod' script that's setuid to root.

    --
    Lew
    Honi soit qui mal y pense.
    http://upload.wikimedia.org/wikipedia/commons/c/cf/Friz.jpg
     
    Lew, May 18, 2011
    #2

  3. ruds

    Lew Guest

    On 05/18/2011 01:17 PM, Lew wrote:
    > ruds wrote:
    >> I have a web application in which users upload files and later I
    >> convert them to pdf's [sic] using jodconverter.
    >> What I have found is, when users upload files they are stored under
    >> 'nobody's' [sic] uid on linux [sic].
    >> Let me give you a back ground of my webapp.
    >> tomcat is under /root/apache* directory, I have given a link to actual
    >> source files and uploaded files stored in the webapps directory of
    >> apache.
    >> The actual files are stored under another users home/projects
    >> directory.
    >> So when a web user uploads some files it is being stored at above
    >> mentioned location and when I want to convert the files to pdf I'm am
    >> not having write permissions to the files as the UID for these files
    >> is 65534.
    >> Now, please tell me what should I do so that whenever files are
    >> uploaded they are stored with the user's name where all code and other
    >> files are stored.

    >
    > That depends in great measure on the deployment environment (Tomcat?
    > WebSphere?), but ultimately on what user ID the application runs under.
    > Presumably it's running as 'nobody', right?
    >
    > This is actually a Linux question - check your HOW-TOs and the documentation
    > for your application server. I usually just run the startup script under the
    > desired user ID.
    >
    > Another thing you can do is run a 'chmod' script that's setuid to root.


    Oops - 'chown' script. Or both.

    --
    Lew
    Honi soit qui mal y pense.
    http://upload.wikimedia.org/wikipedia/commons/c/cf/Friz.jpg
     
    Lew, May 18, 2011
    #3
  4. ruds

    ruds Guest

    When I execute the ps command, this is what I get:
    root 9161 1 0 May16 ? 00:03:04
    -classpath /root/apache-tomcat-6.0.29/bin/tomcat-juli.jar:/root/apache-
    tomcat-6.0.29/bin/bootstrap.jar:/root/apache-tomcat-6.0.29/webapps
    /FIR/WEB-INF/classes -Dcatalina.base=/root/apache-tomcat-6.0.29 -
    Dcatalina.home=/root/apache-tomcat-6.0.29/bin -Djava.io.tmpdir=/root/
    apache-tomcat-6.0.29/temp org.apache.catalina.startup.Bootstrap start

    So isn't Tomcat running under root?
    I have given link to another location from the /root/apchec*/webapps
    directory which is present in another users home.
    So, when my webapp is storing documents shouldn't store under this
    users id or root's by default? How come the uid is that of nobody?
     
    ruds, May 19, 2011
    #4
  5. ruds

    Nigel Wade Guest

    On 19/05/11 05:53, ruds wrote:
    > When I execute the ps command, this is what I get:
    > root 9161 1 0 May16 ? 00:03:04
    > -classpath /root/apache-tomcat-6.0.29/bin/tomcat-juli.jar:/root/apache-
    > tomcat-6.0.29/bin/bootstrap.jar:/root/apache-tomcat-6.0.29/webapps
    > /FIR/WEB-INF/classes -Dcatalina.base=/root/apache-tomcat-6.0.29 -
    > Dcatalina.home=/root/apache-tomcat-6.0.29/bin -Djava.io.tmpdir=/root/
    > apache-tomcat-6.0.29/temp org.apache.catalina.startup.Bootstrap start
    >
    > So isn't Tomcat running under root?


    That would be exceedingly dangerous. Maybe Tomcat has changed its
    effective UID to "nobody" to avoid those dangers.

    > I have given link to another location from the /root/apchec*/webapps
    > directory which is present in another users home.
    > So, when my webapp is storing documents should'nt store under this
    > users id or root's by default? How come the uid is that of nobody?


    I doubt very much that it would write files as some arbitrary user,
    merely based on who owns the directory. It most likely writes files as
    user "nobody" because writing files owned by root into arbitrary
    directories, with odd modes, can be open to serious abuse.

    It may also be because the filesystem is mounted using NFS, and NFS is
    translating UID=0 to UID=65535 for security reasons.

    --
    Nigel Wade
     
    Nigel Wade, May 19, 2011
    #5
  6. In message
    <>, ruds
    wrote:

    > Now, please tell me what should I do so that whenever files are
    > uploaded they are stored with the user's name where all code and other
    > files are stored.


    One way is to activate this mechanism
    <http://httpd.apache.org/docs/current/suexec.html>.
     
    Lawrence D'Oliveiro, May 19, 2011
    #6
  7. ruds

    Lew Guest

    On 05/19/2011 05:50 AM, Lawrence D'Oliveiro wrote:
    > In message
    > <>, ruds
    > wrote:
    >
    >> Now, please tell me what should I do so that whenever files are
    >> uploaded they are stored with the user's name where all code and other
    >> files are stored.

    >
    > On way is to activate this mechanism
    > <http://httpd.apache.org/docs/current/suexec.html>.


    The OP has not stated that he's using httpd.

    --
    Lew
    Honi soit qui mal y pense.
    http://upload.wikimedia.org/wikipedia/commons/c/cf/Friz.jpg
     
    Lew, May 19, 2011
    #7
  8. In article <ir34lt$eqj$>, Lew <>
    wrote:

    > On 05/19/2011 05:50 AM, Lawrence D'Oliveiro wrote:
    > > In message
    > > <>, ruds
    > > wrote:
    > >
    > >> Now, please tell me what should I do so that whenever files are
    > >> uploaded they are stored with the user's name where all code and
    > >> other files are stored.

    > >
    > > On way is to activate this mechanism
    > > <http://httpd.apache.org/docs/current/suexec.html>.

    >
    > The OP has not stated that he's using httpd.


    Lew: This point is well taken, but the article _does_ outline the
    (myriad) security issues that ruds should consider.

    ruds: If you don't use httpd/suEXEC, you're likely going to have to
    create something similar.

    --
    John B. Matthews
    trashgod at gmail dot com
    <http://sites.google.com/site/drjohnbmatthews>
     
    John B. Matthews, May 20, 2011
    #8
  9. ruds

    Lew Guest

    John B. Matthews wrote:
    > Lew wrote:
    >> Lawrence D'Oliveiro wrote:
    >>> ruds wrote:
    >>>> Now, please tell me what should I do so that whenever files are
    >>>> uploaded they are stored with the user's name where all code and
    >>>> other files are stored.
    >>>
    >>> On way is to activate this mechanism
    >>> <http://httpd.apache.org/docs/current/suexec.html>.


    >> The OP has not stated that he's using httpd.


    > Lew: This point is well taken, but the article _does_ outline the
    > (myriad) security issues that ruds should consider.
    >
    > ruds: If you don't use httpd/suEXEC, you're likely going to have to
    > create something similar.


    I use Tomcat a lot. I always run it as a non-privileged user, with the
    installation directory tree under that same user's ownership. This "nobody"
    issue has never arisen under that configuration for me.

    I also run it as a multi-instance installation
    <http://tomcat.apache.org/tomcat-6.0-doc/introduction.html>
    <http://tomcat.apache.org/tomcat-7.0-doc/introduction.html>
    "Optionally, Tomcat may be configured for multiple instances by defining
    $CATALINA_BASE for each instance."

    One useful approach is to set CATALINA_BASE to $HOME/.tomcat or similar
    directory within the home directory of each designated Tomcat user.

    See the section "Advanced Configuration - Multiple Tomcat Instances" in the
    $CATALINA_HOME/RUNNING.txt file.

    --
    Lew
    Honi soit qui mal y pense.
    http://upload.wikimedia.org/wikipedia/commons/c/cf/Friz.jpg
     
    Lew, May 20, 2011
    #9
  10. In article <ir4iih$fos$>, Lew <>
    wrote:

    > John B. Matthews wrote:
    > > Lew wrote:
    > >> Lawrence D'Oliveiro wrote:
    > >>> ruds wrote:
    > >>>> Now, please tell me what should I do so that whenever files are
    > >>>> uploaded they are stored with the user's name where all code and
    > >>>> other files are stored.
    > >>>
    > >>> On way is to activate this mechanism
    > >>> <http://httpd.apache.org/docs/current/suexec.html>.

    >
    > >> The OP has not stated that he's using httpd.

    >
    > > Lew: This point is well taken, but the article _does_ outline the
    > > (myriad) security issues that ruds should consider.
    > >
    > > ruds: If you don't use httpd/suEXEC, you're likely going to have to
    > > create something similar.

    >
    > I use Tomcat a lot. I always run it as a non-privileged user, with
    > the installation directory tree under that same user's ownership.
    > This "nobody" issue has never arisen under that configuration for me.
    >
    > I also run it as a multi-instance installation
    > <http://tomcat.apache.org/tomcat-6.0-doc/introduction.html>
    > <http://tomcat.apache.org/tomcat-7.0-doc/introduction.html>
    > "Optionally, Tomcat may be configured for multiple instances by
    > defining $CATALINA_BASE for each instance."
    >
    > One useful approach is to set CATALINA_BASE to $HOME/.tomcat or
    > similar directory within the home directory of each designated Tomcat
    > user.
    >
    > See the section "Advanced Configuration - Multiple Tomcat Instances"
    > in the $CATALINA_HOME/RUNNING.txt file.


    I like this; thank you for the pointer.

    --
    John B. Matthews
    trashgod at gmail dot com
    <http://sites.google.com/site/drjohnbmatthews>
     
    John B. Matthews, May 20, 2011
    #10
  11. ruds

    ruds Guest

    Tomcat is being run under root user. But my file location are in
    another users home and it is in root group.
    So, I cannot use suExec as it does not allow root group users to run
    the program.
    I'm still not able to understand how does files get uploaded under
    nobody's uid?

    Please help.
     
    ruds, May 24, 2011
    #11
  12. ruds

    Lew Guest

    ruds wrote:
    > Tomcat is being run under root user. But my file location are in
    > another users home and it is in root group.
    > So, I cannot use suExec as it does not allow root goup users to run
    > the program.
    > I'm still not able to understand how does files get uploaded under
    > nobody'd uid?
    >
    > Please help.


    It has already been suggested that you not run Tomcat under root user. It has
    been proffered that that is possibly why it's using "nobody" as the user. Did
    you try that solution?

    To refresh your memory:

    ruds wrote:
    >> So isn't Tomcat running under root?


    Nigel Wade wrote:
    > That would be exceedingly dangerous. Maybe Tomcat has changed its
    > effective UID to "nobody" to avoid those dangers.


    Let us know how that works for you, something you have not done so far.

    --
    Lew
    Honi soit qui mal y pense.
    http://upload.wikimedia.org/wikipedia/commons/c/cf/Friz.jpg
     
    Lew, May 24, 2011
    #12
  13. In article <irg733$633$>, Lew <>
    wrote:

    > ruds wrote:
    > > Tomcat is being run under root user. But my file location are in
    > > another users home and it is in root group. So, I cannot use suExec
    > > as it does not allow root goup users to run the program. I'm still
    > > not able to understand how does files get uploaded under nobody'd
    > > uid?
    > >
    > > Please help.

    >
    > It has already been suggested that you not run Tomcat under root
    > user. It has been proffered that that is possibly why it's using
    > "nobody" as the user. Did you try that solution?
    >
    > To refresh your memory:
    >
    > ruds wrote:
    > >> So isn't Tomcat running under root?

    >
    > Nigel Wade wrote:
    > > That would be exceedingly dangerous. Maybe Tomcat has changed its
    > > effective UID to "nobody" to avoid those dangers.

    >
    > Let us know how that works for you, something you have not done so far.


    ruds: It would also help to clarify the goal as it relates to security,
    e.g. one user v. many, known user(s) v. unknown, etc.

    --
    John B. Matthews
    trashgod at gmail dot com
    <http://sites.google.com/site/drjohnbmatthews>
     
    John B. Matthews, May 24, 2011
    #13