Re : Java, JNI and UNIX root effective user id

Phill Tadman

Hi everybody

Can I get a java application to execute with root effective user id when
run by a normal user under unix ?


I'm trying to use a third party c++ native API to access some fibre
channel disks.

I've created a c++ wrapper for this API, and can call into the wrapper
via JNI from my java application.

Given that the API would normally be called from an application that was
running with root effective user id eg:

% chown root application; chmod u+s application
% ls -l application
-rwsrwxr-x 1 root owner

I'm guessing that my java/jni combination will also need to run with
root euid to access the API correctly


Any ideas would be greatly appreciated

Phill Tadman
 
Gordon Beaton

> Can I get a java application to execute with root effective user id
> when run by a normal user under unix ? [...]
> Given that the API would normally be called from an application that
> was running with root effective user id eg:

There isn't anything in your post to indicate that it really is
necessary to run the application as root, and unless that's really the
case you shouldn't do it. Do these disks not have regular filesystems
that can be accessed by normal users?

Whatever you do, don't make the JVM executable setuid because that
would give root privileges to every java application.

Simplest is probably to write a small setuid program to launch the
java application. Sudo comes to mind here, but since every java
application uses the same executable I'm not sure it can't be misused
to run other java applications than the intended one, so you probably
need to write your own launcher with a hardcoded command line. At any
rate, it's important that it clear the user's CLASSPATH before it
launches java, and you need to make sure that all of the application's
classfiles are under your control.

/gordon
 
Phill Tadman

Gordon said:
> > Can I get a java application to execute with root effective user id
> > when run by a normal user under unix ?
> > [...]
> >
> > Given that the API would normally be called from an application that
> > was running with root effective user id eg:
>
> There isn't anything in your post to indicate that it really is
> necessary to run the application as root, and unless that's really the
> case you shouldn't do it. Do these disks not have regular filesystems
> that can be accessed by normal users?
>
> Whatever you do, don't make the JVM executable setuid because that
> would give root privileges to every java application.
>
> Simplest is probably to write a small setuid program to launch the
> java application. Sudo comes to mind here, but since every java
> application uses the same executable I'm not sure it can't be misused
> to run other java applications than the intended one, so you probably
> need to write your own launcher with a hardcoded command line. At any
> rate, it's important that it clear the user's CLASSPATH before it
> launches java, and you need to make sure that all of the application's
> classfiles are under your control.
>
> /gordon

Hi gordon - many thanks for your response

No, the disks don't have a normal file system on them, it's a proprietary
format.

I've tried launching a setuid program that launches a java app that
itself calls native code to output the result of geteuid, but this still
shows the real user id

Phill
 
Gordon Beaton

> I've tried launching a setuid program that launches a java app that
> itself calls native code to output the result of geteuid, but this
> still shows the real user id

Maybe you need to set the "true" uid and gid.

Anyway doing so works for me:

$ java Whoami
uid: 456
gid: 100
euid: 456
egid: 100

$ asroot java Whoami
uid: 0
gid: 0
euid: 0
egid: 0

Whoami calls 4 native methods that in turn call getuid() (etc). asroot
has both setuid and setgid bits set, but before calling execvp() it
does this:

setuid(geteuid());
setgid(getegid());

/gordon
 
Phill Tadman

Gordon said:
> Maybe you need to set the "true" uid and gid.
>
> Anyway doing so works for me:
>
> $ java Whoami
> uid: 456
> gid: 100
> euid: 456
> egid: 100
>
> $ asroot java Whoami
> uid: 0
> gid: 0
> euid: 0
> egid: 0
>
> Whoami calls 4 native methods that in turn call getuid() (etc). asroot
> has both setuid and setgid bits set, but before calling execvp() it
> does this:
>
> setuid(geteuid());
> setgid(getegid());
>
> /gordon


Thanks gordon,

the setuid( getuid() ) does the trick

Phill
 
