Date:      Mon, 26 Aug 2002 16:12:04 -0700 (PDT)
From:      Dan Hulme <dan_256@yahoo.com>
To:        K.J.Koster@kpn.com, znerd@FreeBSD.ORG, freebsd-java@FreeBSD.ORG
Subject:   RE: Jboss3ctl update (I think I know the problem)
Message-ID:  <20020826231204.23827.qmail@web13406.mail.yahoo.com>
In-Reply-To: <59063B5B4D98D311BC0D0001FA7E452205FDA940@l04.research.kpn.com>

He's right, you can't SUID a script.  But this is precisely the problem because the .java_wrapper script itself can never set the environment variables.  So, even if you could SUID the script, it would still have the same problem that the "real user" is not the "effective user."  The only real solution is to make java not require the .java_wrapper script, because only then can you run the binary as another (non-root) user.
As long as the .java_wrapper script sets up an environment for java each time it is run, no SUID program will work, because that ENV will be ignored.  SUID does not work in either case.  It does SUID with the C program, but that doesn't help because the ENV will die in that case.  Either way is broken.  Static Java anyone?
-Dan
K.J.Koster@kpn.com wrote:

Dear Ernst,

> 
> > Ernst, perhaps you should revert to the daeminctl shell 
> > script instead of
> > the executable. The fact that the log paths are compiled into an
> > executable is a pain in the ass and in the end I still have 
> > to start and stop Orion as root.
> 
> Yeah, but the reason I switched to a C-based program, is that 
> a shell script cannot be made SUID :-\
>
Well, it still does not work SUID. :-/

>
> Anybody have an alternative solution???
>
Perhaps you could set LD_CONFIG_PATH explicitly. This is a security risk, so
you may have to discuss the implications of doing so on -hackers. Also, it
may be JDK dependent where that lib directory resides.

Kees Jan

=====================================================
You can't have everything. Where would you put it?
[Steven Wright]


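Added example, not code from this thread or from the FreeBSD JDK port: a small C launcher of the kind the thread is circling around, with the account name and JDK paths as placeholder assumptions. It drops root permanently before exec and supplies the environment itself instead of expecting the caller's environment or a wrapper script to survive the setuid transition; once real and effective uid agree, the exec'd java is an ordinary process and the dynamic linker honours LD_LIBRARY_PATH again.

```c
/* Added example: setuid launcher that drops privileges first and builds
 * its own environment, rather than trusting the one it was started with. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <pwd.h>
#include <grp.h>

#define RUN_AS_USER "jboss"           /* assumed unprivileged account */
#define JAVA_HOME   "/usr/local/jdk"  /* placeholder JDK location */
#define JAVA_BIN    JAVA_HOME "/bin/java"

/* Fill envp with a fixed, minimal environment derived from java_home. Returns
 * the entry count (NULL excluded) or -1 if max is too small. Static buffers. */
int build_env(char **envp, size_t max, const char *java_home)
{
    static char home_buf[512], ld_buf[512];
    if (max < 4) return -1;
    snprintf(home_buf, sizeof home_buf, "JAVA_HOME=%s", java_home);
    snprintf(ld_buf, sizeof ld_buf, "LD_LIBRARY_PATH=%s/lib", java_home);
    envp[0] = "PATH=/bin:/usr/bin";     /* no inherited PATH, no surprises */
    envp[1] = home_buf;
    envp[2] = ld_buf;
    envp[3] = NULL;
    return 3;
}

/* Drop root permanently: supplementary groups, then gid, then uid.
 * Returns 0 only if both real and effective uid ended up as the target. */
int drop_privileges(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (!pw) return -1;
    if (setgroups(1, &pw->pw_gid) != 0) return -1;
    if (setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0) return -1;
    return (getuid() == pw->pw_uid && geteuid() == pw->pw_uid) ? 0 : -1;
}

int main(int argc, char **argv)
{
    char *envp[8];
    if (drop_privileges(RUN_AS_USER) != 0) { perror("drop_privileges"); return 1; }
    if (build_env(envp, 8, JAVA_HOME) < 0) return 1;
    argv[0] = "java";                   /* argv[1..] pass straight through */
    execve(JAVA_BIN, argv, envp);       /* only returns on failure */
    perror("execve"); return 1;
}
```

The binary itself still has to be installed setuid root so it can call setuid(); what it removes is the dependence on any environment or wrapper script surviving that transition.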