Changing the ownership of an existing process on Linux

I would like to start Tomcat (web server) as a privileged user, and then return it to the unprivileged user after it starts. Is there a way to do this programmatically or generally with Linux?

Thanks.

+6
linux tomcat redhat
6 answers

I know of kchuid, which does just that, and although it seems abandoned, it doesn't seem like it would be hard to update.

However, the hosting company I'm working for allows (hosting) users to run their own web server, including Tomcat on port 80. This is done using the authbind tool, which does not require the server to run as root, but simply allows non-root users to bind to selected IP addresses and selected ports.

The only catch is that authbind will not work by default with the Java network abstraction layer. You need to disable Java IPv6 support and possibly specify a specific IP address for your application to bind to. The former can be done by running the JRE with -Djava.net.preferIPv4Stack=true, but the latter will be application specific.

+2

The appropriate system call you need is setuid(2), but it is not exposed by any of the Java APIs.

It's easy to write a JNI wrapper that would give it access, although even then you would need to find a suitable place in Tomcat's startup code to call setuid after the bind(2) calls (those that usually require root privileges) have been made.

As recommended by geocar, you can use authbind so that Tomcat never starts as root.

Alternatively, since you supposedly got root access on the appropriate server, just run Tomcat on an unprivileged port and then use t24 tweaks to forward incoming requests from the privileged port to the one Tomcat is actually listening to. See this SO post for information on how to do this.

+4

You can do this in your own application code through a system call, seteuid (http://www.opengroup.org/onlinepubs/009695399/functions/seteuid.html), but as for doing this through a bash script or something else, I'm not sure. Why not just start the process as a regular user in the first place?

+1

Although a process may waive its own privileges, I do not think that you can simply change the user of another running process.

0

Can you explain why you want to do this? As a rule, it is better to identify the user who has the necessary privileges (see "The principle of least privilege") and run it as that user.

0

You can create a separate program that starts with root privileges (for example, using a setuid binary), does whatever work needs privileges, drops privileges with setuid, and finally execs tomcat.

Depending on what problem you are trying to solve, this may or may not be a solution. For example, if you need to start the server with a higher priority, this will work.

0
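
The launcher described in the last answer, as an added example that is not part of any of the original answers. The function name `drop_privileges` and the command-line layout (numeric uid, numeric gid, then the program to exec) are assumptions made for this sketch; it clears supplementary groups, sets the gid before the uid, and checks that root cannot be regained before it execs the target.

```c
/* Added example: start as root, drop to an unprivileged uid/gid, exec a program. */
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently switch to uid/gid. Returns 0 on success, -1 on any failure.
 * Order matters: supplementary groups and the gid must be changed while the
 * process is still root, because after setuid() it may no longer change them. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return -1;                      /* switching to root is not a drop */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;                      /* shed root's supplementary groups */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)               /* as root: real, effective and saved uid */
        return -1;
    /* Verify the drop is complete and cannot be undone. */
    if (setuid(0) == 0 || seteuid(0) == 0)
        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 4) {
        fprintf(stderr, "usage: %s <uid> <gid> <program> [args...]\n", argv[0]);
        return 2;
    }
    /* Work that needs root (e.g. raising priority, as the answer mentions) goes here. */
    if (drop_privileges((uid_t)strtoul(argv[1], NULL, 10),
                        (gid_t)strtoul(argv[2], NULL, 10)) != 0) {
        perror("drop_privileges");
        return 1;                       /* never exec the target while still root */
    }
    execvp(argv[3], &argv[3]);          /* returns only if the exec failed */
    perror("execvp");
    return 127;
}
```

Every return value is checked because a setuid() call that fails silently would leave the target program running as root.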