SUMMARY: how can a Java prg run as root without launching it as root?

From: Sabrina LAUTIER <sabrina.lautier_at_imaginebroadband.com>
Date: Mon Jul 16 2001 - 08:45:44 EDT

Thank you for the responses. Sorry for the late summary.

The answer is short: sudo does the job perfectly!
Developers can now run their prg using the following syntax:
$ sudo $APP_PATH/<script>

I still need to work on a few issues, such as enabling users to run this sudo
command from anywhere under their home directory (without having to specify
it in the sudoers file!)

The sudoers file looks like this:
****************************************************************************
# User alias specification
User_Alias      TOTO_PRJ = toto
..
# Cmnd alias specification
Cmnd_Alias      START_TOTO = /export/projects/toto/totoBackend/toto_starter
..
# User privilege specification
..
TOTO_PRJ        ALL = NOPASSWD: START_TOTO
****************************************************************************
In the above example, I've specified a full path to the toto_starter script,
but this script can be anywhere in the project's home directory!
APP_PATH can be anything starting with /export/projects/toto/:
Ex:
APP_PATH = /export/projects/toto/tutu/toto_starter
APP_PATH = /export/projects/toto/a/b/toto_starter
... etc.

Thanks all for help and suggestions

Sabrina LAUTIER

Original Post
> Hello,
> A developer team is working on a Java application that needs to bind to
> port 67 (we absolutely can't change it as it's constructor dependent).
> I know that only root can bind to port numbers lower than 1024 but I don't
> want anybody in the developer team to know the root password!!
> In other words: how can this prg run as root without launching it as root?
> Can 'sudo' or 'SUID bit' solve the problem given that this is a Java
> program??
>
> The starting script looks like:
> ****************************************
> #!/usr/local/bin/bash
>
> CLASSPATH=/export/projects/toto/totoBackend/Sources:/export/projects/toto/totoBackend/Libraries/xerces.jar...
> export CLASSPATH
> java com.imaginebroadband.BackendStarter
> ****************************************

Received on Mon Jul 16 13:45:44 2001
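
An added example, not part of the original message: a Python check that reads Cmnd_Alias lines like those in the sudoers excerpt above and reports whether each command path uses a wildcard and whether the script, or any directory above it, is owned or writable by someone other than root, since whoever can edit a script run through sudo has their edits executed as root. The SUDOERS sample is constructed from the excerpt, and the function names are illustrative assumptions.

```python
import os
import re
import stat

# Constructed sample mirroring the sudoers excerpt in the message above.
SUDOERS = """\
User_Alias      TOTO_PRJ = toto
Cmnd_Alias      START_TOTO = /export/projects/toto/totoBackend/toto_starter
TOTO_PRJ        ALL = NOPASSWD: START_TOTO
"""

def cmnd_alias_paths(sudoers_text):
    """Return {alias: [command paths]} for simple Cmnd_Alias lines.
    Command arguments are dropped; escaped commas are not handled."""
    aliases = {}
    for line in sudoers_text.splitlines():
        m = re.match(r"\s*Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            cmds = [c.split()[0] for c in m.group(2).split(",") if c.strip()]
            aliases[m.group(1)] = cmds
    return aliases

def has_wildcard(path):
    """sudoers glob characters widen a rule to every matching path."""
    return any(ch in path for ch in "*?[")

def untrusted_components(path, trusted_uids=(0,)):
    """Walk from the resolved file up to /, returning each component that a
    non-trusted user could edit or replace: owned by an untrusted uid, or
    group/other-writable (sticky directories are reported too)."""
    findings = []
    current = os.path.realpath(path)
    while True:
        st = os.stat(current)
        if st.st_uid not in trusted_uids:
            findings.append((current, "owner uid %d" % st.st_uid))
        elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((current, "group/other writable"))
        parent = os.path.dirname(current)
        if parent == current:
            return findings
        current = parent

if __name__ == "__main__":
    for alias, cmds in cmnd_alias_paths(SUDOERS).items():
        for cmd in cmds:
            print(alias, cmd, "wildcard" if has_wildcard(cmd) else "exact path")
            if os.path.exists(cmd):
                for comp, why in untrusted_components(cmd):
                    print("  not root-controlled:", comp, "(" + why + ")")
```

Run on the host that holds the sudoers file; any line printed under "not root-controlled" names a file or directory whose owner or writers can change what the NOPASSWD rule executes.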
