user privileges and the "nobody" user
Posted By:   Becky_Givner
Posted On:   Wednesday, April 4, 2001 11:48 AM


I have a Java servlet that uploads files using multipart requests, where the user submits the file through an HTML form.

When I do a directory listing, the group and owner of the file is "nobody".

Why is it "nobody", and is there a way to control the group or owner when the servlet does the file upload?

A related question that I posted on this forum is about how to edit the crontab file for a specific user.

I was using Runtime.getRuntime().exec() to execute the following from a servlet:

crontab -u

The command was executed without IOException being thrown.

However, the crontab was not updated, so I imagine that the servlet/"user" did not have privileges to edit other users' crontab files.

Do I need to first log in as the superuser before I can execute the command?

Re: user privileges and the "nobody" user

Posted By:   Nathan_Meyers  
Posted On:   Wednesday, April 4, 2001 02:05 PM

The process running your servlet engine is the one that matters here - your own login is irrelevant, because you're not the one running code, the servlet engine is. Evidently, your servlet engine is being run by user nobody, which is a pretty common way to keep servlets from being able to do damage.

So how do you get your servlets to violate security rules for Unix and Linux? You can't; you'll need to make some other arrangement. Here are some possibilities:

  • Run the servlet engine as root. This is dangerous.

  • Create some external programs or scripts that have setuid privileges, and invoke those programs with Runtime.exec() calls. Depending on what those programs do, this could be pretty dangerous also.

  • Write an external setuid program that works like "su" - taking a username and a password that you'd collect from the user - and executing the requested command if the username and password are good. The "su" program is not an exact fit, because it expects you to type a password in on a tty, but something based on "su" would do the trick.

What these all have in common is that some code needs to run, at least temporarily, with extraordinary privileges - so you can't do this on a system with an uncooperative sysop. But that's the nature of security in a real OS like Linux - you don't give everyone the power to do damage.
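As an added example (not code from this thread), here is the second option above, a setuid-root helper that the servlet would invoke through Runtime.exec(), reduced to the checks that keep it from becoming a general-purpose privilege escalator: a fixed binary path, a syntactic check plus an operator allowlist on the username, the crontab text taken from stdin instead of a root-readable path, no shell, and a scrubbed environment. The crontab path and the allowlist entries are assumed values.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Assumed location of the real crontab binary: fixed, never looked up via PATH. */
#define CRONTAB_PATH "/usr/bin/crontab"

/* Constructed allowlist: only these accounts may have their crontab replaced. */
static const char *const allowed_users[] = { "batchuser", "reports", NULL };

/* Accept only plain account names: [a-z_][a-z0-9_-]{0,31}.
 * This rejects '.', '/', spaces, a leading '-' and anything crontab could
 * misread as an option or a path. */
int valid_username(const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || n > 32) return 0;
    if (!islower((unsigned char)name[0]) && name[0] != '_') return 0;
    for (size_t i = 1; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!islower(c) && !isdigit(c) && c != '_' && c != '-') return 0;
    }
    return 1;
}

/* True only for an account on the operator's allowlist. */
int user_allowed(const char *name)
{
    for (int i = 0; allowed_users[i] != NULL; i++)
        if (strcmp(allowed_users[i], name) == 0) return 1;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s <user> < cronfile\n", argv[0]); return 2; }
    if (!valid_username(argv[1]) || !user_allowed(argv[1])) { fputs("refused\n", stderr); return 3; }
    /* Vixie/cronie crontab checks the *real* uid before honouring -u, so a
     * setuid-root helper must make real == effective == 0 before the exec. */
    if (geteuid() != 0 || setuid(0) != 0) { fputs("not privileged\n", stderr); return 4; }
    /* Fixed argv and no shell; "-" makes crontab read the new table from stdin,
     * so the caller never names a file that root would open on its behalf. */
    char *const args[] = { "crontab", "-u", argv[1], "-", NULL };
    char *const env[]  = { "PATH=/usr/bin:/bin", NULL };   /* scrubbed environment */
    execve(CRONTAB_PATH, args, env);
    perror("execve");
    return 1;
}
```

The servlet would pipe the crontab contents to this helper's stdin and pass only the username as an argument; everything else the helper decides for itself.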
