Posted By: Nathan_Meyers
Posted On: Wednesday, April 4, 2001 02:05 PM

The process running your servlet engine is the one that
matters here - your own login is irrelevant, because you're
not the one running code, the servlet engine is. Evidently,
your servlet engine is being run by user nobody, which
is a pretty common way to keep servlets from being able
to do damage.

So how do you get your servlets to violate security
rules for Unix and Linux? You can't; you'll need to make
some other arrangement. Here are some possibilities:

- Run the servlet engine as root. This is dangerous.
- Create some external programs or scripts that have
setuid privileges, and invoke those programs with
Runtime.exec() calls. Depending on what those programs
do, this could be pretty dangerous also.
- Write an external setuid program that works like
"su" - taking a username and a password that you'd
collect from the user - and executing the requested command
if the username and password are good. The "su" program
is not an exact fit, because it expects you to type a password
in on a tty, but something based on "su" would do the trick.

What these all have in common is that some code
needs to run, at least temporarily, with extraordinary privileges -
so you can't do this on a system with an uncooperative
sysop. But that's the nature of security in a real OS
like Linux - you don't give everyone the power to
do damage.
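
The setuid-helper option above is only as safe as the helper is narrow. As an added example (not part of the original post), here is a C helper that accepts one action name, maps it through a fixed allowlist to an absolute path, and execs it with a clean environment. The action names and target paths are hypothetical placeholders.

```c
/* Added example: narrowly scoped setuid helper. Action names and target
 * paths are hypothetical; install owned by root, mode 4750, with a group
 * that contains only the servlet engine's user. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

struct action { const char *name; const char *path; const char *arg; };

/* Fixed allowlist: the caller picks a name, never a path or command line. */
static const struct action ACTIONS[] = {
    { "rotate-logs",  "/usr/local/sbin/rotate-app-logs", NULL },
    { "reload-proxy", "/usr/local/sbin/reload-proxy",    "--graceful" },
};

/* Return the allowlisted action for an exact name match, or NULL. */
const struct action *lookup_action(const char *name)
{
    if (name == NULL)
        return NULL;
    for (size_t i = 0; i < sizeof ACTIONS / sizeof ACTIONS[0]; i++)
        if (strcmp(name, ACTIONS[i].name) == 0)
            return &ACTIONS[i];
    return NULL;
}

int main(int argc, char **argv)
{
    /* The caller's environment (PATH, LD_PRELOAD, IFS, ...) is discarded. */
    static char *const clean_env[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };
    const struct action *a;

    if (argc != 2 || (a = lookup_action(argv[1])) == NULL) {
        fprintf(stderr, "usage: helper <action>\n");
        return 2;
    }
    /* argv is built from the table only; no shell ever sees caller input. */
    char *const child_argv[] = { (char *)a->path, (char *)a->arg, NULL };
    execve(a->path, child_argv, clean_env);
    perror("execve");   /* reached only if the exec itself failed */
    return 1;
}
```

On the servlet side, pass the action name as a single array element to Runtime.exec(String[]) rather than building a command string, so the name reaches the helper as one argument.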