User privileges and user ID for servlets

Nathan Meyers

Answer by Nathan Meyers

Re: user privileges and the "nobody" user

The process running your servlet engine is the one that matters here - your own login is irrelevant, because you're not the one running code, the servlet engine is. Evidently, your servlet engine is being run by user nobody, which is a pretty common way to keep servlets from being able to do damage.

So how do you get your servlets to violate security rules for Unix and Linux? You can't; you'll need to make some other arrangement. Here are some possibilities:

  • Run the servlet engine as root. This is dangerous.
  • Create some external programs or scripts that have setuid privileges, and invoke those programs with Runtime.exec() calls. Depending on what those programs do, this could be pretty dangerous also.
  • Write an external setuid program that works like "su" - taking a username and a password that you'd collect from the user - and executing the requested command if the username and password are good. The "su" program is not an exact fit, because it expects you to type a password in on a tty, but something based on "su" would do the trick.

What these all have in common is that some code needs to run, at least temporarily, with extraordinary privileges - so you can't do this on a system with an uncooperative sysop. But that's the nature of security in a real OS like Linux - you don't give everyone the power to do damage.
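As an added illustration (not part of the original answer), here is one way to keep the setuid-helper option from the list above narrow: the helper accepts only an action name, maps it to a fixed absolute path, and executes it with a fixed argument list and a minimal environment. The action names and paths are hypothetical.

```c
/* Added example: a setuid helper that runs only fixed, allowlisted actions.
 * Action names and paths are hypothetical, chosen for illustration. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

struct action { const char *name; const char *path; };

/* Constructed allowlist: the caller picks a name, never a path or arguments. */
static const struct action ACTIONS[] = {
    { "rotate-logs", "/usr/local/libexec/webhelper/rotate-logs" },
    { "reload-conf", "/usr/local/libexec/webhelper/reload-conf" },
};

/* Return the absolute path for an allowlisted action, or NULL if unknown. */
const char *lookup_action(const char *name)
{
    if (name == NULL)
        return NULL;
    for (size_t i = 0; i < sizeof ACTIONS / sizeof ACTIONS[0]; i++)
        if (strcmp(name, ACTIONS[i].name) == 0)
            return ACTIONS[i].path;
    return NULL;
}

int main(int argc, char **argv)
{
    /* Exactly one argument is accepted: the action name. */
    const char *path = (argc == 2) ? lookup_action(argv[1]) : NULL;
    if (path == NULL) {
        fprintf(stderr, "usage: %s <action>\n", argc > 0 ? argv[0] : "helper");
        return 2;
    }
    /* Fixed argv and a minimal environment: nothing supplied by the caller
     * (PATH, LD_PRELOAD, IFS, extra arguments) reaches the privileged program. */
    char *const child_argv[] = { (char *)path, NULL };
    char *const child_envp[] = { "PATH=/usr/bin:/bin", NULL };
    execve(path, child_argv, child_envp);   /* direct exec, no shell involved */
    perror("execve");
    return 1;
}
```

From the servlet, such a helper would be invoked with the array form of Runtime.exec(), passing the helper path and the action name as separate elements so that no shell parses the request.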