giving sudo privileges to run *specific* java application
I've nearly finished setting up the deployment image for a new application we've been developing. Our java program is installed and should run as root at startup. I created a user to run the application and was originally planning to give him limited sudo access to run the app. However, since the program is a java program I would have to give sudo access to the java command. That would mean that if anyone wrote a java application with, say, a chmod 777 system call in it, they could run it with sudo and gain access to anything on the box. Is there a way I can specify that a user has permission to run *only* my application as root but no other java apps?
I'm looking for something quick and easy to do. My peers have all decided to leave the security hole in there since it is nearly impossible to even get to the physical box and very little profit (or harm) to be gained out of gaining root access. Still I would feel better knowing I did things the proper way...if I knew what that was.
Ty for the answer. I will try that when I can get some free time with the box.
Now I don't want to place the entire java command in the sudoers file, since the classpath argument is long and could change during development. I'm thinking the correct syntax I would use to allow modification of the classpath is along the lines of
ALL=java -cp [! ]* main.IIUMain
but I'm not certain since the page you linked isn't specific on syntax for regular expressions. Does allowing someone to modify the classpath still provide a security hole if they can place a file they created in the classpath? It would depend on when/how java includes libraries from a classpath and I don't know that without looking up some documentation.
Actually, on a related note, my original attempt was to give sudo privileges to run a script, with the script running the application. I then had in the .bash_profile for my user a line that sudo'ed the script file located in etc/init.d. This seemed to work when tested manually, but when I tried it with the user being auto logged in, the auto login would fail, I would have to log in manually, and my tiny window manager wouldn't open because display 0 was locked. If I knew how to avoid that problem I could go back to using a bootup script.
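Added example, not part of the thread or written by any of its posters: sudoers wildcards are shell-style globs rather than regular expressions, and in command arguments * also matches spaces, so a wildcard rule cannot pin the classpath; whoever can choose or write to a classpath entry decides which main.IIUMain gets loaded. The sketch below fixes the classpath in a root-owned launcher that sudo allows only without arguments, then audits the classpath entries for user-writable paths. The user appuser, the launcher path /usr/local/sbin/run-iiu, the /opt/iiu jar paths and both function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical names: user "appuser",
# launcher /usr/local/sbin/run-iiu, jars under /opt/iiu.
#
# sudoers entry (edit with visudo). The trailing "" forbids any arguments,
# so the caller cannot pass -cp or any other java option:
#   appuser ALL = (root) NOPASSWD: /usr/local/sbin/run-iiu ""
#
# /usr/local/sbin/run-iiu, owned by root, mode 0755, pins the classpath:
#   #!/bin/sh
#   exec /usr/bin/java -cp /opt/iiu/app.jar:/opt/iiu/lib/dep.jar main.IIUMain

# check_one PATH OWNER_UID
# Prints a finding and returns 1 if PATH is missing, not owned by OWNER_UID,
# or writable by group or others.
check_one() {
    info=$(ls -ldnL -- "$1" 2>/dev/null) || { echo "missing: $1"; return 1; }
    set -- "$1" "$2" $info      # $3 = mode string, $5 = numeric owner uid
    rc=0
    [ "$5" = "$2" ] || { echo "owner uid $5, expected $2: $1"; rc=1; }
    case $3 in
        ?????w*|????????w*) echo "group/world-writable: $1"; rc=1 ;;
    esac
    return $rc
}

# cp_audit CLASSPATH [OWNER_UID]
# Checks each colon-separated entry and the directory that contains it.
# OWNER_UID defaults to 0 (root). Exit status 0 means no findings.
# The body runs in a subshell so the IFS and set -f changes do not leak.
cp_audit() (
    set -f                      # no globbing while splitting
    owner=${2:-0} bad=0
    IFS=:; set -- $1; unset IFS # split the classpath on ':'
    for entry in "$@"; do
        [ -n "$entry" ] || entry=.      # empty entry = current directory
        check_one "$entry" "$owner" || bad=1
        check_one "$(dirname -- "$entry")" "$owner" || bad=1
    done
    exit $bad
)
```

Run as cp_audit "/opt/iiu/app.jar:/opt/iiu/lib/dep.jar" before enabling the sudoers entry; any line it prints names a path that a non-root account could replace.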