使用Java分叉特权 [英] Fork and drop privileges with Java
问题描述
我正在用Java编写一个服务器程序,允许用户使用DRMAA提交作业。虽然主服务器进程以 root 运行,但它所做的只是对用户进行身份验证,然后启动另一个以该用户身份运行的Java程序并实际完成工作以符合最小化特权的原则。最初,我使用 Runtime.exec()和 sudo (下面的示例)这样做,直到该过程正常被诅咒,此时 sudo 因为没有终端而感到沮丧。
I'm writing a server program in Java that will allow users to submit jobs using DRMAA. Although the main server process runs as root, all it does is authenticate the user, then start another Java program which runs as that user and actually does the work in order to comply with the principle of minimising privileges. Initially, I was doing this with Runtime.exec() and sudo (example below) which works fine until the process is dæmonised, at which point sudo gets upset because it doesn't have a terminal.
String[] command = {"sudo", "-i", "-u", username, java, theOtherJavaProgram};
Runtime.getRuntime().exec(command, null, getHomeDirectory(username));
作为守护进程运行时,在Java中执行此分支特权模式的最佳方法是什么?有办法吗?我是否必须打破C并学习如何使用JNI创建JVM?
What's the best way to do this fork and drop privileges pattern in Java when running as a daemon? Is there a way? Am I going to have to break out the C and learn how to create JVMs with JNI?
推荐答案
您可以使用 su(1)而不是 sudo(8)。 su(1)的参与程度要低得多,而且可能不会想要终端本身。 (当然,如果您的PAM配置需要 su(1)的终端输入,那么这可能也无法正常工作。)
You could use su(1) instead of sudo(8). su(1) is much less involved, and probably won't want the terminal itself. (Of course, if your PAM configuration requires terminal input for su(1), then this might not work well either.)
这篇关于使用Java分叉特权的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
