Running sudo from a servlet

Running sudo from a servlet

Claude Brisson
Hi all.

I use tomcat 8.5.39 and java oracle 1.8.0_191 on linux (ubuntu 19.04).
Tomcat was installed by apt-get and runs as a service.

If I open a shell as the tomcat8 user, I can launch a Java program which
successfully executes a sudo command in a sub-process.

But from a Java servlet, the code fails with this error from the sudo
executable:

     sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?

which means that somehow, the tomcat process was unable or unwilling to
honor the setuid flag of the sudo command.

Is it a special security measure ?

If yes, is it set in tomcat ? in the JVM ? In Ubuntu's tomcat8 service
packaging? In systemd config?

And is there any configuration option to relax it?

Thanks,

   Claude



---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Re: Running sudo from a servlet

Claude Brisson
(responding to myself)

The culprit is the option

     NoNewPrivileges=true

in the file /etc/systemd/system/multi-user.target.wants/tomcat8.service

When changed to false, one must also call 'systemctl daemon-reload' and
after a tomcat restart, the problem is solved.


   Claude

On 21/05/2019 19:52, Claude Brisson wrote:

> Hi all.
>
> I use tomcat 8.5.39 and java oracle 1.8.0_191 on linux (ubuntu 19.04).
> Tomcat was installed by apt-get and runs as a service.
>
> If I open a shell as the tomcat8 user, I can launch a Java program
> which successfully executes a sudo command in a sub-process.
>
> But from a Java servlet, the code fails with this error from the sudo
> executable:
>
>     sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?
>
> which means that somehow, the tomcat process was unable or unwilling
> to honor the setuid flag of the sudo command.
>
> Is it a special security measure ?
>
> If yes, is it set in tomcat ? in the JVM ? In Ubuntu's tomcat8 service
> packaging? In systemd config?
>
> And is there any configuration option to relax it?
>
> Thanks,
>
>   Claude
>
>
>
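A triage helper for the sudo error discussed in this message, added here as an example (not code from the thread or from Tomcat): it checks the two causes sudo's message names (missing setuid-root bit, `nosuid` mount) plus the kernel `no_new_privs` flag that systemd's `NoNewPrivileges=true` sets on the service, which makes execve ignore setuid bits. The sample status and mount text, including uid 113, are constructed.

```python
import os
import stat

def no_new_privs(status_text):
    """True if /proc/<pid>/status text reports NoNewPrivs: 1."""
    for line in status_text.splitlines():
        if line.startswith("NoNewPrivs:"):
            return line.split(":", 1)[1].strip() == "1"
    return False  # older kernels do not export the field

def mount_options(mounts_text, path):
    """Options of the deepest mount point in /proc/mounts text that holds path."""
    best, opts = "", []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mnt = fields[1]
        holds = mnt == "/" or path == mnt or path.startswith(mnt.rstrip("/") + "/")
        if holds and len(mnt) >= len(best):
            best, opts = mnt, fields[3].split(",")
    return opts

def setuid_blockers(status_text, mounts_text, path, st_mode, st_uid):
    """List every reason a setuid-root binary at path would run without euid 0."""
    reasons = []
    if not (st_mode & stat.S_ISUID) or st_uid != 0:
        reasons.append("binary is not setuid root")
    if "nosuid" in mount_options(mounts_text, path):
        reasons.append("filesystem is mounted nosuid")
    if no_new_privs(status_text):
        reasons.append("calling process has no_new_privs set")
    return reasons

# Constructed sample input: a service process started with NoNewPrivileges=true.
SAMPLE_STATUS = "Name:\tjava\nUid:\t113\t113\t113\t113\nNoNewPrivs:\t1\n"
SAMPLE_MOUNTS = "/dev/sda1 / ext4 rw,relatime 0 0\ntmpfs /tmp tmpfs rw,nosuid,nodev 0 0\n"

if __name__ == "__main__":
    print(setuid_blockers(SAMPLE_STATUS, SAMPLE_MOUNTS, "/usr/bin/sudo", 0o104755, 0))
    # Live check (Linux): pass the PID of the Tomcat JVM instead of "self".
    pid, sudo = "self", "/usr/bin/sudo"
    if os.path.exists(f"/proc/{pid}/status") and os.path.exists(sudo):
        st = os.stat(sudo)
        with open(f"/proc/{pid}/status") as s, open("/proc/mounts") as m:
            print(setuid_blockers(s.read(), m.read(), sudo, st.st_mode, st.st_uid))
```
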

Re: Running sudo from a servlet

Christopher Schultz-2

Claude,

On 5/21/19 14:20, Claude Brisson wrote:

> (responding to myself)
>
> The culprit is the option
>
> NoNewPrivileges=true
>
> in the file
> /etc/systemd/system/multi-user.target.wants/tomcat8.service
>
> When changed to false, one must also call 'systemctl daemon-reload'
> and after a tomcat restart, the problem is solved.

I'd seriously consider whether or not you want to actually do this.

It might be better to write a tiny daemon which has elevated
privileges to perform whatever operation you want and have your web
application ping it to do some work, rather than making the whole
Tomcat process able to elevate its privileges.

At least lock-down the sudo command so that only that exact necessary
command is possible.

-chris


Re: Running sudo from a servlet

Olaf Kock

On 22.05.19 18:31, Christopher Schultz wrote:

> Claude,
>
> On 5/21/19 14:20, Claude Brisson wrote:
> > (responding to myself)
>
> > The culprit is the option
>
> > NoNewPrivileges=true
>
> > in the file
> > /etc/systemd/system/multi-user.target.wants/tomcat8.service
>
> > When changed to false, one must also call 'systemctl daemon-reload'
> > and after a tomcat restart, the problem is solved.
>
> I'd seriously consider whether or not you want to actually do this.
>
> It might be better to write a tiny daemon which has elevated
> privileges to perform whatever operation you want and have your web
> application ping it to do some work, rather than making the whole
> Tomcat process able to elevate its privileges.


Seconding this. Running a web-facing daemon with the option of executing
system commands as root is a recipe for disaster. Don't even think of
going there.

There might be rare occasions where there's a good reason for this
architecture, but the keyword here is "rare". It'll need a *very* good
reason. And "how do I enable sudo?" isn't one.

You have been warned, and so has everyone else finding this thread in
future with the intent of making the same architectural decision.

On stackoverflow, this is called the x-y problem
(https://meta.stackexchange.com/questions/66377/what-is-the-xy-problem).
I'd recommend reading a few of those answers and reconsider the
question, to come up with the X instead of the Y.


Olaf





Re: Running sudo from a servlet

Claude Brisson
You are right about your security concerns. I feel obliged to state that
my use-case is perfectly valid and secure, the tomcat instance runs in a
VPN and the sudoers file is properly configured to only allow access to
a single user and a single command.

Anyhow it's the kind of area where you better know what you're doing.

   Claude


On 23/05/2019 11:55, Olaf Kock wrote:

>
>> I'd seriously consider whether or not you want to actually do this.
>>
>> It might be better to write a tiny daemon which has elevated
>> privileges to perform whatever operation you want and have your web
>> application ping it to do some work, rather than making the whole
>> Tomcat process able to elevate its privileges.
>
> Seconding this. Running a web-facing daemon with the option of executing
> system commands as root is a recipe for disaster. Don't even think of
> going there.
>
> There might be rare occasions where there's a good reason for this
> architecture, but the keyword here is "rare". It'll need a *very* good
> reason. And "how do I enable sudo?" isn't one.
>
> You have been warned, and so has everyone else finding this thread in
> future with the intent of making the same architectural decision.
>
> On stackoverflow, this is called the x-y problem
> (https://meta.stackexchange.com/questions/66377/what-is-the-xy-problem).
> I'd recommend reading a few of those answers and reconsider the
> question, to come up with the X instead of the Y.
>
>
> Olaf
>
>
>
>

Re: Running sudo from a servlet

George S.
In reply to this post by Claude Brisson
A better way to do this would be to set up something like xinetd
listening on a socket and use a connection to the socket to trigger the
execution. You can write a configuration/parameters file in a location.

Just a point: when you use runtime.exec on Linux, it does a fork of the
process. That DOUBLES your process space memory. IOW, if tomcat's
running with 4GB of memory, when you do a runtime.exec, that's going to
double your memory usage to 8GB while the process runs. If you're not
planning for this, it can be a nasty shock.


--
George S.
*MH Software, Inc.*
Voice: 303 438 9585
http://www.mhsoftware.com
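
The "tiny daemon" suggested earlier in the thread and the socket-triggered execution described in this message, sketched as an added example (not code from any poster or from Tomcat): a root-owned helper on a Unix socket that verifies the caller's UID and runs only fixed commands, so the Tomcat unit can keep `NoNewPrivileges=true`. The socket path, the UID 113 and the `reload-example` operation are hypothetical.

```python
import os
import socket
import struct
import subprocess

SOCKET_PATH = "/run/webapp-helper.sock"  # hypothetical path
ALLOWED_UID = 113                        # hypothetical uid of the tomcat8 account
# Operation name -> fixed argv. Clients pick a name; they never supply arguments.
OPERATIONS = {"reload-example": ["/usr/bin/systemctl", "reload", "example.service"]}

def authorize(peer_uid, request):
    """Return the fixed argv for an allowed request, or None to refuse it."""
    if peer_uid != ALLOWED_UID:
        return None
    return OPERATIONS.get(request.strip())

def peer_uid(conn):
    """UID of the connecting process as reported by the kernel (Linux SO_PEERCRED)."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", raw)
    return uid

def serve():
    if os.path.exists(SOCKET_PATH):
        os.unlink(SOCKET_PATH)
    os.umask(0o177)                         # socket is created with mode 0600
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(SOCKET_PATH)
    os.chown(SOCKET_PATH, ALLOWED_UID, -1)  # only the web app account may connect
    srv.listen(1)
    while True:
        conn, _ = srv.accept()
        with conn:
            try:
                conn.settimeout(5)
                request = conn.recv(64).decode("ascii", "replace")
                argv = authorize(peer_uid(conn), request)
                if argv is None:
                    conn.sendall(b"DENIED\n")
                    continue
                rc = subprocess.run(argv, timeout=30).returncode  # no shell involved
                conn.sendall(b"OK\n" if rc == 0 else b"FAILED\n")
            except (OSError, subprocess.TimeoutExpired):
                pass                        # drop the connection, keep serving

if __name__ == "__main__":
    serve()  # run as root from its own unit; Tomcat keeps NoNewPrivileges=true
```
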
Re: [OT] Running sudo from a servlet

Christopher Schultz-2

George,

On 5/25/19 12:44, George S. wrote:

> A better way to do this would be to set up something like xinetd
> listening on a socket and use a connection to the socket to trigger
> the execution. You can write a configuration/parameters file in a
> location.
>
> Just a point: when you use runtime.exec on Linux, it does a fork of
> the process. That DOUBLES your process space memory. IOW, if
> tomcat's running with 4GB of memory, when you do a runtime.exec,
> that's going to double your memory usage to 8GB while the process
> runs. If you're not planning for this, it can be a nasty shock.

On most modern OSs, this does not actually happen. The kernel performs
a process-clone during the fork() but shares the memory between the
two processes. An immediate exec() in the child process discards
almost the entire process memory and so no real work is actually done.

This optimization was done long ago since nearly every fork() call is
immediately followed by exec() and so actually duplicating the whole
process's memory is a waste. The OS usually implements copy-on-write
(CoW) process-memory semantics such that child processes that actually
do not call exec() can benefit from that same optimization and not
interfere with the parent process. Of course, this reduces main-memory
usage as well in those cases.

So I'll bet if you profile a Runtime.exec() call, you'll find that the
OS does not actually allocate and duplicate a multi-gigabyte heap into
a child process which ends up executing a "ping" command or whatever.

-chris
