Claude,

On 5/21/19 14:20, Claude Brisson wrote:
> (responding to myself)
> 
> The culprit is the option
> 
> NoNewPrivileges=true
> 
> in the file
> /etc/systemd/system/multi-user.target.wants/tomcat8.service
> 
> When changed to false, one must also call 'systemctl daemon-reload'
> and after a tomcat restart, the problem is solved.

I'd seriously consider whether or not you want to actually do this.

It might be better to write a tiny daemon which has elevated
privileges to perform whatever operation you want and have your web
application ping it to do some work, rather than making the whole
Tomcat process able to elevate its privileges.

At least lock down the sudo command so that only that exact necessary
command is possible.

- -chris
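The thread's root cause (NoNewPrivileges=true, which sets the kernel's no_new_privs bit on the Tomcat process, so sudo's setuid bit is ignored) can be verified directly rather than by experiment. The following POSIX shell script is an added example and is not code from the thread or from the Tomcat project; it assumes Linux with systemd, a kernel that exposes the NoNewPrivs field in /proc/<pid>/status (4.10 or later), and uses the service name tomcat8 from the thread. The sample status text is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks whether a process carries the
# no_new_privs bit that systemd's NoNewPrivileges=true sets; with that bit set,
# execve() of a setuid binary such as /usr/bin/sudo does not gain privileges,
# which is exactly the "effective uid is not 0" failure quoted in the thread.

# Read a /proc/<pid>/status body from stdin and print the NoNewPrivs value
# (0 or 1), or "unknown" on kernels older than 4.10 that do not report it.
nnp_from_status() {
    awk '/^NoNewPrivs:/ { print $2; found = 1 }
         END { if (!found) print "unknown" }'
}

# Live check of a systemd service (Linux + systemd required): prints the unit's
# NoNewPrivileges= setting and the bit actually present on the main process.
# The default service name "tomcat8" is the one from the thread.
nnp_of_service() {
    unit="${1:-tomcat8}"
    setting=$(systemctl show -p NoNewPrivileges --value "$unit") || return 1
    pid=$(systemctl show -p MainPID --value "$unit") || return 1
    [ "$pid" -gt 0 ] 2>/dev/null || { echo "$unit: no main process" >&2; return 1; }
    echo "unit NoNewPrivileges=$setting"
    echo "process $pid NoNewPrivs=$(nnp_from_status < "/proc/$pid/status")"
}

# Constructed sample of the relevant /proc/<pid>/status fields for a Tomcat
# JVM started under NoNewPrivileges=true (uid and other values illustrative).
SAMPLE_STATUS='Name:   java
Uid:    114     114     114     114
NoNewPrivs:     1
Seccomp:        0'

if [ "${1:-}" = "--live" ]; then
    nnp_of_service "${2:-tomcat8}"
else
    printf '%s\n' "$SAMPLE_STATUS" | nnp_from_status   # prints 1 for the sample
fi
```

Run it as `sh nnp-check.sh --live tomcat8` on the affected host to see both the unit setting and the bit on the running JVM; a value of 1 on the process confirms that no setuid helper, sudo included, will ever elevate from inside Tomcat. If the setting is relaxed anyway, change it through a drop-in (`systemctl edit tomcat8`) rather than by editing the file under multi-user.target.wants, which is the package's unit and is replaced on upgrade, and pair it with a sudoers rule that names one exact command with its arguments for the tomcat8 user, checked with `visudo -cf` before installing it.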

> On 21/05/2019 19:52, Claude Brisson wrote:
>> Hi all.
>> 
>> I use tomcat 8.5.39 and java oracle 1.8.0_191 on linux (ubuntu
>> 19.04). Tomcat was installed by apt-get and runs as a service.
>> 
>> If I open a shell as the tomcat8 user, I can launch a Java
>> program which successfully executes a sudo command in a
>> sub-process.
>> 
>> But from a Java servlet, the code fails with this error from the
>> sudo executable:
>> 
>> sudo: effective uid is not 0, is /usr/bin/sudo on a file system 
>> with the 'nosuid' option set or an NFS file system without root 
>> privileges?
>> 
>> which means that somehow, the tomcat process was unable or
>> unwilling to honor the setuid flag of the sudo command.
>> 
>> Is it a special security measure?
>> 
>> If yes, is it set in Tomcat? In the JVM? In Ubuntu's tomcat8
>> service packaging? In systemd config?
>> 
>> And is there any configuration option to relax it?
>> 
>> Thanks,
>> 
>> Claude
>> 
>> 
>> 
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>> 
> 