You are right about your security concerns. I feel obliged to state that my use-case is perfectly valid and secure: the Tomcat instance runs in a VPN and the sudoers file is properly configured to only allow access to a single user and a single command.

Anyhow it's the kind of area where you better know what you're doing.

  Claude


On 23/05/2019 11:55, Olaf Kock wrote:

I'd seriously consider whether or not you want to actually do this.

It might be better to write a tiny daemon which has elevated
privileges to perform whatever operation you want and have your web
application ping it to do some work, rather than making the whole
Tomcat process able to elevate its privileges.

Seconding this. Running a web-facing daemon with the option of executing
system commands as root is a recipe for disaster. Don't even think of
going there.

There might be rare occasions where there's a good reason for this
architecture, but the keyword here is "rare". It'll need a *very* good
reason. And "how do I enable sudo?" isn't one.

You have been warned, and so has everyone else finding this thread in
future with the intent of making the same architectural decision.

On Stack Overflow, this is called the x-y problem
(https://meta.stackexchange.com/questions/66377/what-is-the-xy-problem).
I'd recommend reading a few of those answers and reconsider the
question, to come up with the X instead of the Y.


Olaf




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
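
The "tiny daemon" alternative suggested in the quoted message, as an added example (not code from this thread or from Tomcat): a root-owned helper listening on a Unix socket that accepts only an operation name, checks the caller's uid with SO_PEERCRED, and runs a fixed argv without a shell. The operation name, the logrotate target, the uid 998 and the socket path are assumptions made for illustration.

```python
import os
import socket
import struct
import subprocess

# Constructed operation table: the client sends a name only, never a path or argument.
ALLOWED_OPS = {"rotate-logs": ["/usr/sbin/logrotate", "/etc/logrotate.d/myapp"]}
ALLOWED_UID = 998  # assumed uid of the unprivileged Tomcat account


def handle_request(raw, peer_uid, run=subprocess.run):
    """Authorize and execute one request; returns the reply line as bytes."""
    if peer_uid != ALLOWED_UID:
        return b"DENY peer\n"
    # Undecodable bytes become U+FFFD, which matches no table entry.
    op = raw.decode("ascii", "replace").strip()
    argv = ALLOWED_OPS.get(op)
    if argv is None:
        return b"DENY unknown-op\n"
    try:
        # Fixed argv, no shell, minimal environment, bounded run time.
        result = run(argv, shell=False, env={"PATH": "/usr/sbin:/usr/bin"}, timeout=30)
    except (OSError, subprocess.TimeoutExpired):
        return b"ERR exec\n"
    return b"OK\n" if result.returncode == 0 else b"ERR exit\n"


def peer_uid_of(conn):
    """Kernel-reported uid of the connecting process (Linux SO_PEERCRED)."""
    creds = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    return struct.unpack("3i", creds)[1]  # struct ucred is (pid, uid, gid)


def serve(path="/run/myapp-helper.sock"):
    """Entry point for the privileged helper; path is a hypothetical socket location."""
    if os.path.exists(path):
        os.unlink(path)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(path, 0o660)  # socket group is set out of band to the Tomcat group
    srv.listen(1)
    while True:
        conn, _ = srv.accept()
        with conn:
            try:
                conn.settimeout(5)
                conn.sendall(handle_request(conn.recv(64), peer_uid_of(conn)))
            except OSError:
                pass  # a misbehaving client must not take the helper down
```

With this split the web application holds no sudo rights at all; a compromise of the Tomcat process can request only the named operations in the table.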


