George,

On 5/25/19 12:44, George S. wrote:
> A better way to do this would be to set up something like xinetd
> listening on a socket and use a connection to the socket to trigger
> the execution. You can write a configuration/parameters file in a
> location.
>
> Just a point: when you use runtime.exec on Linux, it does a fork of
> the process. That DOUBLES your process space memory. IOW, if
> tomcat's running with 4GB of memory, when you do a runtime.exec,
> that's going to double your memory usage to 8GB while the process
> runs. If you're not planning for this, it can be a nasty shock.

On most modern OSs, this does not actually happen. The kernel performs a process-clone during the fork() but shares the memory between the two processes. An immediate exec() in the child process discards almost the entire process memory and so no real work is actually done. This optimization was done long ago since nearly every fork() call is immediately followed by exec() and so actually duplicating the whole process's memory is a waste.

The OS usually implements copy-on-write (CoW) process-memory semantics such that child processes that actually do not call exec() can benefit from that same optimization and not interfere with the parent process. Of course, this reduces main-memory usage as well in those cases.

So I'll bet if you profile a Runtime.exec() call, you'll find that the OS does not actually allocate and duplicate a multi-gigabyte heap into a child process which ends up executing a "ping" command or whatever.

-chris

> On 5/21/2019 11:52 AM, Claude Brisson wrote:
>> Hi all.
>>
>> I use tomcat 8.5.39 and java oracle 1.8.0_191 on linux (ubuntu
>> 19.04). Tomcat was installed by apt-get and runs as a service.
>>
>> If I open a shell as the tomcat8 user, I can launch a Java
>> program which successfully executes a sudo command in a
>> sub-process.
>>
>> But from a Java servlet, the code fails with this error from the
>> sudo executable:
>>
>> sudo: effective uid is not 0, is /usr/bin/sudo on a file system
>> with the 'nosuid' option set or an NFS file system without root
>> privileges?
>>
>> which means that somehow, the tomcat process was unable or
>> unwilling to honor the setuid flag of the sudo command.
>>
>> Is it a special security measure?
>>
>> If yes, is it set in tomcat? in the JVM? In Ubuntu's tomcat8
>> service packaging? In systemd config?
>>
>> And is there any configuration option to relax it?
>>
>> Thanks,
>>
>> Claude
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
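
The sudo error quoted in this thread points at a `nosuid` mount. The diagnostic below is an added example, not code from any poster or from Tomcat: it checks that condition and also the kernel's `no_new_privs` flag, which likewise makes `execve()` ignore setuid bits. Checking `no_new_privs` is an assumption about what to rule out, not something the thread establishes, and the sample inputs and the `TARGET_PID` variable are constructed for illustration.

```python
import os

# Constructed samples (not from the thread), in the formats of
# /proc/<pid>/status and /proc/<pid>/mountinfo.
SAMPLE_STATUS = "Name:\tjava\nUid:\t112\t112\t112\t112\nNoNewPrivs:\t1\n"
SAMPLE_MOUNTINFO = (
    "25 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw\n"
    "90 25 8:2 / /usr rw,nosuid,relatime shared:40 - ext4 /dev/sda2 rw\n"
)

def no_new_privs(status_text):
    """True if no_new_privs is set, so exec ignores setuid bits."""
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key == "NoNewPrivs":
            return value.strip() == "1"
    return False  # field absent (kernels before 4.10)

def mount_for(path, mountinfo_text):
    """Return (mount_point, options) for the deepest mount containing path."""
    best = ("", set())
    for line in mountinfo_text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        mount_point, options = fields[4], set(fields[5].split(","))
        prefix = mount_point.rstrip("/") + "/"
        inside = path == mount_point or path.startswith(prefix)
        if inside and len(mount_point) >= len(best[0]):  # later mounts shadow earlier
            best = (mount_point, options)
    return best

def setuid_blockers(path, status_text, mountinfo_text):
    """List the reasons a setuid binary at path would run unprivileged."""
    reasons = []
    if no_new_privs(status_text):
        reasons.append("no_new_privs")
    mount_point, options = mount_for(path, mountinfo_text)
    if "nosuid" in options:
        reasons.append("nosuid:" + mount_point)
    return reasons

if __name__ == "__main__":
    # TARGET_PID is a hypothetical variable: set it to the Tomcat JVM's pid.
    pid = os.environ.get("TARGET_PID", "self")
    with open(f"/proc/{pid}/status") as s, open(f"/proc/{pid}/mountinfo") as m:
        print(setuid_blockers("/usr/bin/sudo", s.read(), m.read()) or "no blocker found")
```

Reading the target process's own `mountinfo` matters because a service can run in a private mount namespace whose mount options differ from those seen in an interactive shell.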