Set the effective user ID of the Java process.
Jonathan Yu
jawnsy at cpan.org
Mon Sep 11 17:26:29 UTC 2017
On Mon, Sep 11, 2017 at 5:31 AM, Dmitrii Kashin <freehck at freehck.ru> wrote:
>
> I'd like to add to the conversation that this thread was started because
> of the argument here[1] (Russian).
>
> The main point of the argument was dropping privileges from root to some
> user after the program has performed all the needed actions (e.g. when it
> started listening on a port < 1024).
>
root isn't needed for binding service ports anymore; you can use setcap:
https://stackoverflow.com/a/414258
>
> We've found an example in commons-daemon code[2] of how to drop privileges
> on MS Windows systems. It seems a new Access Token is created for some
> unprivileged user, and then a new process is spawned with this token.
>
> I suppose it makes some sense to mention it here: it would be very
> useful to have a possibility to drop privileges to some user. Please
> consider it as a user request.
>
> [1] https://www.opennet.ru/opennews/art.shtml?num=47170#29
> [2] https://github.com/apache/commons-daemon/blob/6702852984689bc6507690113949b478dba157ef/src/native/windows/src/rprocess.c#L481
>
> bruno ais <brunoaiss at gmail.com> writes:
>
> > Any idea how it can be done on Windows?
> > Or better yet; is there a cross-platform thing or equivalence of that
> > feature?
> > If not, then that can easily be the reason.
> >
> > On Mon, Sep 11, 2017 at 9:29 AM, DoWhile ForEach <dowhileforeach at gmail.com> wrote:
> >
> >> Hello.
> >>
> >> Could someone please explain why the Java API has not yet implemented a
> >> method that allows you to set the effective user ID of the Java process.
> >>
> >> To accomplish this simple task, you have to make some workarounds.
> >> A striking example of such workarounds is the jsvc tool from the Apache
> >> commons-daemon project for Tomcat server:
> >> https://github.com/apache/commons-daemon/blob/6702852984689bc6507690113949b478dba157ef/src/native/unix/native/jsvc-unix.c#L163
> >>
>
--
Cheers,
Jonathan
More information about the core-libs-dev
mailing list