1 //========================================================================
2 //Copyright 2004-2008 Mort Bay Consulting Pty. Ltd.
3 //------------------------------------------------------------------------
4 //Licensed under the Apache License, Version 2.0 (the "License");
5 //you may not use this file except in compliance with the License.
6 //You may obtain a copy of the License at
7 //http://www.apache.org/licenses/LICENSE-2.0
8 //Unless required by applicable law or agreed to in writing, software
9 //distributed under the License is distributed on an "AS IS" BASIS,
10 //WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
11 //See the License for the specific language governing permissions and
12 //limitations under the License.
13 //========================================================================
14
15 package org.mortbay.setuid;
16
17 import org.mortbay.jetty.Connector;
18 import org.mortbay.jetty.Server;
19 import org.mortbay.log.Log;
20
21 /**
22 * This extension of {@link Server} will make a JNI call to set the unix UID.
23 *
24 * This can be used to start the server as root so that privileged ports may
25 * be accessed and then switch to a non-root user for security.
26 * Depending on the value of {@link #setStartServerAsPrivileged(boolean)}, either the
27 * server will be started and then the UID set; or the {@link Server#getConnectors()} will be
28 * opened with a call to {@link Connector#open()}, the UID set and then the server is started.
29 * The later is the default and avoids any webapplication code being run as a privileged user,
30 * but will not work if the application code also needs to open privileged ports.
31 *
32 *<p>
33 * The configured umask is set before the server is started and the configured
34 * uid is set after the server is started.
35 * </p>
36 * @author gregw
37 *
38 */
39 public class SetUIDServer extends Server
40 {
41 private int _uid=0;
42 private int _gid=0;
43 private int _umask=0;
44 private boolean _startServerAsPrivileged;
45
46 public void setUsername(String username)
47 {
48 Passwd passwd = SetUID.getpwnam(username);
49 _uid = passwd.getPwUid();
50 }
51
52 public String getUsername()
53 {
54 Passwd passwd = SetUID.getpwuid(_uid);
55 return passwd.getPwName();
56 }
57
58 public void setGroupname(String groupname)
59 {
60 Group group = SetUID.getgrnam(groupname);
61 _gid = group.getGrGid();
62 }
63
64 public String getGroupname()
65 {
66 Group group = SetUID.getgrgid(_gid);
67 return group.getGrName();
68 }
69
70
71 public int getUmask ()
72 {
73 return _umask;
74 }
75
76 public void setUmask(int umask)
77 {
78 _umask=umask;
79 }
80
81 public int getUid()
82 {
83 return _uid;
84 }
85
86 public void setUid(int uid)
87 {
88 _uid=uid;
89 }
90
91 public void setGid(int gid)
92 {
93 _gid=gid;
94 }
95
96 public int getGid()
97 {
98 return _gid;
99 }
100
101 protected void doStart() throws Exception
102 {
103 if (_umask!=0)
104 {
105 Log.info("Setting umask=0"+Integer.toString(_umask,8));
106 SetUID.setumask(_umask);
107 }
108
109 if (_startServerAsPrivileged)
110 {
111 super.doStart();
112 if (_gid!=0)
113 {
114 Log.info("Setting GID="+_gid);
115 SetUID.setgid(_gid);
116 }
117 if (_uid!=0)
118 {
119 Log.info("Setting UID="+_uid);
120 SetUID.setuid(_uid);
121 }
122 }
123 else
124 {
125 Connector[] connectors = getConnectors();
126 for (int i=0;connectors!=null && i<connectors.length;i++)
127 connectors[i].open();
128 if (_gid!=0)
129 {
130 Log.info("Setting GID="+_gid);
131 SetUID.setgid(_gid);
132 }
133 if (_uid!=0)
134 {
135 Log.info("Setting UID="+_uid);
136 SetUID.setuid(_uid);
137 }
138 super.doStart();
139 }
140 }
141
142 /* ------------------------------------------------------------ */
143 /**
144 * @return the startServerAsPrivileged
145 */
146 public boolean isStartServerAsPrivileged()
147 {
148 return _startServerAsPrivileged;
149 }
150
151 /* ------------------------------------------------------------ */
152 /**
153 * @see {@link Connector#open()}
154 * @param startServerAsPrivileged if true, the server is started and then the process UID is switched. If false, the connectors are opened, the UID is switched and then the server is started.
155 */
156 public void setStartServerAsPrivileged(boolean startContextsAsPrivileged)
157 {
158 _startServerAsPrivileged=startContextsAsPrivileged;
159 }
160
161 }