[PJUG Javamail] ICMP Echo in Java
David H Elrod
dhelrod at rivendell.com
Sun Jun 7 12:07:13 EDT 2009
Vincent,

I recently wanted to run Tomcat as the "tomcat" user on Solaris,
but I wanted it to be able to open ports 80 and 443 (for normal HTTP
and HTTPS connections).

Solaris 10 (and maybe 9) have per-process privileges for a variety
of actions, including network access.

I wrote a wrapper program, in C, that:
1) started out setuid-root,
2) granted itself the Solaris privilege to do network stuff,
3) changed its uid/euid/saved-uid to the tomcat user,
4) exec'ed the JVM and tomcat.

The wrapper worked great!
Tomcat runs in a JVM that has permission to open "secure" ports
(those less than 1000) and perform other network related tasks.
However, the JVM did not have to get set to have this privilege.

I read that it was possible to set these permissions for scripts and
such using some configuration files, but I couldn't figure out how
to do that, so I wrote the wrapper program.

Maybe your Solaris-savvy sys-admin folks can give your JVM just
network access privileges, or you could write a simple wrapper
like I did.

David

> Dear All:
>
> I have written a Java program that performs various duties. One of
> them is to use InetAddress.isReachable() to
> ping remote IPs.
>
> We have a portion of our network that is very secure. When I tested my
> program, I had it run on a Linux box and a Solaris box. Both of them are
> *NOT* part of this secure network and the program works fine.
> When I placed the program under a Solaris box that is part of that
> very secure network, ALL IPs (even bogus ones) are reported to be
> up by that method. I then discovered that I lack some sort of
> permission (to some port on the network) to truly perform an ICMP echo.
> The Solaris ping program is setuid to root which fixes this problem.
> If I make the java executable setuid to root, all other java
> programs will have root privilege during runtime which will make a lot
> of people unhappy (e.g. sys admins). I have tried doing
> Runtime.exec() and called the local Solaris ping but the performance
> is very poor (which is understandable).
>
> Does anyone know what port(s) should be opened for this isReachable()
> to function properly? I can convince the sys admins to open up just
> those ports much easier than convincing them to setuid java to root.
> I am also open to other suggestions.
>
> Thanks in advance for any tips.
>
> --Vincent