I am writing a program in java for an embedded linux platform. One of the OS features I need has to run as root to get access. The platform I am using is the BeagleBone Black and I want to control the Gpio pins using a memory map. I have access to the memory map and can switch the pins on and off at a very fast rate. The problem is, I don't want my program to have to run as super user, at least it doesn't seem right to implement it that way.
Is there a standard technology in linux that will run as root and let a user program make calls to it?
I know there must be, I just don't know what it is. Any help would be appreciated.
What you want to do is to drop privileges. Instead of having any process running as root for the duration, this allows a process to start as root, open resources, and then change to a different, unprivileged user. You'll still need to start the program as root, which can be done with a setuid script so that you don't need the user to be root already to run it. (This is done with other programs, like sudo.)
You can open the file as root, and then change the uid of the program to an unprivileged user (presumably the user that started the program). Take a look at this answer to see how to drop privileges in Java using JNI, and this answer for more information about a robust way to drop privileges in general.
Related
I have a Java application that lives in the system tray that I compile to a executable jar file. I would like to add the option within my program to add to the system startup items.
As I do not know of any uniform way to do this for all operating systems I assumed I would have to write code to do it for each one I intend to support so I started with Windows.
When I attempted to add it to the registry at [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] using the code available here I discovered that under Windows 7 and 8 unless I have administrator privileges (by running from an elevated command prompt) my edits to the registry do not apply.
Then I spent a day trying to figure out how to get the Jar to relaunch itself with admin privileges before I gave up on that hacky workaround.
Can the task I'm trying to achieve even be accomplished and if so how?
For the most part, you're actually looking to add the feature of auto starting on user login, rather than on system startup. For windows, if you add the registry entry under:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
This location does not suffer from permissions issues when run as an ordinary user, and has been supported for a long time under Windows (I'm thinking Windows 95 time frame here), so should be a safe change across all systems.
For Linux, assuming that the operating system is following the Open Desktop AutoStart specification, then you need to create the appropriate .desktop file in $HOME/.config/autostart/ and it should autostart on login in that case.
For Mac OS X, you need to create a launch agent plist in $HOME/Library/LaunchAgents. The Daemons and services documentation details how to construct this file.
Working around user privileges is not a good idea. The registry entry is the preferred way to go. Also keep in mind that the jar by itself is not executable, it requires the jvm, so what you might want to do is use a wrapper and register that.
Due to a suite of antivirus and security policies, a java applet I developed for my organization loads very slowly. The problem is not the cache or the applet, but rather it's JVM. When Windows first loads, if I go to command window and enter "java", it will take nearly a minute for the response (the command usage text) to come up. Subsequent commands are responded immediately.
So, one mitigation I can think of is to set all users to run java once as they login. I can either put a shortcut to Start Up folder in the start menu, or create a registry key. If I want this to be as least intrusive as possible (load it in background and in low priority), what's the best way to do this?
Did you consider Windows Task Scheduler and task that starts on windows start-up?
You can add the call to java to the registry, under
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
http://msdn.microsoft.com/en-us/library/aa376977(v=vs.85).aspx
But what about not using java?
I would like to know, is there out there any library, any, that can make it possible that when i run processes that require the administrator in windows, that window called UAC (User Access Control) pops up.
For example, i want to install my java application in a computer that will be used by multiple users, this program needs to store settings using the Java Preferences API inside windows registry, I can access individual prefs, but i cannot access system prefs from any user account.
Please and please, do not tell me to change the user from standard to administrator, let us just say i am to there where the computer client is and the user knows nothing about changing their account, the system will require elevation per user. Please help and thank you in advance. And if u do not know any library, please don't say it is not possible.
Windows does not let "parts" of an application run as an administrator. Either the entire process runs as an administrator, or the entire process runs as a standard user.
If your standard-rights users need to be able to access something, which by default only Administrators can access, then you have two choices:
1. During install, change permissions on these system-wide settings, so that all users can access them.
You've said that all users should be allowed to modify these Java settings. So you should modify permissions controlling access to these application settings so that all users can modify them. I don't know where Java stores things, but i assume it is in a file somewhere.
2. Create a button to temporarily allow users to modify these settings.
You say that all users should be allowed to modify these machine-wide settings. But i assume you're nervous about actually allowing that. In which case you actually don't want all users to modify these machine-wide settings. That is why you can have your application function most of the time as normal.
But when it comes time to do something that requires administrative access, you can use the Windows function ShellExecuteEx to launch a copy of your application as an administrator by using the runas verb, and passing a command line parameter indicating that the program should jump right to modifying the admin-only stuff:
ShellExecute(0, "MyApp.exe", "runas", "/configureMachineWideStuff")
Then during application startup look for the /configureMachineWideStuff command line switch, and bring the user straight to the spot where they can alter the admin-only stuff.
You can even get fancy, and detect if the user is an administrator or not. And if not, use the Windows API to programatically add the UAC shield icon to your configure button:
SendMessage(button.Handle, BCM_SETSHIELD, 0, 1);
But to answer your question
No, there is no library. What you are asking to do is not possible on any computer running any operating system.
But i strongly urge you to think:
What do you do on Windows XP?
What do you do when the user is a standard user running on Windows XP? What do you want if the UAC is disabled on Windows Vista/7/8/8.1? Is the user simply stuck; unable to run your application? Does it crash horribly when it cannot read the machine-wide values? Who alters the values then?
The UAC is a convenience feature; it's only there to make your user's lives easier. The alternative is that the user must logoff and login as an Administrator.
And since you've said that the only are a standard user, then they don't know the credentials of any administrator.
So you're back to using Option #1: Alter NTFS permissions, or registry permissions, during application install. If Users need Full Control, then give Users the Full Control privileges.
I want to install a monitoring system on a computer (the program is a jar file) and run it on start up every time any user logs on. However, I don't want the user to be able to terminate it since then it won't be able to be monitored any longer.
We have tried several ways:
Installing it as a service - the problem here is that our program doesn't work any longer; it can't connect to the computer that's monitoring it. We used "Yet Another Java Service Wrapper" for this, and looked into some other wrappers as well that could help us install it as a service.
Running the program on start up (using the folder startup), but not giving the basic user the privileges to edit/delete/mess around with the files. However, this seems to slow the whole computer down? This doesn't happen when we run the bat file executing the jar directly. Another issue with this is that the user can just go to the task manager and kill the java process.
We tried a variation of the previous one to solve the issue of the process being killed, by having another process. One will spawn the other and these 2 processes will keep tabs on each other. If one terminates, the other detects it and runs it to start it up again. Although it can have issues if the user is fast enough in killing both processes before either is respawned again, the bigger issue is that it sometimes has problems with connecting to other computers. We didn't have this problem when it was just 1 jar.
Does anyone have any idea on how these problems can be solved?
The context here is windows, but if you have suggestions for linux and mac that would be nice too!
Way to go is to run the program as a service. You should investigate any trouble between your application and your system's firewall. If you have windows firewall activated, you should add an exception for java.exe or javaw.exe.
In order to give elevated privileges to your program, you can set the service to run as another user. You can do this from the "Log on" tab in the service properties.
You'll want to have the program started under a user with elevated permissions. On WIndows this would the the Administrator, linux would use root. On Windows, its likely that you will need to start it as a service. But I really don't know why that would hinder the network communications.
Is it possible to ask for elevated permissions from within a Java Application? Suggestions I've seen seem to all be centered around running an external executable or setting up a manifest to request privileges on launch. These aren't available to, for instance, applets. Is there any way to request elevation from a running application?
UAC is not something that a running process can request (doesn't matter what language you are running in). You have to request elevation at launch time.
The way that most windows apps handle this (and make it look like they are requesting elevation) is to spawn an extra copy of themselves, requesting elevation, and passing sufficient command line arguments to the new process so that the appropriate dialog can be displayed.
This is why UAC elevation in a dialog is always initiated by a button click that opens a new dialog.
So, in the Java world, you just have to do exactly what everyone else has to do: launch your app again, requesting elevation. There are several ways to launch elevated, the 'run as' verb probably being the easiest.
Looks like Sun will have to handle that kind of situation in the JRE since there's no other way of doing elevated actions than by running an external process.
If JRE supported it, JVM would probably have to run a separate, elevated process for the java code requesting the elevation.
For now however, only the manifest or running an external application are the only solutions available as far as I know.
The question is, what do you need elevation for?
You have to use an external (native) application to do this. This post provides source code and a great explanation:
UAC Prompt From Java
You could use jna and do a ShellExec. For lpOperation use "runas" (this is not documented). Since you likely need the full path to the (current) JavaVM which is stored in the registrylook at registry access, part of JNA.
Goto the folder where java is installed.
open the properties of javaw.exe / java.exe and set "run as administator" option true.