Everyone,

>> The servlet application needs to do things like mkfs,
>> vgcfgrestore, vgchange,
>> mount and umount.

Eek. From a webapp?

> I'd use setuid scripts with very careful permissions:
>
> - Write some shell scripts, one per action, to do what you need;
>
> - Audit those scripts for possible security holes;

I agree. In fact, I might even go farther and suggest that you go with more of a batch-job-list configuration, where your webapp drops descriptions of the work to be done into a directory or a database or something. Then, have a cron job or something like that come along every so often and process the jobs.

Firing off new processes from Java can get ugly (even though it really shouldn't be), and if you are putting user input into your command-line, you're just asking for trouble. With batch-style processing, you generally treat everything as data and not as a command (as one might be tempted to do when firing off a process from within the JVM).

If you need to do stuff like mkfs, mount, etc. I assume that this is an /intranet/-style webapp -- meaning that your users are relatively trusted when compared to an open web site.

-chris
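The batch-job design described in this reply, as an added example that is not code from the thread: a worker meant to run from cron reads job files as data, maps each one onto an allow-listed argv template, and never invokes a shell. The action names, field patterns, spool layout and binary paths are assumptions.

```python
import json
import re
import subprocess
import tempfile
from pathlib import Path

NAME = r"[A-Za-z0-9_]{1,32}"  # assumed naming policy, adjust per host
FIELDS = {"vg": NAME, "device": f"/dev/{NAME}/{NAME}", "mountpoint": f"/srv/volumes/{NAME}"}
ACTIONS = {  # allow-list: action -> argv template (binary paths are assumptions)
    "mount": ["/bin/mount", "{device}", "{mountpoint}"],
    "umount": ["/bin/umount", "{mountpoint}"],
    "vgchange_activate": ["/sbin/vgchange", "-a", "y", "{vg}"],
}
SAMPLE_JOBS = {  # constructed job files, as the webapp would drop them in the spool
    "01.json": '{"action": "mount", "device": "/dev/vg0/data", "mountpoint": "/srv/volumes/data"}',
    "02.json": '{"action": "umount", "mountpoint": "/srv/volumes/x; reboot"}',
    "03.json": '{"action": "mkfs", "device": "/dev/vg0/data"}',
}

def build_argv(job):
    """Turn a job description (pure data) into an argv list, or raise ValueError."""
    action = job.get("action") if isinstance(job, dict) else None
    if not isinstance(action, str) or action not in ACTIONS:
        raise ValueError("unknown action")
    template = ACTIONS[action]
    needed = {t[1:-1] for t in template if t.startswith("{")}
    if set(job) - {"action"} != needed:
        raise ValueError("unexpected or missing fields")
    if not all(isinstance(job[f], str) and re.fullmatch(FIELDS[f], job[f]) for f in needed):
        raise ValueError("field value outside policy")
    return [job[t[1:-1]] if t.startswith("{") else t for t in template]

def process_spool(spool, run=lambda argv: subprocess.run(argv, check=True)):
    """Cron entry point: handle each *.json job once, in name order, without a shell."""
    results = {}
    for path in sorted(Path(spool).glob("*.json")):
        try:
            argv = build_argv(json.loads(path.read_text()))
            run(argv)
            results[path.name] = argv
        except (ValueError, OSError, subprocess.SubprocessError) as exc:
            results[path.name] = f"rejected: {exc}"
        path.unlink()
    return results

def demo():  # dry run over the constructed jobs; nothing is executed
    with tempfile.TemporaryDirectory() as spool:
        for name, text in SAMPLE_JOBS.items():
            (Path(spool) / name).write_text(text)
        return process_spool(spool, run=lambda argv: None)
```

The webapp side only needs write access to the spool directory; the worker is the single place where privileges and the allow-list live.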