Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 2 years ago.
Improve this question
Suppose I have to run a java, c++, or python3.8 program on my machine, but I don't want these programs to access my system information, run os commands, or perform any malicious activity. Is there a way to do this for each of the aforementioned languages?
Java theoretically has a solution for this: The 'SecurityManager'. You can set one up within your java code (you can tell the system: Here is some code; load it as the manager please).
A securitymanager gets called before certain things happen and can deny the operation. It's mostly anything that feels security sensitive:
Quitting the VM
Opening any file
Opening any network connection
Setting the security manager
accessing clipboards
Printing things
Can influence certain aspects of thread loading
You'd tell java to run some class file that you wrote, that class file sets up a security manager, and will then run the application you want to restrict.
Note that you can't really restrict how much memory and/or CPU it uses with a SecurityManager, which can be quite an issue by itself.
The problem is, the primary use case for this mechanism is to run applets, and applets are long dead. Thus, it's a feature that few people in the java ecosystem are currently using, and little-used blacklist-style mechanisms are usually riddled with holes.
I'd strongly suggest you set up a virtual machine for this purpose. There are leaks in hypervisor based restrictions too, but 'host things in a VM and ensure it cant do things to the underlying machine' is a lot more common.
Related
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 2 years ago.
Improve this question
As described in the title, the functions in the dynamic library need root permission to perform some system calls. If I use JNA, I don't know how to achieve this requirement.
Or is it a bad requirement?
Maybe I didn't provide more detailed code, but I'm sure it's a valuable question for me...
Is there any available method for me to call a dynamic library that requires root permission through JNA?
No there isn't. In UNIX / Linux, the only point when application permissions can be elevated is when using exec to execute a new process AND the executable has the "set uid" bit set in its file permissions.
This presents particular problems for Java. It is totally unsafe to make the java executable a "set uid root" program. The standard java executable is designed run any Java class supplied via the command arguments. You can't restrict it to only running certain classes that are known to be safe to run as root.
In short, if your Java application needs root access to do something (in Java code or in a native code library), then it needs to have been started by the root user.
Or is it a bad requirement?
It is an unimplementable requirement.
Nothing about JNA will give your Java applications permissions it doesn't already have. If you need elevated permissions to execute a library function, you'll need to give those permissions to your Java program, usually by running it as a privileged user.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 3 years ago.
Improve this question
I have a working java app and now I would like to extend it to be controlled over ssh. Let's say I have a swing button that increases a counter. I would like to be able to ssh in that computer and say something $: myapp increase and have the button's action listener executed.
Maybe I'm using the wrong keywords but I could not find a solution. The 'kinda' solution I could think of is using signals but I'm not even sure if they can be used as I am used to from C and if that can be done without knowing the actual process ID.
Any material that can get me started would be welcome.
signals are hard to read from java, because there is a lot of difference between OSes on how to do those (some don't even have the concept), and java is designed to expose anything that can be generalized across all OSes java runs on, and to not expose anything that might not be there.
The usual way to do it, is via TCP/IP (so, java.net.Socket), or HTTP (so, jetty or some such).
Note that webapps can trivially be accessed remotely and can be scripted fairly easily. You could also consider building a command line / terminal based app, for example with lanterna which you can shove into a terminal session keeper / eternal SSH kinda deal.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 3 years ago.
Improve this question
I want to mutate a function of a class that is loaded at runtime (it has a bug in it but the project is long gone so i cannot build the binary). What i want to do instead is write a piece of code which will run during the application initialization phase and mutate this function so that it works fine. And simply keep that code around until the replacement is ready.
Having no experience with bytecode modification what library could i use to modify and reload a class at runtime? Specifically i need to replace a throw instruction with a noop instruction (i did this once using hex editor but lost the binary).
Also if you know any tutorial on how to do something like that please share.
I can see many libraries for doing this but i cant know which ones are good/bad do the job...
I think use Java Attach API. Java Attach API is procedure of loading a Java agent into an already running JVM. you can understand the work of javaagents by reading the Java Instrument javadoc. AgentMain help to you.
Agentmain is invoked when an agent is started after the application is already running. Agents started with agentmain can be attached programatically using the Sun tools API (for Sun/Oracle JVMs only -- the method for introducing dynamic agents is implementation-dependent).
This tutorial is useful about java instrumentation.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 6 years ago.
Improve this question
I have developed apps using Swift as an Agent. It was a simple application that sat in the menubar without any icon on the dock. I would like to create one using Java for some accessibility reasons and I stumbled upon something called a Javaagent.
I couldn't tell if that was what I was looking for and don't want to dive in if its not. If its not, was am I looking for? How do I make an application that doesn't have java popup and just runs on the menubar?
I have looked on many different sites on how to make one but none explaining what it actually is:
example of how to create java instrumentation agent.
Tutorials about javaagents
A java agent is a basically a specialized "component" that you can load into a JVM that runs your "core application". The agent then provides certain "add-on" functionality; functionality that has nothing to do with what your "core application" is doing.
An example would be JRebel. That is a commercial product which comes Java agent; it is loaded into the JVM when starting up your application server. JRebel then allows you later on "hot swap" java classes. Meaning: the JRebel agent knows nothing about the purpose of the code that you are running within your application server; it only exists to change the bytecode of your classes while the JVM is still running.
Long story short: java agents are for INSTRUMENTATION; they have nothing to do with UI applications or accessibility. Thus the answer is: no, java agents is not what you are looking for.
Instead you might turn to frameworks like Swing, JavaFx or Eclipse RTP; which help you creating GUI applications.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 9 years ago.
Improve this question
Twitter has open sourced their Mysql source code.
This blog post http://engineering.twitter.com/2012/04/mysql-at-twitter.html mentions the different changes.
I have used Mysql as developer executing queries but never had to dig deep into its source code. I tried going through the source code on github https://github.com/twitter/mysql but was overwhelmed.
So thought I would post here and get some help.
I would like to better understand how Twitter's changes has improved
Mysql over the Oracle's version.
If I were to make an apples to apples comaparison between Oracle's version and Twitter's version what are specific advantages disadvantages between the two.
There are many more questions that popped into my head.
I get that this is sort of an advanced DB topic, but I would love learn about it.
They describe the changes as including:
Add additional status variables, particularly from the internals of
InnoDB. This allows us to monitor our systems more effectively and
understand their behavior better when handling production workloads.
Optimize memory allocation on large NUMA systems: Allocate InnoDB's
buffer pool fully on startup, fail fast if memory is not available,
ensure performance over time even when server is under memory
pressure.
Reduce unnecessary work through improved server-side
statement timeout support. This allows the server to proactively
cancel queries that run longer than a millisecond-granularity timeout.
Export and restore InnoDB buffer pool in using a safe and lightweight
method. This enables us to build tools to support rolling restarts of
our services with minimal pain.
Optimize MySQL for SSD-based machines,
including page-flushing behavior and reduction in writes to disk to
improve lifespan.
These are things that are important for a Twitter-scale web site. If you are building something that has to scale to that size - yes, those changes would be helpful. But, if you are building something more like every other mildly-popular web site in the world, you probably don't need to be concerned with their changes. Most large web sites that run MySQL run it straight from the distribution.