sudo: effective uid is not 0 when running under tomcat service - java

I have a small java web app (grails), deployed under tomcat 8, from which I would like to execute a script on the local server using sudo. On a regular debian/ubuntu server all I have to do is use visudo to allow the tomcat user to execute sudo without a password on that particular script, and everything works as expected. When I tried installing the same war file on the raspberry pi (model 3b+, raspbian 10 - buster), booting from an SD card, the execution of the script always fails with the error "sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges".
In an effort to track down this issue I have written another small executable jar that performs the same function (i.e. attempts to launch the script using sudo). This test program works as expected when logged in interactively (bash) as both the 'pi' and 'tomcat8' users (I had to set a shell for the tomcat8 user in order to get an interactive login). I then used strace to try and diagnose the issue. All I could glean from that is that getuid() is returning 111 (tomcat8) when trying to launch sudo when running under the tomcat8 service, but will return 0 when running in bash.
I have also written a small c program that simply calls getuid() and prints the result. If I run it under the tomcat8 user interactively (i.e. sudo su tomcat8), it prints '111' when I run it without sudo, and '0' when I run it with sudo. When I try and launch this program from the web-app (using process builder) I get '111' when the command is run without sudo, but I get the 'effective uid is not 0 ...' error when the command is prefixed with sudo.
I have checked mount, and there are a number of mounts with the 'nosuid' attribute, but not the root '/' directory where /usr/bin is located, and /usr/bin/sudo looks to have the correct permissions:
pi@raspberrypi:~/dev $ ls -l /usr/bin/sudo
-rwsr-xr-x 1 root root 147560 Jan 13 2019 /usr/bin/sudo
In desperation I have tried a couple of other things to just see what effect they might have:
* Added the tomcat8 user to adm, sudo and other groups
* Attempted to remount the other mounts without the nosuid attribute, although I couldn't remount about 6 or so because the mounts were in use.
Neither of these appeared to have any effect.
So it seems to me that the tomcat8 user can use sudo when in bash, but not when running as a daemon. Can anyone give me some ideas as to what is going on here? Is there any way to diagnose or trace how an effective uid is determined by the os?
Other things that may be significant:
I installed both openjdk-8-jdk and tomcat8 via apt, and even though raspbian uses systemd, tomcat8 is launched via an init.d script. Not sure if this is causing uid issues.
If it is the SD card having some mounts with the nosuid attribute causing the problem, why doesn't it fail when running interactively?

It turns out it was an issue with the way the daemon is started, probably due to changes in the way Debian 10 starts daemon processes. I removed the tomcat init.d script, and replaced it with a systemd unit file, and included the following properties:
[Service]
...
NoNewPrivileges=false
AmbientCapabilities=CAP_SETGID CAP_SETUID
SecureBits=keep-caps
This allows the daemon to actually call setUid(0) successfully.
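An added diagnostic for the question above (not code from the original post or answer): it reads the two kernel facts that decide whether the setuid bit on /usr/bin/sudo takes effect for a given process, the NoNewPrivs flag in /proc/<pid>/status (which systemd's NoNewPrivileges=yes sets and which children inherit) and the nosuid option of the mount holding the binary. It assumes a kernel recent enough to expose the NoNewPrivs line and reports "unknown" otherwise.

```shell
#!/bin/sh
# Added diagnostic (not from the original post). At execve time the kernel ignores
# a setuid bit when the caller has no_new_privs set or when the binary lives on a
# nosuid mount. A daemon's JVM inherits these from its service manager; an
# interactive shell usually has neither, which explains "works in bash, not as a service".

# Read a /proc/<pid>/status listing from stdin and print the NoNewPrivs value
# (0 or 1). Older kernels lack the line; report "unknown" in that case.
nnp_from_status() {
    awk '/^NoNewPrivs:/ { print $2; found = 1 }
         END { if (!found) print "unknown" }'
}

# Read a mount table in /proc/self/mounts format from stdin and print "yes" if the
# longest mount point that is a prefix of $1 carries the nosuid option, else "no".
nosuid_for_path() {
    awk -v p="$1" '
    {
        mp = $2; opts = $4
        if (mp == "/" || p == mp || index(p, mp "/") == 1) {
            if (length(mp) > length(best)) { best = mp; bestopts = opts }
        }
    }
    END {
        n = split(bestopts, a, ",")
        for (i = 1; i <= n; i++) if (a[i] == "nosuid") { print "yes"; exit }
        print "no"
    }'
}

# Live check against a running process, e.g. the PID of the tomcat8 JVM.
diagnose_pid() {
    pid="$1"
    nnp=$(nnp_from_status < "/proc/$pid/status")
    ns=$(nosuid_for_path /usr/bin/sudo < /proc/self/mounts)
    echo "pid=$pid no_new_privs=$nnp sudo_on_nosuid_mount=$ns"
}

# Usage: sh diag.sh <pid>   (pid of the daemon that fails to gain root via sudo)
if [ $# -gt 0 ]; then
    diagnose_pid "$1"
fi
```

A result of no_new_privs=1 for the JVM means no sudoers change can help; the unit file must drop NoNewPrivileges (as the accepted fix does), while sudo_on_nosuid_mount=yes points at the mount options instead.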

Related

nohup command on Jenkins silently exiting

I have a Jenkins pipeline in which I'm trying to run the following command to deploy a jar on the server.
steps{
sh 'nohup java -jar admin/target/*.jar'
}
The actual code I'm using is this one.
String deployApplication = "BUILD_ID=dontKillMe " + "nohup java -jar " + dir_name + "/target/*.jar &"
But I'm unable to do so as this command is getting silently ignored when running through Jenkins. But when I run the same command manually through the terminal it runs successfully. And I tried the pwd command using Jenkins, it also ran successfully.
I have tried the fixes suggested by different people like the "BUILD_ID=dontKillMe" and "JENKINS_NODE_COOKIE=dontKillMe" but it did not work for me.
String deployApplication = "BUILD_ID=dontKillMe " + "nohup java -jar admin/target/*.jar"
String deployApplication = "JENKINS_NODE_COOKIE=dontKillMe " + "nohup java -jar admin/target/*.jar"
I tried using the above method by saving it in a variable, but it did not work. Please suggest what is going wrong?
P.S. I'm also attaching the manual execution output. The file in which these commands are saved is commands.sh and the port I'm using is 8100.
There can be a lot of reasons why the script may be failing at the server end when you are trying to deploy:
Make sure that you are in the intended directory and logged in as the intended user with right permission while trying to execute the script. Try to see if a tail on nohup.out gives you any lead on what could be wrong.
If you have the exact jar name and it is a single jar, can you try to keep the exact name in script? Also see whether there is another application or another instance of the same application occupying the port which is intended to be used (assuming the jar is a runnable jar similar to what you get for springboot based applications). Use netstat -tunlp | grep portnumber.
If no process is running, then it may be a firewall issue. Check if firewall rules are written properly to enable the port at the server end. You can simply disable the firewall temporarily and then check if the command is executed successfully. Use systemctl stop firewalld to stop the firewall.

Keeping a Maven/jetty app running permanently on GCE

I have created a VM instance on Google Cloud Platform, Compute Engine. Installed Ubuntu 18.04 LTS, Java JDK, Maven and Jetty. Also installed Tomcat, but not using that at the mo.
I set the JAVA_HOME to the JDK location and added it to /etc/environment and confirmed this with source /etc/environment. Then I cd into my app, run mvn jetty:run and the app comes up on port 8888 and everything works great.
I'm using the GCE Browser SSH terminal and I have two problems. When I close my laptop or shut the browser the app terminates and goes down. So I have to SSH back into GCE and run the above command, but firstly it tells me that my java home is pointing to jre not JDK. Running echo $JAVA_HOME shows it's correct, so I need to run source /etc/environment before mvn jetty:run each time I log in.
1. How do I make the app stay open so it's not reliant on an open terminal on my PC (happy to leave one open and running on the machine, just not sure how to do this).
2. Why do I have to run a source each time I log in? Surely having it set in the environment file is enough?
I'm a bit of a newb on java and linux so any help/advice appreciated.
Paul
You can run your app in the background so that even if you close the terminal it will not affect the java process. You can use this command
$ nohup mvn jetty:run &
Your logs will be redirected to a file called nohup.out in the same directory.
For setting the env variables there is one file called /etc/profile. Just mention the details in this file and login/logout, it will be permanent.

Launching java as a service and specifying the user

As an introduction, let's just say I'm a real noob using linux. I try to do the things right, don't hit me if it's ugly.
So, the problem. I'm trying to run some jars as webservices on an ubuntu server. I created a specific user (nuxservice) with no pwd. I edited sudoers to enable a few users (myself & root) to sudo using this account with no password.
I then took a lot of inspiration from : http://www.jcgonzalez.com/linux-java-service-wrapper-example
Most is working, only one real problem, my java process seems to not have the right to create its logging files.
I run my services with a classic
sudo service myservice start/stop/restart
The command line that launches my services is:
nohup sudo -u nuxservice java -jar myjar.jar myargs
When I do a ps -ef, the services are launched with my nuxservice user.
When I do ls -ld, nuxservice is the owner and has the rights.
If I launch the command in a terminal myself, it works. When launching as a service, my log files are not created.
Any clues, mates?
So...
It was kinda silly.
My user rights were fine. Problem is, I did not set the working folder in my script so Java was all lost considering the creation of the folder/files for logging.
All I had to do was add a little
cd $PATH_TO_JAR
And it was all set!

Listen to serial port at STARTUP using java with arguments on Debian(Rasbian)

I've been stuck two weeks trying to figure out how to run this at startup.
I use the following chain of commands on the terminal:
1. source ~/.bashrc
2. source ~/.tinyos.sh
3. java net.tinyos.tools.Listen -comm serial#/dev/ttyUSB0:telosb | python demo.py
The third command uses java to listen to the serial port and pipes it to a python script which cleans, converts and uploads to mysql localhost.
This works fine on an ssh terminal. But I've tried using nohup+update-rc.d, upstart, systemd, crontab to make it run on startup and it just won't work! When I reboot and check logs / database, it's as if the command never happened. I need this to run like a daemon and continue running until shutdown.
Thanks a lot.
How are you trying to execute the program? Are there any permission issues accessing / executing the script?
Which version of debian are you running - look at upstart scripts if you are running Jessie+
I'd put those three lines in a bash script and use upstart scripts to trigger them on start. Another option is to use supervisord to make sure that your scripts run and restart if for any reason the program crashes.

Start Tomcat on Console from Jenkins

I have a batch file which starts Tomcat as follows (when running it on Windows it works fine)
...
start C:\Users\root\tomcat\tomcat2\bin\startup.bat
The batch file is called from Jenkins as follows
I have this error in the Jenkins Console at the end of the build
D:\jenkins\workspace\Start 3T2>start C:\Users\root\tomcat\tomcat2\bin\startup.bat
Process leaked file descriptors. See http://wiki.jenkins-ci.org/display/JENKINS/Spawning+processes+from+build for more information
Finished: SUCCESS
When I check the task manager I see that the server is started, but in the background. I actually need to start Tomcat in the Console.
This is what I did:
I added -Dhudson.util.ProcessTree.disable=true in jenkins-slave.xml, used to start the jenkins slave service.
I added set BUILD_ID=dontkillme in startup.bat to stop Jenkins from stopping the process in the end.
I think Tomcat starts correctly in the end but not in the Console. I'm running Windows 2012 server/Tomcat7/Jenkins 1.578.
Any idea on how to start Tomcat in a Console?
AFAIK, if you're trying to start Tomcat console on a given machine which has Jenkins configured as service, it will not work. To make it work, you will have to connect to the given machine using JNLP. In case it's a standalone system and you want to open a Tomcat console using Jenkins, you will have to set up a Slave on the same machine and that too using JNLP (Launch slave agents via Java Web Start) in the Launch method section in Jenkins > Manage Jenkins > Manage Nodes > Slave Node's Configure page.
You can connect to the slave using any of the methods shown below. You will see the below option as soon as you configure the slave node and click Save. I ran the highlighted command from the Win command prompt. In my set up, I had configured Master and Slave on the same machine. I have a Win 7 Professional, 64-bit laptop.
Once you run the command, you will see a small window that will pop up and will display a 'Connected' message as shown below:
At least for me, I checked that hudson.util.ProcessTree.disable=true & BUILD_ID parameters were not required. The only thing that I needed was to make sure that the following property is unset: HUDSON_SERVER_COOKIE
P.S.: You might have to make sure to start JNLP on reboot. A start-up script will do that. Also, ensure that your project/job is tied to the given slave which is running using JNLP mechanism.
I was going crazy with this, as shutdown.sh worked from Windows-Master-Jenkins-->Linux-Slave-Jenkins, but startup.sh was not happening on my linux-slave-jenkins though startup.sh execution showed a success message. As there were no logs anywhere, it was difficult to troubleshoot; not sure how and why setting up "export HUDSON_SERVER_COOKIE= " just before running startup.sh worked. Anyway, thanks a lot.