How to call the authentication window, to grant access for root for a while for current application, from a class.
for example, I'm writing some app to work with partitions, so it need's root privileges to execute some things.
Probably you can't do that with Java. The best way to do is, maybe you can detect that program is not run as sudo so you can ask users to shutdown the program and relaunch as super user. (for this solution, I'd prefer choosing a file or directory from system files and check whether it is writable or not. e.g. new File("/usr/bin/ls").isWritable())
Other ways might be launching Desktop Environment-specific authentication windows. e.g. There is Java-gnome but as you might expect, not all users supposed to use GNOME. So there is not really a universal solution and all comes with tons of dependencies. Java is not designed for this.
The best thing is to check super user privileges with a trick on startup. Maybe you can elaborate your problem and we can come up with a solution that does not require root access.
Related
In the previous months I developed a sandbox Java applet for an academic project. I wasn't able to sign it with a trusted Certificate Authority because of the restricted budget.
With the release of Java 1.7.51 I found that the new security restrictions forbid the execution of the applet, because of the lack of signature.
Until now, I have found two rough solutions to this problem:
ask the user to include the applet page on his/her exception lists;
ask the user to set the Java security level to "Medium" (which, of course, is a risky manoeuvre).
Is there a way to overcome the restrictions imposed by Java with a self-signed applet without asking the user to change the security settings?
I would deeply thank you for your answers, since the option to buy a trusted certificate remains an expensive one.
Is there a way to overcome the restrictions imposed by Java with a self-signed applet without asking the user to change the security settings?
Short answer, no. Long answer, nope.
Its not a real solution but maybe a bit more convenient for the enduser:
Write a small programm (as jar file, or batch) which adds your site to the exception list. This tiny programm you offer to the user which can't execute your applet. It only has to be executed once. How this can be done is described here.
The file controlling the Exception Site List is stored in the user’s
deployment location as described in the deployment configuration. On
Windows 7 the location is
C:\Users\username\AppData\LocalLow\Sun\Java\Deployment\security\exception.sites.
The format is one site per line.
If you think that is not really trustworthy to the user you are probably right ;-) who executes a file downloaded from the internet? You can also just add a small description to your page and a user could execute it from commandline. For windows it would like that:
mkdir %USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\security
echo http://www.carlos.com >> %USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\security\exception.sites
The more I read my post I think the best solution is the certificate but still wanted to share this option.
I am developing an OSX application for school where multiple users of the same mac will able to launch the program based on shared configuration (i.e. database connection info).
By design, the normal user without administrative privilege should not be allowed to modify the configuration.
Based on unix convention, I am storing the configuration file under /usr/shared/, but this caused another problem:
- Even when logged in as administrator, application will not able to write to the location above. Users will have to launch the application with elevated privilege (using sudo) if they need to make changes to the configuration file.
My question is, whether using "sudo" to write to restricted area is a common practice in mac osx ?
I would say that using "sudo" on a Mac is only common practice for certain types of users, such as network administrators and users who like to do more than just use standard applications.
I certainly would not expect students and teachers to be using the terminal and sudo.
When developing OSX apps, Apple provides the Authorization Services, from the security framework, for the app to be able to separate privileged features from standard ones and prompt users for their credentials when required.
You will have seen this in the System Preferences panes, where you see the padlock icon. Any application can call upon these services, though I'm not sure if it's possible with Java. This is Apple's recommended method of handling a problem such as this, in addition to factoring out privileged tasks to a separate application with a function they term 'SMJobBless'.
Interestingly, the domain of your question maps directly onto Apple's described scenario of using this system for "Simple, Self-Restricted Applications".
With that being said, if only yourself or other network administrators are going to be modifying the config file, then I'd recommend leaving out any features in the app for modifying it and doing it directly with sudo and a text editor such as vi, when required.
Definitely, unless you chmod its privilege with sudo(root)
I wrote a program in Java that makes it easy to setup and switch between different versions of Minecraft. The program is pretty much done, but I'm faced with a problem that I can't seen to find the solution for. I have a button in the program that allows you to launch Minecraft by means of the Runtime object. This works well on my computer because I know where I have my .app or .exe file (depending on OS). I don't however know where that file is located on anyone else's computer. I have thought of a few ways of getting around this, but none seem to be feasible.
One idea was to just prompt the user to locate the file through a file chooser and then cache that file. This would work, but isn't very elegant, especially for users that aren't very computer literate.
I also thought about bundling the .app and .exe file with my application but that brought up even more problems. For one, I don't know if it's exactly legal for me to be distributing that file with my application. Also, it would change the way I would have to distribute my application to include some sort of installer that sets up everything.
Does anyone have any better ideas on how to handle this problem?
You have at least three choices that I can think
You can use a configuration system to store the location(s) of the program and prompt the user/supply a config API to set the value. This is good and rather simple to do
You can search commonly well know locations for the location and if it's not found, prompt the user (and hopefully store the result). This is okay, but it relies on a number of factors, including the OS and the program actually being loaded in a "common" location and being named in a "common" manner.
Search the hard drive. This is poor as it's time consuming and the application might not actually exist on the drive you are search...Searching all available locations could lead you onto network drives which will just be slower...And prompt the user if it's not found
Seen as almost all the solutions fail to "prompt the user" I would probably use a combination of 1 & 2. Allow the user to specify the location, if they don't, search some common known locations and if you still can't find it, prompt the user (and hopefully save the value for reuse).
IMHO
I need to use the systemRoot feature of the Preferences API, but it fails due to lack of permissions on Windows if UAC is on. I'm trying to find the technical details of popping the UAC prompt and elevating my permissions to allow the systemRoot updates to succeed.
According the accepted answer to this SO question, you cannot change the UAC permissions of a running process.
According to the answers to this SO question, possible ways to launch a process with elevated permissions are:
create a wrapper to launch the JVM (with the appropriate arguments!) with a windows manifest that requests raised privileges, or
use the application linked to the 2nd answer to run the JVM with raised privileges.
In addition to the manifest Using JNI to call ShellExecute with verb = runas will also do this - but specifying things with a manifest is a more robust way of doing it. Getting a manifest embedded in an exe can be a bit tricky, and there were a lot of problems with manifest handling in earlier versions of Visual C++, but most of them are worked out now.
That said, I'd encourage you to think hard about why you need to access the system root - is it to store settings for all users? If so, you may want to consider having a separate application for managing those settings (with it's own manifest). You can't just pop open a UAC elevation dialog - you actually have to launch a new process (if you look at task manager with apps that appear to work this way, you'll see that a second instance of the app actually gets launched - look at the UAC Virtualization column in task manager to see the differences).
Another possibility is to adjust the security settings in the area of the registry that you absolutely must configure from your non-elevated process - but this goes against the design of UAC, and it'll almost always cause more trouble than it's worth. Probably better to drink the M$ kool-aid and design your app properly for UAC. (Believe me, I feel your pain on this - been through it a number of times).
As I was experiencing this pain myself, I found the following MSDN article quite helpful to understand the Microsoft design intent with UAC:
http://msdn.microsoft.com/en-us/library/aa511445.aspx
Hope this helps...
You can use run-as-root library: https://github.com/dyorgio/run-as-root
// Specify JVM options (optional)
RootExecutor rootExecutor = new RootExecutor("-Xmx64m");
// Execute privileged action
rootExecutor.run(() -> System.out.println("Call your admin code here."));
P.S.: I'm the author.
I'm here just to ask something maybe very simple, I'm working with Files, FileOutputStream and FileInputStream, But I just want to get/set a few props from the file, I mean, the owner the file, the permissions read/write, etc.
Looking around I found the classes FileDescriptor and FilePermission but I don't have an idea of which I can use them, so I asking for some help about this; Actually I'm using the method setReadOnly() from the class File but that's now what I'm looking for.
There are a couple of issues here:
An application, by default, has unrestricted access to its own files (read/write/delete/'execute'...whatever execute means) but no access to any other application's files.
Android make it difficult to interact with other applications and their data except through Intents. Intents won't work for permissions because you're dependent on the application receiving the Intent to do/provide what you want; they probably weren't designed to tell anybody their files' permissions. There are ways around it, but only when the applications are desgned to operate in the same JVM (i.e. applications you have designed to operate in the same JVM together)
Your application can get and set permissions for its own files but cannot do that for anyone elses. To my knowledge there is no explicit concept of ownership exposed in the SDK, so you cannot find the owner of a file.
Android is based on the Linux kernel, but it's not Linux. It's been heavily optimized for running on mobile devices. If you have a machine where an application can only play in its own sandbox you can cut out things like permissions and ownership and get a smaller, faster operating system. The only permissions your files have are the one's you place (and enforce) on them. Other applications' files do not exist.
Android uses the standard Java API for handling files and file permissions. Here's a a page discussing permissions in Java.
Basically all you need to do is getting the FilePermission object of the file, then getting the PermissionCollection from the FilePermission object with the newPermissionCollection() method and then add or remove items to or from that collection.
Well...if you only want to SEE the permissions couldn't you just use "ls -l" ?