4

All,

I want to run a part of my Java program as root. Only one particular function as root. The other part of the programs should run with the user privileges with which the program was started. I want to run only the below code as root and the other as it is. This is because I see different behavior for this code when it runs with ROOT privileges.

 try
    {
         addr = Inet6Address.getByName(host);
         isReachable = addr.isReachable(20*1000);
    } catch (UnknownHostException e)

Thanks in advance

Geek
  • 23,089
  • 20
  • 71
  • 85
  • Can you explain what was the different behavior you observed? – Nishan Mar 11 '11 at 10:42
  • @Nishan : isReachable = true for a ROOT User and false otherwise. I read about this in Inet6Address API and how it works. Since I was not able to solve that problem, I thought I could try this in the meanwhile. – Geek Mar 11 '11 at 10:49

3 Answers3

4

There is no portable way for a Java program to change the effective user id; i.e. change from running with root privilege to another user. (And even in C an application can't switch between privileged and non-privileged willy-nilly. Privilege switching is a one-way street.)

Reading the javadoc for InetAddress.isReachable it does use different mechanisms depending on the JVM process's privilege. However, neither of the two approaches used by isReachable is guaranteed to work; e.g.

  • some firewall may selectively block ICMP ECHO messages,
  • the target machine might not be running an Echo service on port 7 ... or port 7 may be locked by a firewall.

So I would address avoid issue entirely. Just try to do whatever it is that you are really trying to do, and forget about using isReachable. Or if it is within your control, fix the machines / networks so that both mechanisms work for the machines you need to test.

@Geek - you say that you can't test particular ports because they can be blocked. Well anything can be blocked, including ICMP PING, ICMP ECHO and anything else that you might use to test if the host is reachable.

There is only one thing that really matters: can you talk to the service that you are actually going to use. And there is only one way to find out: try to use it.

Or to say it another way, testing if a host is available doesn't make sense. Hosts are not available: specific services are.

pants
  • 192
  • 13
Stephen C
  • 698,415
  • 94
  • 811
  • 1,216
  • I can't fix the networks. I just want to check if a particular host on the Internet is up and running. I can't test with a Socket connection as some ports will be blocked. Any other way to do that ? For eg. I just want to check with my Program if google.com is reachable. – Geek Mar 11 '11 at 11:01
  • @Geek, you could try to fetch the homepage through http using `HttpUrlConnection`, but I think it would be better to handle connection problems during regular operation instead of checking once and then hoping the network state does not change. – Jörn Horstmann Mar 11 '11 at 11:07
  • It might be better to try to reach the machine over the required protocol and port. a ping can be blocked, and if not, still not reachable over http (due to firewalls, proxies and other fun). I would just try, for google, an HTTP call. Perhaps expensive but then you'd actually know something worthwhile. – extraneon Mar 11 '11 at 11:09
  • @extraneon: Can you please explain more, I didn't get " I would just try, for google, an HTTP call.". – Geek Mar 11 '11 at 11:17
  • (I think he meant "try sending an HTTP request to Google".) – Stephen C Jul 30 '12 at 13:15
1

Privilege separation is not possible in JAVA as it works very diffrent ways in different OS's.

A possible way to solve yor problem is a TCP connection attempt. You can catch the IOException which will contain additional information. This is highly platform-dependant, so be smart about interpreting them.

vbence
  • 20,084
  • 9
  • 69
  • 118
  • @vb : Thanks. Like I said I just want to ping if a host on the Internet is available or not. – Geek Mar 11 '11 at 11:05
  • @Geek - but why would you use ping? It makes no sense - it won't tell you if a host is available for anything other than ICMP. If you are planning to connect to it over hhtp or https, use one of them to confirm that service is available. – Rory Alsop Mar 11 '11 at 13:32
0

For running parts of a program with other privileges, you would need JNI and system dependent calls. Easier would be to simply call an external program with ProcessBuilder or Runtime.exec:

Process p = Runtime.getRuntime().exec(new String[]{"sudo", "ping", "-c", "5", "host"});
int result = p.waitFor();
if(result == 0) {
   // reachable
}
else {
   // unreachable, or some error
}

This would need a suitable entry in the sudoers configuration file (and for other systems and/or other versions of ping maybe other parameters).

But as the others said, reachability by ping is not equivalent to the service you want to use is reachable.

Paŭlo Ebermann
  • 73,284
  • 20
  • 146
  • 210