Keeping my Java program secure

Question

I have a Java project that uses the Bluecove Library, this library requires root privileges to do certain actions that I require in my project. I should note here that despite the project being Java based it is for Linux only.

The project will have many functions that do not require root privileges, some of which will have to interact with the root privilege functions and some that will not.

Additionally, the project will execute programs such as hciconfig using user inputted data under root privileges.

All this root activity has led me to be concerned about the security of my system. The target machine would be the user's own computer and there is no intention of running this system on some public terminal but security is still important as unknown external bluetooth devices will be capable of interacting with this system.

So far my security measures have involved heavily filtering user input, and paying very careful attention to all actions that external bluetooth devices will cause the system to perform but I am growing increasingly unhappy with this.

What would people recommend? One thought would be to split the system in to two or three modules, one containing the GUI and non-root backend, one containing the Bluecove root backend and possibly a root wrapper for hciconfig and the other tools used.

I have noticed some programs, for example Apache, that once run "drop down" their privileges. How is this achieved and is this effective?

Answer 1

What apache does it the setuid system call (in libc), which as you noted, effectively drops down the privilege of the process. You can make libc call via JNI, or JNA.

This works very well, even for Java programs, except that once you go from root to non-root, you won't be able to perform any operations that require the elevated privileges. So the technique can be only used if all the privileged operations can be done upfront, like Apache does.

Another possibility is to divide your program into two processes --- when launched, your program forks another program that runs as root, then have the original one demote to the non-root. Two processes can communicate over their stdin/stdout.