Is there a way for a Java app to gain root permissions?

Question

When running Files.walk(Paths.get("/var/")).count() as an unprivileged user, the execution might throw an exception as there are folders inside /var/ that need root permission to be traversed.

I am not looking for a way to execute a bash command as root (e.g. sudo find /var), using Process, etc.

I just want to make sure Files.walk(Paths.get("/var/")).count() does not throw an AccessDeniedException:

Exception in thread "restartedMain" java.lang.reflect.InvocationTargetException
    at sun.reflect.NativeMethodAccessorImpl.invoke0
    at sun.reflect.NativeMethodAccessorImpl.invoke
    at sun.reflect.DelegatingMethodAccessorImpl.invoke
    at java.lang.reflect.Method.invoke
    at org.springframework.boot.devtools.restart.RestartLauncher.run
Caused by: java.io.UncheckedIOException: java.nio.file.AccessDeniedException: /var/cache/httpd
    at java.nio.file.FileTreeIterator.fetchNextIfNeeded
    at java.nio.file.FileTreeIterator.hasNext
    at java.util.Iterator.forEachRemaining
    at java.util.Spliterators$IteratorSpliterator.forEachRemaining
    at java.util.stream.AbstractPipeline.copyInto
    at java.util.stream.AbstractPipeline.wrapAndCopyInto
    at java.util.stream.ReduceOps$ReduceOp.evaluateSequential
    at java.util.stream.AbstractPipeline.evaluate
    at java.util.stream.LongPipeline.reduce
    at java.util.stream.LongPipeline.sum
    at java.util.stream.ReferencePipeline.count
    at com.example.DemoApplication.main
    ... 5 more
Caused by: java.nio.file.AccessDeniedException: /var/cache/httpd
    at sun.nio.fs.UnixException.translateToIOException
    at sun.nio.fs.UnixException.rethrowAsIOException
    at sun.nio.fs.UnixException.rethrowAsIOException
    at sun.nio.fs.UnixFileSystemProvider.newDirectoryStream
    at java.nio.file.Files.newDirectoryStream
    at java.nio.file.FileTreeWalker.visit
    at java.nio.file.FileTreeWalker.next
    at java.nio.file.FileTreeIterator.fetchNextIfNeeded

This is just an example. Using filter(...) it is possible to work around the exception. But this example can be expanded to other use cases too.

So in short Is this possible at all, for CLI, JavaFX, etc. apps to gain root permission after they have been executed from command line via a method such as java -jar app.jar?

Answer 1

If what you want is actually skipping the paths where you have no access, you have two approaches:

Streams

In the answer to this question it is explained how to obtain the stream of all files of a subtree you can access.

But this example can be expanded to other use cases too.

FileVisitor

Using a FileVisitor adds a lot of code, but grants you much more flexibility when walking directory trees. To solve the same problem you can replace Files.walk() with:

Files.walkFileTree(Path start, FileVisitor<? super Path> visitor);

extending SimpleFileVisitor (to count the files) and overriding some methods.

You can:

1. Override the visitFileFailed method, to handle the case you cannot access a file for some reasons; (Lukasz_Plawny's advice)
2. (optional) Override the preVisitDirectory method, checking for permissions before accessing the directory: if you can't access it, you can simply skip its subtree (keep in mind that you may be able to access a directory, but not all its files);

e.g. 1

@Override
public FileVisitResult visitFileFailed(Path file, IOException exc) {
    // you can log the exception 'exc'
    return FileVisitResult.SKIP_SUBTREE;
}

e.g. 2

@Override
public FileVisitResult preVisitDirectory(Path dir, BasicFileAttributes attrs) {

    if(!Files.isReadable(dir))
        return FileVisitResult.SKIP_SUBTREE;

    return FileVisitResult.CONTINUE;

}

FileVisitor docs

FileVisitor tutorial

Hope it helps.

Answer 2

Just a few completely untested ideas:

1) Run your app with root priviledges to begin with:

sudo java -jar myapp.jar

2) Let your app start a launcher-class that requests root permissions and then continues running the rest of your app:

java -jar myapp.jar

This in turn does execute a shell command, but only an xterm that prompts for root password, and then continues to run a java program with root permissions:

xterm -e "sudo sh -c 'java -jar /tmp/myrootapp.jar'"

or perhaps use something nicer-looking using gksudo. Mind the ' and ".

Maybe the myapp.jar extracts itself into a temporary directory. myapp.jar contains myrootapp.jar and thus it can launch it as described above. /tmp should of course be retrieved from within java, and preferably be a directory with a random name that only the user running myapp.jar has access to in order to prevent myrootapp.jar injection.

Cross-platform

You mentioned /var/ yourself, so I assumed you were on some sort of Linux. If this is supposed to work cross-platform, e.g. on Macintosh or Microsoft Windows too, you need to do some sort of system identification first. Then you can apply StrategyPattern in code to handle the various ways of letting myrootapp.jar obtain root or administrator permissions.