Re: RFR 8197387: jcmd started by "root" must be allowed to access all VM processes
Hi Thomas, Thank you for the review. Just in in case I put an updated webrev with suggested changes at http://cr.openjdk.java.net/~dtitov/8197387/webrev.03/ . I am also including ppc-aix-port-dev@openjdk.java.net mail list since the changes affect AIX native code. I did these AIX changes myself and I need to get them verified before the push. May I ask someone who has access to an AIX machine try this patch to ensure that AIX build is fine? Webrev: http://cr.openjdk.java.net/~dtitov/8197387/webrev.03/ Issue: https://bugs.openjdk.java.net/browse/JDK-8197387 Thanks a lot! Best regards, Daniil On 5/29/18, 9:54 PM, "Thomas Stüfe" <thomas.stuefe@gmail.com> wrote: Hi Daniil, Looks fine. Small nits: - please add short comments to os_posix.hpp on the new prototypes. At least on matches_effective_uid_and_gid_or_root: e.g. // Returns true if either given uid is effective uid and given gid is effective gid, or if given uid is root. - src/hotspot/os/posix/os_posix.cpp: +bool os::Posix::matches_effective_uid_and_gid_or_root(uid_t uid, gid_t gid) { + return is_root(uid) || ( geteuid() == uid && getegid() == gid); +} + please remove extra space before geteuid() If you change above points, I do not need another webrev. Reviewed. -- Btw: I wonder why we find it necessary in the hotspot to check for both uid AND gid to match effective uid and effective gid? Seems strange. But since this logic is not touched by your change, your change is okay. Best Regards, Thomas On Tue, May 29, 2018 at 11:33 PM, Daniil Titov <daniil.x.titov@oracle.com> wrote: > Hi Thomas, > > Please review a new version of the fix that includes the changes suggested. > > Webrev: http://cr.openjdk.java.net/~dtitov/8197387/webrev.02/ > Bug: https://bugs.openjdk.java.net/browse/JDK-8197387 > > Thank you, > Daniil > > > On 5/24/18, 10:51 PM, "Thomas Stüfe" <thomas.stuefe@gmail.com> wrote: > > Hi Daniil, > > here is my review: > > - Like Roger I would prefer to have the uid checks factored out. At > least for the hotspot coding, I do not know where to put it in jdk > coding. For the hotspot parts, I would add something like: > > os::Posix::is_root(uid_t uid) ; > os::Posix::matches_effective_uid_or_root(uid_t uid) // return > isroot(uid) || uid == geteuid > os::Posix::matches_effective_group_id(gid_t gid) // return gid == getegid > > to os_posix.hpp/os_posix.cpp > > Other than that, the changes make sense. > > Kind Regards, Thomas > > > > > On Thu, May 24, 2018 at 3:11 AM, Daniil Titov <daniil.x.titov@oracle.com> wrote: > > Please review the changes that fix JDK-8197387. > > > > There are 2 problems here: > > 1. JVM ignores .attach_pid<pid> file if it is owned by the user different from the one that owns this JVM process > > 2. jcmd checks that .java_pid<pid> socket is owned by the same user that runs jcmd and reports an error otherwise > > > > The fix relaxes these checks to allow jcmd started by "root" (UID = 0) access JVMs started by another users. > > > > Bug: https://bugs.openjdk.java.net/browse/JDK-8197387 > > Webrev: http://cr.openjdk.java.net/~dtitov/8197387/webrev.01/ > > > > Best regards, > > Daniil > > > > > > >
On Wed, May 30, 2018 at 7:27 PM, Daniil Titov <daniil.x.titov@oracle.com> wrote:
Hi Thomas,
Thank you for the review. Just in in case I put an updated webrev with suggested changes at http://cr.openjdk.java.net/~dtitov/8197387/webrev.03/ .
I am also including ppc-aix-port-dev@openjdk.java.net mail list since the changes affect AIX native code. I did these AIX changes myself and I need to get them verified before the push.
May I ask someone who has access to an AIX machine try this patch to ensure that AIX build is fine?
AIX builds fine. Thanks, Thomas
Webrev: http://cr.openjdk.java.net/~dtitov/8197387/webrev.03/ Issue: https://bugs.openjdk.java.net/browse/JDK-8197387
Thanks a lot!
Best regards, Daniil
On 5/29/18, 9:54 PM, "Thomas Stüfe" <thomas.stuefe@gmail.com> wrote:
Hi Daniil,
Looks fine. Small nits:
- please add short comments to os_posix.hpp on the new prototypes. At least on matches_effective_uid_and_gid_or_root: e.g. // Returns true if either given uid is effective uid and given gid is effective gid, or if given uid is root.
- src/hotspot/os/posix/os_posix.cpp:
+bool os::Posix::matches_effective_uid_and_gid_or_root(uid_t uid, gid_t gid) { + return is_root(uid) || ( geteuid() == uid && getegid() == gid); +} + please remove extra space before geteuid()
If you change above points, I do not need another webrev. Reviewed.
--
Btw: I wonder why we find it necessary in the hotspot to check for both uid AND gid to match effective uid and effective gid? Seems strange. But since this logic is not touched by your change, your change is okay.
Best Regards, Thomas
On Tue, May 29, 2018 at 11:33 PM, Daniil Titov <daniil.x.titov@oracle.com> wrote: > Hi Thomas, > > Please review a new version of the fix that includes the changes suggested. > > Webrev: http://cr.openjdk.java.net/~dtitov/8197387/webrev.02/ > Bug: https://bugs.openjdk.java.net/browse/JDK-8197387 > > Thank you, > Daniil > > > On 5/24/18, 10:51 PM, "Thomas Stüfe" <thomas.stuefe@gmail.com> wrote: > > Hi Daniil, > > here is my review: > > - Like Roger I would prefer to have the uid checks factored out. At > least for the hotspot coding, I do not know where to put it in jdk > coding. For the hotspot parts, I would add something like: > > os::Posix::is_root(uid_t uid) ; > os::Posix::matches_effective_uid_or_root(uid_t uid) // return > isroot(uid) || uid == geteuid > os::Posix::matches_effective_group_id(gid_t gid) // return gid == getegid > > to os_posix.hpp/os_posix.cpp > > Other than that, the changes make sense. > > Kind Regards, Thomas > > > > > On Thu, May 24, 2018 at 3:11 AM, Daniil Titov <daniil.x.titov@oracle.com> wrote: > > Please review the changes that fix JDK-8197387. > > > > There are 2 problems here: > > 1. JVM ignores .attach_pid<pid> file if it is owned by the user different from the one that owns this JVM process > > 2. jcmd checks that .java_pid<pid> socket is owned by the same user that runs jcmd and reports an error otherwise > > > > The fix relaxes these checks to allow jcmd started by "root" (UID = 0) access JVMs started by another users. > > > > Bug: https://bugs.openjdk.java.net/browse/JDK-8197387 > > Webrev: http://cr.openjdk.java.net/~dtitov/8197387/webrev.01/ > > > > Best regards, > > Daniil > > > > > > >
Thank you, Thomas, for verifying this! I checked over this email thread and believe I still need one more reviewer for this fix. Webrev: http://cr.openjdk.java.net/~dtitov/8197387/webrev.03/ Issue: https://bugs.openjdk.java.net/browse/JDK-8197387 Best regards, Daniil On 5/30/18, 11:16 AM, "Thomas Stüfe" <thomas.stuefe@gmail.com> wrote: On Wed, May 30, 2018 at 7:27 PM, Daniil Titov <daniil.x.titov@oracle.com> wrote: > Hi Thomas, > > Thank you for the review. Just in in case I put an updated webrev with suggested changes at http://cr.openjdk.java.net/~dtitov/8197387/webrev.03/ . > > I am also including ppc-aix-port-dev@openjdk.java.net mail list since the changes affect AIX native code. I did these AIX changes myself and I need to get them verified before the push. > > May I ask someone who has access to an AIX machine try this patch to ensure that AIX build is fine? > AIX builds fine. Thanks, Thomas > Webrev: http://cr.openjdk.java.net/~dtitov/8197387/webrev.03/ > Issue: https://bugs.openjdk.java.net/browse/JDK-8197387 > > Thanks a lot! > > Best regards, > Daniil > > On 5/29/18, 9:54 PM, "Thomas Stüfe" <thomas.stuefe@gmail.com> wrote: > > Hi Daniil, > > Looks fine. Small nits: > > - please add short comments to os_posix.hpp on the new prototypes. At > least on matches_effective_uid_and_gid_or_root: > e.g. // Returns true if either given uid is effective uid and given > gid is effective gid, or if given uid is root. > > - src/hotspot/os/posix/os_posix.cpp: > > +bool os::Posix::matches_effective_uid_and_gid_or_root(uid_t uid, gid_t gid) { > + return is_root(uid) || ( geteuid() == uid && getegid() == gid); > +} > + > please remove extra space before geteuid() > > If you change above points, I do not need another webrev. Reviewed. > > -- > > Btw: I wonder why we find it necessary in the hotspot to check for > both uid AND gid to match effective uid and effective gid? Seems > strange. But since this logic is not touched by your change, your > change is okay. > > Best Regards, Thomas > > > > On Tue, May 29, 2018 at 11:33 PM, Daniil Titov > <daniil.x.titov@oracle.com> wrote: > > Hi Thomas, > > > > Please review a new version of the fix that includes the changes suggested. > > > > Webrev: http://cr.openjdk.java.net/~dtitov/8197387/webrev.02/ > > Bug: https://bugs.openjdk.java.net/browse/JDK-8197387 > > > > Thank you, > > Daniil > > > > > > On 5/24/18, 10:51 PM, "Thomas Stüfe" <thomas.stuefe@gmail.com> wrote: > > > > Hi Daniil, > > > > here is my review: > > > > - Like Roger I would prefer to have the uid checks factored out. At > > least for the hotspot coding, I do not know where to put it in jdk > > coding. For the hotspot parts, I would add something like: > > > > os::Posix::is_root(uid_t uid) ; > > os::Posix::matches_effective_uid_or_root(uid_t uid) // return > > isroot(uid) || uid == geteuid > > os::Posix::matches_effective_group_id(gid_t gid) // return gid == getegid > > > > to os_posix.hpp/os_posix.cpp > > > > Other than that, the changes make sense. > > > > Kind Regards, Thomas > > > > > > > > > > On Thu, May 24, 2018 at 3:11 AM, Daniil Titov <daniil.x.titov@oracle.com> wrote: > > > Please review the changes that fix JDK-8197387. > > > > > > There are 2 problems here: > > > 1. JVM ignores .attach_pid<pid> file if it is owned by the user different from the one that owns this JVM process > > > 2. jcmd checks that .java_pid<pid> socket is owned by the same user that runs jcmd and reports an error otherwise > > > > > > The fix relaxes these checks to allow jcmd started by "root" (UID = 0) access JVMs started by another users. > > > > > > Bug: https://bugs.openjdk.java.net/browse/JDK-8197387 > > > Webrev: http://cr.openjdk.java.net/~dtitov/8197387/webrev.01/ > > > > > > Best regards, > > > Daniil > > > > > > > > > > > > > > >
Thank you, Serguei! I updated the webrev with this minor change in the comment. Webrev: http://cr.openjdk.java.net/~dtitov/8197387/webrev.04 Issue: https://bugs.openjdk.java.net/browse/JDK-8197387 Best regards, Daniil From: "serguei.spitsyn@oracle.com" <serguei.spitsyn@oracle.com> Date: Thursday, May 31, 2018 at 10:33 AM To: Daniil Titov <daniil.x.titov@oracle.com>, Thomas Stüfe <thomas.stuefe@gmail.com>, "serviceability-dev@openjdk.java.net serviceability-dev@openjdk.java.net" <serviceability-dev@openjdk.java.net> Cc: <ppc-aix-port-dev@openjdk.java.net> Subject: Re: RFR 8197387: jcmd started by "root" must be allowed to access all VM processes Hi Daniil, It looks good to me. A minor comment: http://cr.openjdk.java.net/~dtitov/8197387/webrev.03/src/hotspot/os/posix/os... + // Returns true if given uid is effective uid or if given uid is root. + static bool matches_effective_uid_or_root(uid_t uid); What about to simplify the comment above? : // Returns true if given uid is effective or root uid. Thanks, Serguei On 5/30/18 12:08, Daniil Titov wrote: Thank you, Thomas, for verifying this! I checked over this email thread and believe I still need one more reviewer for this fix. Webrev: http://cr.openjdk.java.net/~dtitov/8197387/webrev.03/ Issue: https://bugs.openjdk.java.net/browse/JDK-8197387 Best regards, Daniil On 5/30/18, 11:16 AM, "Thomas Stüfe" <thomas.stuefe@gmail.com> wrote: On Wed, May 30, 2018 at 7:27 PM, Daniil Titov <daniil.x.titov@oracle.com> wrote: > Hi Thomas, > > Thank you for the review. Just in in case I put an updated webrev with suggested changes at http://cr.openjdk.java.net/~dtitov/8197387/webrev.03/ . > > I am also including ppc-aix-port-dev@openjdk.java.net mail list since the changes affect AIX native code. I did these AIX changes myself and I need to get them verified before the push. > > May I ask someone who has access to an AIX machine try this patch to ensure that AIX build is fine? > AIX builds fine. Thanks, Thomas > Webrev: http://cr.openjdk.java.net/~dtitov/8197387/webrev.03/ > Issue: https://bugs.openjdk.java.net/browse/JDK-8197387 > > Thanks a lot! > > Best regards, > Daniil > > On 5/29/18, 9:54 PM, "Thomas Stüfe" <thomas.stuefe@gmail.com> wrote: > > Hi Daniil, > > Looks fine. Small nits: > > - please add short comments to os_posix.hpp on the new prototypes. At > least on matches_effective_uid_and_gid_or_root: > e.g. // Returns true if either given uid is effective uid and given > gid is effective gid, or if given uid is root. > > - src/hotspot/os/posix/os_posix.cpp: > > +bool os::Posix::matches_effective_uid_and_gid_or_root(uid_t uid, gid_t gid) { > + return is_root(uid) || ( geteuid() == uid && getegid() == gid); > +} > + > please remove extra space before geteuid() > > If you change above points, I do not need another webrev. Reviewed. > > -- > > Btw: I wonder why we find it necessary in the hotspot to check for > both uid AND gid to match effective uid and effective gid? Seems > strange. But since this logic is not touched by your change, your > change is okay. > > Best Regards, Thomas > > > > On Tue, May 29, 2018 at 11:33 PM, Daniil Titov > <daniil.x.titov@oracle.com> wrote: > > Hi Thomas, > > > > Please review a new version of the fix that includes the changes suggested. > > > > Webrev: http://cr.openjdk.java.net/~dtitov/8197387/webrev.02/ > > Bug: https://bugs.openjdk.java.net/browse/JDK-8197387 > > > > Thank you, > > Daniil > > > > > > On 5/24/18, 10:51 PM, "Thomas Stüfe" <thomas.stuefe@gmail.com> wrote: > > > > Hi Daniil, > > > > here is my review: > > > > - Like Roger I would prefer to have the uid checks factored out. At > > least for the hotspot coding, I do not know where to put it in jdk > > coding. For the hotspot parts, I would add something like: > > > > os::Posix::is_root(uid_t uid) ; > > os::Posix::matches_effective_uid_or_root(uid_t uid) // return > > isroot(uid) || uid == geteuid > > os::Posix::matches_effective_group_id(gid_t gid) // return gid == getegid > > > > to os_posix.hpp/os_posix.cpp > > > > Other than that, the changes make sense. > > > > Kind Regards, Thomas > > > > > > > > > > On Thu, May 24, 2018 at 3:11 AM, Daniil Titov <daniil.x.titov@oracle.com> wrote: > > > Please review the changes that fix JDK-8197387. > > > > > > There are 2 problems here: > > > 1. JVM ignores .attach_pid<pid> file if it is owned by the user different from the one that owns this JVM process > > > 2. jcmd checks that .java_pid<pid> socket is owned by the same user that runs jcmd and reports an error otherwise > > > > > > The fix relaxes these checks to allow jcmd started by "root" (UID = 0) access JVMs started by another users. > > > > > > Bug: https://bugs.openjdk.java.net/browse/JDK-8197387 > > > Webrev: http://cr.openjdk.java.net/~dtitov/8197387/webrev.01/ > > > > > > Best regards, > > > Daniil > > > > > > > > > > > > > > >
participants (3)
-
Daniil Titov
-
serguei.spitsyn@oracle.com
-
Thomas Stüfe