[PATCH] JDK-8036559: Attach API does not allow root to connect to process owned by others
Elliott Baron
ebaron at redhat.com
Wed Mar 16 21:27:24 UTC 2016
Hi,
I've been working on an updated patch for JDK-8036559, where root does
not have the ability to attach to unprivileged users' JVMs. I originally
mentioned this problem back in 2013, and proposed a patch only for Linux
[1]. The result was that the fix had to provide support for all affected
platforms, and to include tests.
We worked around this issue in our project, but I revisited this bug
recently. I investigated the issue on Windows, which has a very
different implementation from the other platforms. I discovered that
this bug does not appear to affect Windows. Using the test programs
attached to Red Hat Bugzilla bug #1311638 [2], I verified the correct
behaviour using the following steps:
> (Open cmd.exe)
> runas /user:test cmd.exe
> runas /user:Administrator cmd.exe
>
> (In test's shell)
> set TMP=C:\Users\Public\java_temp
> cd C:\Users\Public\Documents
> javac AttachTarget.java
> java AttachTarget
>
> (In Administrator's shell)
> set TMP=C:\Users\Public\java_temp
> cd C:\Users\Public\Documents
> javac -cp .;C:\Progra~1\Java\jdk1.8.0_74\lib\tools.jar AttachClient.java
> java -cp .;C:\Progra~1\Java\jdk1.8.0_74\lib\tools.jar AttachClient
> (outputs 'Target ok: AttachTarget')
My updated patches target JDK 9, and include support for Linux,
Solaris, Mac OSX, and AIX. As far as tests are concerned, I'm not sure
how to add tests for this bug, since doing so would require the test to
be run as root. I am attaching the patches to this email, since I am not
an OpenJDK committer and do not have access to cr.openjdk.java.net.
Thanks,
Elliott
[1] http://mail.openjdk.java.net/pipermail/serviceability-dev/2013-June/010077.html
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1311638
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jdk-attach-root-v4.patch
Type: text/x-patch
Size: 5981 bytes
Desc: not available
URL: <http://mail.openjdk.java.net/pipermail/serviceability-dev/attachments/20160316/0d45c723/jdk-attach-root-v4-0001.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: hotspot-attach-root-v4.patch
Type: text/x-patch
Size: 6183 bytes
Desc: not available
URL: <http://mail.openjdk.java.net/pipermail/serviceability-dev/attachments/20160316/0d45c723/hotspot-attach-root-v4-0001.patch>