RFR 8197387: jcmd started by "root" must be allowed to access all VM processes

Thomas Stüfe thomas.stuefe at gmail.com
Thu May 24 04:54:58 UTC 2018


Hi Daniil, David,

I think this fix makes a lot of sense.

First off, contacting a VM with a foreign jcmd should not cause the VM
to sputter out thread dumps, nor should jcmd hang and time out after 10
seconds (which it does). So I'd consider that a bug in any case.

If the desired behavior is really that root shall not see and/or be
able to contact VMs started from a different UID, then this should be
handled gracefully and fast.

However, I think we want jcmd started by root to see all processes and
be able to contact all processes. It is not a security issue, we
agree, yes? Since we are root anyway and can su to be everyone, it
would be security-by-inconvenience :)

So the only reason one would want to prevent root from seeing other
users' processes is because one wants to see only root's processes.
Like in a scenario where tons of processes run on a machine, only some
of them root. But in my experience, this is not a common scenario. It
is way more common (and expected behavior) to want to see everything
as root.

We have a very similar tool in our port (which may slowly phase out in
favour of jcmd), and that tool behaves just like that: when root, you
see everything and can contact everyone. Our support people need that
too.

Just my 5 cents.

Thanks, Thomas



On Thu, May 24, 2018 at 4:53 AM, David Holmes <david.holmes at oracle.com> wrote:
> Hi Daniil,
>
> I'm not sure I can accept on face-value the proposition that root "must be
> allowed to access all VM processes". I can see it may be convenient in some
> cases. But is it really necessary? Is it always desirable? I'd like to know
> what a sys admin might think of this. :)
>
> Further root can always "su" to another user and run jcmd that way.
>
> Cheers,
> David
>
>
> On 24/05/2018 11:11 AM, Daniil Titov wrote:
>>
>> Please review the changes that fix JDK-8197387.
>>
>> There are 2 problems here:
>> 1. JVM ignores the .attach_pid<pid> file if it is owned by a user different
>> from the one that owns this JVM process
>> 2. jcmd checks that .java_pid<pid> socket is owned by the same user that
>> runs jcmd and reports an error otherwise
>>
>> The fix relaxes these checks to allow jcmd started by "root" (UID = 0)
>> to access JVMs started by other users.
>>
>> Bug: https://bugs.openjdk.java.net/browse/JDK-8197387
>> Webrev: http://cr.openjdk.java.net/~dtitov/8197387/webrev.01/
>>
>> Best regards,
>> Daniil
>>
>>
>
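
The two ownership checks described in the review request, with the strict form beside the root-relaxed form, as an added illustration that is not the webrev's code. All function names are hypothetical, and the model assumes the trigger file is created by the client and the socket by the target VM.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Hypothetical helpers modelling the two checks; not HotSpot or jcmd source. */

/* VM side, strict: honour .attach_pid<pid> only if owned by the VM's effective UID. */
static bool vm_accepts_trigger_strict(const struct stat *st, uid_t vm_euid) {
    return st->st_uid == vm_euid;
}

/* VM side, relaxed: additionally honour a trigger file owned by root (UID 0). */
static bool vm_accepts_trigger_relaxed(const struct stat *st, uid_t vm_euid) {
    return st->st_uid == vm_euid || st->st_uid == 0;
}

/* Client side, strict: .java_pid<pid> must be owned by the user running the tool. */
static bool client_accepts_socket_strict(const struct stat *st, uid_t client_euid) {
    return st->st_uid == client_euid;
}

/* Client side, relaxed: only a root client (UID 0) skips the owner comparison. */
static bool client_accepts_socket_relaxed(const struct stat *st, uid_t client_euid) {
    return client_euid == 0 || st->st_uid == client_euid;
}

/* An attach goes through only if both sides accept. */
static bool attach_allowed(uid_t client_euid, uid_t vm_euid, bool relaxed) {
    struct stat trigger = {0}, sock = {0};
    trigger.st_uid = client_euid; /* assumption: trigger file created by the client */
    sock.st_uid = vm_euid;        /* assumption: socket created by the target VM */
    if (relaxed)
        return vm_accepts_trigger_relaxed(&trigger, vm_euid) &&
               client_accepts_socket_relaxed(&sock, client_euid);
    return vm_accepts_trigger_strict(&trigger, vm_euid) &&
           client_accepts_socket_strict(&sock, client_euid);
}

int main(void) {
    /* Constructed sample UIDs: 0 = root, 1000 and 1001 = ordinary users. */
    printf("root -> uid 1000 VM, strict:  %d\n", attach_allowed(0, 1000, false));
    printf("root -> uid 1000 VM, relaxed: %d\n", attach_allowed(0, 1000, true));
    printf("1001 -> uid 1000 VM, relaxed: %d\n", attach_allowed(1001, 1000, true));
    return 0;
}
```

The relaxation is keyed on UID 0 only, so one ordinary user still cannot attach to another user's VM, and an ordinary user still cannot attach to a VM running as root.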

