RFR 8197387: jcmd started by "root" must be allowed to access all VM processes
Roger Riggs
Roger.Riggs at Oracle.com
Thu May 24 13:35:00 UTC 2018
Hi,
- The incantations for identifying valid accesses occur enough times that it
might be worth introducing a function to do the access check.
- With respect to "all processes" keep in mind that in containers like
Docker, all may not really be all.
Though I'm not sure that is worth a comment.
$.02, Roger
On 5/24/2018 12:54 AM, Thomas Stüfe wrote:
> Hi Daniil, David,
>
> I think this fix makes a lot of sense.
>
> First off, contacting a VM with foreign jcmd should not cause the VM
> to sputter out thread dumps, nor should jcmd hang and timeout after 10
> seconds (which it does). So I'd consider that a bug in any case.
>
> If the desired behavior is really that root shall not see and/or be
> able to contact VMs started from a different UID, then this should be
> handled gracefully and fast.
>
> However, I think we want jcmd started by root to see all processes and
> be able to contact all processes. It is not a security issue, we
> agree, yes? Since we are root anyway and can su to be everyone, it
> would be security-by-inconvenience :)
>
> So the only reason one would want to prevent root from seeing other
> user's processes is because one wants to see only root's processes.
> Like in a scenario where tons of processes run on a machine, only some
> of them root. But in my experience, this is not a common scenario. It
> is way more common (and expected behavior) to want to see everything
> as root.
>
> We have a very similar tool in our port (which may slowly phase out in
> favour of jcmd), and that tool behaves just like that: when root, you
> see everything and can contact everyone. Our support people need that
> too.
>
> Just my 5 cent.
>
> Thanks, Thomas
>
>
>
> On Thu, May 24, 2018 at 4:53 AM, David Holmes <david.holmes at oracle.com> wrote:
>> Hi Daniil,
>>
>> I'm not sure I can accept on face-value the proposition that root "must be
>> allowed to access all VM processes". I can see it may be convenient in some
>> cases. But is it really necessary? Is it always desirable? I'd like to know
>> what a sys admin might think of this. :)
>>
>> Further root can always "su" to another user and run jcmd that way.
>>
>> Cheers,
>> David
>>
>>
>> On 24/05/2018 11:11 AM, Daniil Titov wrote:
>>> Please review the changes that fix JDK-8197387.
>>>
>>> There are 2 problems here:
>>> 1. JVM ignores the .attach_pid<pid> file if it is owned by a user different
>>> from the one that owns this JVM process
>>> 2. jcmd checks that the .java_pid<pid> socket is owned by the same user that
>>> runs jcmd and reports an error otherwise
>>>
>>> The fix relaxes these checks to allow jcmd started by "root" (UID = 0)
>>> to access JVMs started by other users.
>>>
>>> Bug: https://bugs.openjdk.java.net/browse/JDK-8197387
>>> Webrev: http://cr.openjdk.java.net/~dtitov/8197387/webrev.01/
>>>
>>> Best regards,
>>> Daniil
>>>
>>>
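The two ownership checks Daniil describes, folded into the single access function Roger suggests, as an added C++ example that is not part of the webrev or of HotSpot's own code: the enum, `is_root`, `check_attach_access` and `make_stat` are my own names, and the file-type and write-permission tests are my assumptions about what such a check should cover.

```cpp
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#include <cstdio>

// Outcome of the attach-artifact access check (names are my own, not HotSpot's).
enum class AttachAccess { Allowed, AllowedAsRoot, WrongType, BadPermissions, OwnerMismatch };

// Hypothetical helper: root is identified by numeric UID 0 only. Inside a user
// namespace (e.g. a Docker container) UID 0 is not host root, which is the
// "all may not really be all" caveat from the thread.
static bool is_root(uid_t uid) { return uid == 0; }

// Decide whether a requester with effective uid/gid (euid, egid) may use an
// attach artifact described by `st`: the ".attach_pid<pid>" trigger file
// (want_socket == false) or the ".java_pid<pid>" socket (want_socket == true).
AttachAccess check_attach_access(const struct stat& st, bool want_socket,
                                 uid_t euid, gid_t egid) {
    // Wrong file type is refused even for root: a directory or other object
    // planted at that path is not something to act on.
    bool type_ok = want_socket ? S_ISSOCK(st.st_mode) : S_ISREG(st.st_mode);
    if (!type_ok) return AttachAccess::WrongType;
    // A group- or world-writable artifact could have been written by anyone.
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return AttachAccess::BadPermissions;
    // The pre-fix rule: only the owning user (and group) may attach.
    if (st.st_uid == euid && st.st_gid == egid) return AttachAccess::Allowed;
    // The relaxation under review: root may reach VMs started by other users.
    if (is_root(euid)) return AttachAccess::AllowedAsRoot;
    return AttachAccess::OwnerMismatch;
}

// Constructed stat entries standing in for real attach files (no filesystem access).
static struct stat make_stat(mode_t mode, uid_t uid, gid_t gid) {
    struct stat st{};
    st.st_mode = mode; st.st_uid = uid; st.st_gid = gid;
    return st;
}

int main() {
    // A VM owned by uid/gid 1000; requesters: the owner, another user, root.
    struct stat sock = make_stat(S_IFSOCK | 0600, 1000, 1000);
    std::printf("owner: %d\n", (int)check_attach_access(sock, true, 1000, 1000));
    std::printf("other: %d\n", (int)check_attach_access(sock, true, 1001, 1001));
    std::printf("root:  %d\n", (int)check_attach_access(sock, true, 0, 0));
    return 0;
}
```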