RFR 8197387: jcmd started by "root" must be allowed to access all VM processes

Daniil Titov daniil.x.titov at oracle.com
Thu May 24 18:25:30 UTC 2018


Hi David,

In addition to what Thomas said, I just wanted to mention that currently jcmd started with elevated privileges ("sudo jcmd") already lists all VM processes running on the host machine, and the assumption is that every process in this list could be used by jcmd for further communication (e.g. "sudo jcmd <PID> help"). However, jcmd fails to connect to VMs from the list "sudo jcmd" returns if the VM process was started by another user. These changes were supposed to fix this inconsistency in jcmd behavior.

Best regards,
Daniil


On 5/23/18, 9:55 PM, "Thomas Stüfe" <thomas.stuefe at gmail.com> wrote:

    Hi Daniil, David,
    
    I think this fix makes a lot of sense.
    
    First off, contacting a VM with foreign jcmd should not cause the VM
    to sputter out thread dumps, nor should jcmd hang and timeout after 10
    seconds (which it does). So I'd consider that a bug in any case.
    
    If the desired behavior is really that root shall not see and/or be
    able to contact VMs started from a different UID, then this should be
    handled gracefully and fast.
    
    However, I think we want jcmd started by root to see all processes and
    be able to contact all processes. It is not a security issue, we
    agree, yes? Since we are root anyway and can su to be everyone, it
    would be security-by-inconvenience :)
    
    So the only reason one would want to prevent root from seeing other
    user's processes is because one wants to see only root's processes.
    Like in a scenario where tons of processes run on a machine, only some
    of them root. But in my experience, this is not a common scenario. It
    is way more common (and expected behavior) to want to see everything
    as root.
    
    We have a very similar tool in our port (which may slowly phase out in
    favour of jcmd), and that tool behaves just like that: when root, you
    see everything and can contact everyone. Our support people need that
    too.
    
    Just my 5 cent.
    
    Thanks, Thomas
    
    
    
    On Thu, May 24, 2018 at 4:53 AM, David Holmes <david.holmes at oracle.com> wrote:
    > Hi Daniil,
    >
    > I'm not sure I can accept on face-value the proposition that root "must be
    > allowed to access all VM processes". I can see it may be convenient in some
    > cases. But is it really necessary? Is it always desirable? I'd like to know
    > what a sys admin might think of this. :)
    >
    > Further root can always "su" to another user and run jcmd that way.
    >
    > Cheers,
    > David
    >
    >
    > On 24/05/2018 11:11 AM, Daniil Titov wrote:
    >>
    >> Please review the changes that fix JDK-8197387.
    >>
    >> There are 2 problems here:
    >> 1. JVM ignores the .attach_pid<pid> file if it is owned by a user different
    >> from the one that owns this JVM process
    >> 2. jcmd checks that the .java_pid<pid> socket is owned by the same user that
    >> runs jcmd and reports an error otherwise
    >>
    >> The fix relaxes these checks to allow jcmd started by "root" (UID = 0)
    >> to access JVMs started by other users.
    >>
    >> Bug: https://bugs.openjdk.java.net/browse/JDK-8197387
    >> Webrev: http://cr.openjdk.java.net/~dtitov/8197387/webrev.01/
    >>
    >> Best regards,
    >> Daniil
    >>
    >>
    >
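
The two ownership checks described in the review request, in strict and root-relaxed form, as an added example that is not code from the webrev, HotSpot or jcmd. All function names and sample UIDs are hypothetical, and the lstat()/regular-file test is an assumption of this sketch rather than something the thread states.

```c
/* Added illustration; not HotSpot or jcmd source. All names are hypothetical. */
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* JVM side: honour a trigger file (.attach_pid<pid>) only if its owner is
 * the JVM's own user, or root when allow_root is set. */
static int jvm_accepts_trigger(uid_t file_uid, uid_t jvm_uid, int allow_root) {
    return file_uid == jvm_uid || (allow_root && file_uid == 0);
}

/* Tool side: use the socket (.java_pid<pid>) only if its owner is the
 * calling user, or the caller is root when allow_root is set. */
static int jcmd_accepts_socket(uid_t sock_uid, uid_t caller_uid, int allow_root) {
    return sock_uid == caller_uid || (allow_root && caller_uid == 0);
}

/* Stat a trigger file and apply the JVM-side rule. Using lstat() and
 * requiring a regular file are assumptions of this sketch: the link or
 * special file itself is judged, never whatever it points to. */
static int trigger_file_ok(const char *path, uid_t jvm_uid, int allow_root) {
    struct stat st;
    if (lstat(path, &st) != 0) return 0;   /* missing or unreadable */
    if (!S_ISREG(st.st_mode)) return 0;    /* symlink, socket, directory, ... */
    return jvm_accepts_trigger(st.st_uid, jvm_uid, allow_root);
}

int main(void) {
    uid_t app = 1000, other = 1001;        /* constructed sample UIDs */
    printf("check                          strict relaxed\n");
    printf("JVM(app):  file owned by app   %d      %d\n",
           jvm_accepts_trigger(app, app, 0), jvm_accepts_trigger(app, app, 1));
    printf("JVM(app):  file owned by root  %d      %d\n",
           jvm_accepts_trigger(0, app, 0), jvm_accepts_trigger(0, app, 1));
    printf("JVM(app):  file owned by other %d      %d\n",
           jvm_accepts_trigger(other, app, 0), jvm_accepts_trigger(other, app, 1));
    printf("jcmd(root): socket owned by app %d      %d\n",
           jcmd_accepts_socket(app, 0, 0), jcmd_accepts_socket(app, 0, 1));
    printf("jcmd(other): socket owned by app %d      %d\n",
           jcmd_accepts_socket(app, other, 0), jcmd_accepts_socket(app, other, 1));
    return 0;
}
```

In this sketch the relaxed rule widens each check by exactly one principal (UID 0); a second unprivileged user is rejected under both policies.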
    
