RFR 8197387: jcmd started by "root" must be allowed to access all VM processes
David Holmes
david.holmes at oracle.com
Fri May 25 01:49:01 UTC 2018
Hi Daniil,
All good points. All this (and other) discussion/justification should be
captured in the bug report - preferably before the RFR.
BTW I did not review the code.
Thanks,
David
On 25/05/2018 4:25 AM, Daniil Titov wrote:
> Hi David,
>
> In addition to what Thomas said, I just wanted to mention that currently jcmd started with elevated privileges ("sudo jcmd") already lists all VM processes running on the host machine, and the assumption is that every process in this list could be used by jcmd for further communication (e.g. "sudo jcmd <PID> help"). However, jcmd fails to connect to VMs from the list "sudo jcmd" returns if the VM process was started by another user. These changes were supposed to fix this inconsistency in jcmd behavior.
>
> Best regards,
> Daniil
>
>
> On 5/23/18, 9:55 PM, "Thomas Stüfe" <thomas.stuefe at gmail.com> wrote:
>
> Hi Daniil, David,
>
> I think this fix makes a lot of sense.
>
> First off, contacting a VM with foreign jcmd should not cause the VM
> to sputter out thread dumps, nor should jcmd hang and timeout after 10
> seconds (which it does). So I'd consider that a bug in any case.
>
> If the desired behavior is really that root shall not see and/or be
> able to contact VMs started from a different UID, then this should be
> handled gracefully and fast.
>
> However, I think we want jcmd started by root to see all processes and
> be able to contact all processes. It is not a security issue, we
> agree, yes? Since we are root anyway and can su to be everyone, it
> would be security-by-inconvenience :)
>
> So the only reason one would want to prevent root from seeing other
> users' processes is because one wants to see only root's processes.
> Like in a scenario where tons of processes run on a machine, only some
> of them root. But in my experience, this is not a common scenario. It
> is way more common (and expected behavior) to want to see everything
> as root.
>
> We have a very similar tool in our port (which may slowly phase out in
> favour of jcmd), and that tool behaves just like that: when root, you
> see everything and can contact everyone. Our support people need that
> too.
>
> Just my 5 cents.
>
> Thanks, Thomas
>
>
>
> On Thu, May 24, 2018 at 4:53 AM, David Holmes <david.holmes at oracle.com> wrote:
> > Hi Daniil,
> >
> > I'm not sure I can accept on face-value the proposition that root "must be
> > allowed to access all VM processes". I can see it may be convenient in some
> > cases. But is it really necessary? Is it always desirable? I'd like to know
> > what a sys admin might think of this. :)
> >
> > Further root can always "su" to another user and run jcmd that way.
> >
> > Cheers,
> > David
> >
> >
> > On 24/05/2018 11:11 AM, Daniil Titov wrote:
> >>
> >> Please review the changes that fix JDK-8197387.
> >>
> >> There are 2 problems here:
> >> 1. JVM ignores .attach_pid<pid> file if it is owned by a user different
> >> from the one that owns this JVM process
> >> 2. jcmd checks that .java_pid<pid> socket is owned by the same user that
> >> runs jcmd and reports an error otherwise
> >>
> >> The fix relaxes these checks to allow jcmd started by "root" (UID = 0)
> >> to access JVMs started by other users.
> >>
> >> Bug: https://bugs.openjdk.java.net/browse/JDK-8197387
> >> Webrev: http://cr.openjdk.java.net/~dtitov/8197387/webrev.01/
> >>
> >> Best regards,
> >> Daniil
> >>
> >>
> >
>
>
>
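The two ownership checks described in the original RFR, with the root exception applied to each, as an added illustration that is not the OpenJDK patch or code from anyone in the thread. The function names and sample UIDs are hypothetical, and the `lstat()`/regular-file test is extra hardening assumed for this sketch, not something the thread states.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Target JVM side (problem 1): honour a .attach_pid<pid> trigger file only
 * when it was created by the user running this JVM or, with the relaxed
 * rule, by root (UID 0). Any other owner is still ignored. */
bool trigger_owner_ok(uid_t file_uid, uid_t jvm_euid) {
    return file_uid == jvm_euid || file_uid == 0;
}

/* jcmd side (problem 2): accept the .java_pid<pid> socket when the caller
 * owns it, or when the caller itself is root. A non-root caller still
 * cannot use a socket that belongs to a different user. */
bool socket_owner_ok(uid_t sock_uid, uid_t client_euid) {
    return sock_uid == client_euid || client_euid == 0;
}

/* Apply the JVM-side rule to a path on disk. lstat() is used so a symlink
 * planted in a shared temp directory is judged on its own owner and type
 * rather than on whatever it points to (assumption of this sketch). */
bool trigger_file_ok(const char *path, uid_t jvm_euid) {
    struct stat st;
    if (lstat(path, &st) != 0) return false;   /* missing or unreadable */
    if (!S_ISREG(st.st_mode)) return false;    /* reject links, fifos, dirs */
    return trigger_owner_ok(st.st_uid, jvm_euid);
}

int main(void) {
    /* Constructed sample UIDs: two ordinary users and root. */
    const uid_t alice = 1000, bob = 1001, root = 0;

    printf("JVM(alice) accepts trigger from alice: %d\n", trigger_owner_ok(alice, alice));
    printf("JVM(alice) accepts trigger from root:  %d\n", trigger_owner_ok(root, alice));
    printf("JVM(alice) accepts trigger from bob:   %d\n", trigger_owner_ok(bob, alice));
    printf("jcmd(root) trusts alice's socket:      %d\n", socket_owner_ok(alice, root));
    printf("jcmd(bob) trusts alice's socket:       %d\n", socket_owner_ok(alice, bob));
    return 0;
}
```

The exception is one-directional in both checks: only UID 0 gains access, and a non-root user is refused exactly as before.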