RFR 8197387: jcmd started by "root" must be allowed to access all VM processes
Thomas Stüfe
thomas.stuefe at gmail.com
Fri May 25 05:51:46 UTC 2018
Hi Daniil,
here is my review:
- Like Roger I would prefer to have the uid checks factored out. At
least for the hotspot coding, I do not know where to put it in jdk
coding. For the hotspot parts, I would add something like:
os::Posix::is_root(uid_t uid) ;
os::Posix::matches_effective_uid_or_root(uid_t uid) // return
isroot(uid) || uid == geteuid
os::Posix::matches_effective_group_id(gid_t gid) // return gid == getegid
to os_posix.hpp/os_posix.cpp
Other than that, the changes make sense.
Kind Regards, Thomas
On Thu, May 24, 2018 at 3:11 AM, Daniil Titov <daniil.x.titov at oracle.com> wrote:
> Please review the changes that fix JDK-8197387.
>
> There are 2 problems here:
> 1. JVM ignores .attach_pid<pid> file if it is owned by the user different from the one that owns this JVM process
> 2. jcmd checks that .java_pid<pid> socket is owned by the same user that runs jcmd and reports an error otherwise
>
> The fix relaxes these checks to allow jcmd started by "root" (UID = 0) access JVMs started by another users.
>
> Bug: https://bugs.openjdk.java.net/browse/JDK-8197387
> Webrev: http://cr.openjdk.java.net/~dtitov/8197387/webrev.01/
>
> Best regards,
> Daniil
>
>
More information about the serviceability-dev
mailing list