[ 
https://issues.apache.org/jira/browse/DAEMON-318?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15575115#comment-15575115
 ] 

Wil Evers commented on DAEMON-318:
----------------------------------

Any movement here? This issue is not just causing annoyance for users; a daemon 
process with an unexpected umask is a potential security issue.

> children (controller) process doesn't use correct umask value
> -------------------------------------------------------------
>
>                 Key: DAEMON-318
>                 URL: https://issues.apache.org/jira/browse/DAEMON-318
>             Project: Commons Daemon
>          Issue Type: Bug
>          Components: Jsvc
>    Affects Versions: 1.0.15
>         Environment: Centos 6.5: 
> Linux staging 2.6.32-431.17.1.el6.x86_64 #1 SMP Wed May 7 23:32:49 UTC 2014 
> x86_64 x86_64 x86_64 GNU/Linux
> Java 7:
> java version "1.7.0_55"
> OpenJDK Runtime Environment (rhel-2.4.7.1.el6_5-x86_64 u55-b13)
> OpenJDK 64-Bit Server VM (build 24.51-b03, mixed mode)
> selinux enabled
> tomcat 7.0.54
> jsvc compiled from tar.gz in /bin
> build tools from distribution
> starting tomcat via daemon.sh start
> setenv.sh:
> {noformat}
> #!/bin/sh
> JSVC_OPTS="-umask 002"
> CATALINA_OPTS="$CATALINA_OPTS -server -Xms512m -Xmx1024m -XX:MaxPermSize=512m 
> -Djava.awt.headless=true"
> export CATALINA_OPTS
> export JSVC_OPTS
> {noformat}
>            Reporter: Tiago Oliveira
>            Priority: Minor
>         Attachments: UmaskBugReproducer.java, umask.patch
>
>
> Expected behavior:
> after issuing -umask 002 to JSVC (with -tomcat-user != root, e.g. "tomcat"), 
> child process (controller) has umask = 2
> Actual behavior:
> root process has umask = 2
> child process has umask = 18
> After running daemon start:
> {noformat}
> NOTICE: jsvc umask of 002 allows write permission to group and/or other
> {noformat}
> Running instances:
> {noformat}
> # ps aux | grep jsvc
> root     11410  0.0  0.0  10436   480 ?        Ss   09:30   0:00 jsvc.exec 
> -umask 002 -java-home /usr/lib/jvm/java-1.7.0 -user tomcat -pidfile 
> /opt/apache/tomcat7/logs/catalina-daemon.pid -wait 10 -outfile 
> /opt/apache/tomcat7/logs/catalina-daemon.out -errfile &1 -classpath 
> /opt/apache/tomcat7/bin/bootstrap.jar:/opt/apache/tomcat7/bin/commons-daemon.jar:/opt/apache/tomcat7/bin/tomcat-juli.jar
>  -Djava.util.logging.config.file=/opt/apache/tomcat7/conf/logging.properties 
> -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -server 
> -Xms512m -Xmx1024m -XX:MaxPermSize=512m -Djava.awt.headless=true 
> -Djava.endorsed.dirs= -Dcatalina.base=/opt/apache/tomcat7 
> -Dcatalina.home=/opt/apache/tomcat7 -Djava.io.tmpdir=/opt/apache/tomcat7/temp 
> org.apache.catalina.startup.Bootstrap
> tomcat   11411 89.9 26.7 3919288 1048692 ?     Sl   09:30   1:24 jsvc.exec 
> -umask 002 -java-home /usr/lib/jvm/java-1.7.0 -user tomcat -pidfile 
> /opt/apache/tomcat7/logs/catalina-daemon.pid -wait 10 -outfile 
> /opt/apache/tomcat7/logs/catalina-daemon.out -errfile &1 -classpath 
> /opt/apache/tomcat7/bin/bootstrap.jar:/opt/apache/tomcat7/bin/commons-daemon.jar:/opt/apache/tomcat7/bin/tomcat-juli.jar
>  -Djava.util.logging.config.file=/opt/apache/tomcat7/conf/logging.properties 
> -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -server 
> -Xms512m -Xmx1024m -XX:MaxPermSize=512m -Djava.awt.headless=true 
> -Djava.endorsed.dirs= -Dcatalina.base=/opt/apache/tomcat7 
> -Dcatalina.home=/opt/apache/tomcat7 -Djava.io.tmpdir=/opt/apache/tomcat7/temp 
> org.apache.catalina.startup.Bootstrap
> {noformat}
> GDB output:
> {noformat}
> # gdb --pid=11410
> GNU gdb (GDB) Red Hat Enterprise Linux (7.2-60.el6_4.1)
> Copyright (C) 2010 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
> and "show warranty" for details.
> This GDB was configured as "x86_64-redhat-linux-gnu".
> For bug reporting instructions, please see:
> <http://www.gnu.org/software/gdb/bugs/>.
> Attaching to process 11410
> Reading symbols from 
> /opt/apache/apache-tomcat-7.0.54/bin/commons-daemon-1.0.15-native-src/unix/jsvc...done.
> Reading symbols from /lib64/libdl.so.2...(no debugging symbols found)...done.
> Loaded symbols for /lib64/libdl.so.2
> Reading symbols from /lib64/libpthread.so.0...(no debugging symbols 
> found)...done.
> [Thread debugging using libthread_db enabled]
> Loaded symbols for /lib64/libpthread.so.0
> Reading symbols from /lib64/libc.so.6...(no debugging symbols found)...done.
> Loaded symbols for /lib64/libc.so.6
> Reading symbols from /lib64/ld-linux-x86-64.so.2...(no debugging symbols 
> found)...done.
> Loaded symbols for /lib64/ld-linux-x86-64.so.2
> Reading symbols from /lib64/libnss_files.so.2...(no debugging symbols 
> found)...done.
> Loaded symbols for /lib64/libnss_files.so.2
> 0x00007fe71666e26e in waitpid () from /lib64/libpthread.so.0
> Missing separate debuginfos, use: debuginfo-install 
> glibc-2.12-1.132.el6_5.2.x86_64
> (gdb) call umask(0)
> $1 = 2
> (gdb) call umask(2)
> $2 = 0
> (gdb) quit
> A debugging session is active.
> # gdb --pid=11411
> GNU gdb (GDB) Red Hat Enterprise Linux (7.2-60.el6_4.1)
> Copyright (C) 2010 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
> and "show warranty" for details.
> This GDB was configured as "x86_64-redhat-linux-gnu".
> For bug reporting instructions, please see:
> <http://www.gnu.org/software/gdb/bugs/>.
> Attaching to process 11411
> Reading symbols from 
> /opt/apache/apache-tomcat-7.0.54/bin/commons-daemon-1.0.15-native-src/unix/jsvc...done.
> Reading symbols from /lib64/libdl.so.2...(no debugging symbols found)...done.
> Loaded symbols for /lib64/libdl.so.2
> Reading symbols from /lib64/libpthread.so.0...(no debugging symbols 
> found)...done.
> [Thread debugging using libthread_db enabled]
> Loaded symbols for /lib64/libpthread.so.0
> Reading symbols from /lib64/libc.so.6...(no debugging symbols found)...done.
> Loaded symbols for /lib64/libc.so.6
> Reading symbols from /lib64/ld-linux-x86-64.so.2...(no debugging symbols 
> found)...done.
> Loaded symbols for /lib64/ld-linux-x86-64.so.2
> Reading symbols from /lib64/libnss_files.so.2...(no debugging symbols 
> found)...done.
> Loaded symbols for /lib64/libnss_files.so.2
> Reading symbols from 
> /usr/lib/jvm/java-1.7.0/jre/lib/amd64/server/libjvm.so...(no debugging 
> symbols found)...done.
> Loaded symbols for /usr/lib/jvm/java-1.7.0/jre/lib/amd64/server/libjvm.so
> Reading symbols from /usr/lib64/libstdc++.so.6...(no debugging symbols 
> found)...done.
> Loaded symbols for /usr/lib64/libstdc++.so.6
> Reading symbols from /lib64/libm.so.6...(no debugging symbols found)...done.
> Loaded symbols for /lib64/libm.so.6
> Reading symbols from /lib64/libgcc_s.so.1...(no debugging symbols 
> found)...done.
> Loaded symbols for /lib64/libgcc_s.so.1
> Reading symbols from /lib64/librt.so.1...(no debugging symbols found)...done.
> Loaded symbols for /lib64/librt.so.1
> Reading symbols from 
> /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.55.x86_64/jre/lib/amd64/libverify.so...(no
>  debugging symbols found)...done.
> Loaded symbols for 
> /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.55.x86_64/jre/lib/amd64/libverify.so
> Reading symbols from 
> /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.55.x86_64/jre/lib/amd64/libjava.so...(no
>  debugging symbols found)...done.
> Loaded symbols for 
> /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.55.x86_64/jre/lib/amd64/libjava.so
> Reading symbols from 
> /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.55.x86_64/jre/lib/amd64/libzip.so...(no 
> debugging symbols found)...done.
> Loaded symbols for 
> /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.55.x86_64/jre/lib/amd64/libzip.so
> Reading symbols from /lib64/libz.so.1...(no debugging symbols found)...done.
> Loaded symbols for /lib64/libz.so.1
> Reading symbols from 
> /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.55.x86_64/jre/lib/amd64/libnio.so...(no 
> debugging symbols found)...done.
> Loaded symbols for 
> /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.55.x86_64/jre/lib/amd64/libnio.so
> Reading symbols from 
> /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.55.x86_64/jre/lib/amd64/libnet.so...(no 
> debugging symbols found)...done.
> Loaded symbols for 
> /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.55.x86_64/jre/lib/amd64/libnet.so
> Reading symbols from 
> /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.55.x86_64/jre/lib/amd64/libmanagement.so...(no
>  debugging symbols found)...done.
> Loaded symbols for 
> /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.55.x86_64/jre/lib/amd64/libmanagement.so
> Reading symbols from 
> /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.55.x86_64/jre/lib/amd64/libj2pkcs11.so...(no
>  debugging symbols found)...done.
> Loaded symbols for 
> /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.55.x86_64/jre/lib/amd64/libj2pkcs11.so
> Reading symbols from /usr/lib64/libnss3.so...(no debugging symbols 
> found)...done.
> Loaded symbols for /usr/lib64/libnss3.so
> Reading symbols from /usr/lib64/libnssutil3.so...(no debugging symbols 
> found)...done.
> Loaded symbols for /usr/lib64/libnssutil3.so
> Reading symbols from /lib64/libplc4.so...(no debugging symbols found)...done.
> Loaded symbols for /lib64/libplc4.so
> Reading symbols from /lib64/libplds4.so...(no debugging symbols found)...done.
> Loaded symbols for /lib64/libplds4.so
> Reading symbols from /lib64/libnspr4.so...(no debugging symbols found)...done.
> Loaded symbols for /lib64/libnspr4.so
> Reading symbols from /usr/lib64/libsoftokn3.so...(no debugging symbols 
> found)...done.
> Loaded symbols for /usr/lib64/libsoftokn3.so
> Reading symbols from /usr/lib64/libsqlite3.so.0...(no debugging symbols 
> found)...done.
> Loaded symbols for /usr/lib64/libsqlite3.so.0
> Reading symbols from /usr/lib64/libfreebl3.so...(no debugging symbols 
> found)...done.
> Loaded symbols for /usr/lib64/libfreebl3.so
> Reading symbols from /lib64/libnss_dns.so.2...(no debugging symbols 
> found)...done.
> Loaded symbols for /lib64/libnss_dns.so.2
> Reading symbols from /lib64/libresolv.so.2...(no debugging symbols 
> found)...done.
> Loaded symbols for /lib64/libresolv.so.2
> Reading symbols from 
> /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.55.x86_64/jre/lib/amd64/libawt.so...(no 
> debugging symbols found)...done.
> Loaded symbols for 
> /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.55.x86_64/jre/lib/amd64/libawt.so
> Reading symbols from 
> /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.55.x86_64/jre/lib/amd64/headless/libmawt.so...(no
>  debugging symbols found)...done.
> Loaded symbols for 
> /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.55.x86_64/jre/lib/amd64/headless/libmawt.so
> Reading symbols from 
> /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.55.x86_64/jre/lib/amd64/libfontmanager.so...(no
>  debugging symbols found)...done.
> Loaded symbols for 
> /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.55.x86_64/jre/lib/amd64/libfontmanager.so
> Reading symbols from /usr/lib64/libfreetype.so.6...(no debugging symbols 
> found)...done.
> Loaded symbols for /usr/lib64/libfreetype.so.6
> Reading symbols from 
> /opt/apache/apache-tomcat-7.0.54/temp/jna/jna3638365466690122373.tmp...done.
> Loaded symbols for 
> /opt/apache/apache-tomcat-7.0.54/temp/jna/jna3638365466690122373.tmp
> 0x00007fe716377ced in nanosleep () from /lib64/libc.so.6
> Missing separate debuginfos, use: debuginfo-install 
> freetype-2.3.11-14.el6_3.1.x86_64 glibc-2.12-1.132.el6_5.2.x86_64 
> java-1.7.0-openjdk-1.7.0.55-2.4.7.1.el6_5.x86_64 libgcc-4.4.7-4.el6.x86_64 
> libstdc++-4.4.7-4.el6.x86_64 nspr-4.10.2-1.el6_5.x86_64 
> nss-3.15.3-6.el6_5.x86_64 nss-softokn-3.14.3-10.el6_5.x86_64 
> nss-softokn-freebl-3.14.3-10.el6_5.x86_64 nss-util-3.15.3-1.el6_5.x86_64 
> sqlite-3.6.20-1.el6.x86_64 zlib-1.2.3-29.el6.x86_64
> (gdb) call umask(0)
> $1 = 18
> (gdb) call umask(18)
> $2 = 0
> (gdb) quit
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
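
The following C program is an added example, not part of the original message or of the jsvc sources. It shows that the umask is per-process state inherited across fork(), reports the umask a forked child actually has together with the permission bits of a file that child creates, and makes explicit that the decimal 18 printed by gdb is octal 022. The names read_umask and probe_child and the /tmp/umask-probe-<pid> path are assumptions made for the example.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* umask() can only be read by setting it, so restore it at once
   (the gdb session does the same: call umask(0), then call umask(old)). */
static mode_t read_umask(void) {
    mode_t old = umask(0);
    umask(old);
    return old;
}

/* Fork a child. If set_in_child is nonzero the child applies `wanted` itself,
   otherwise it keeps whatever it inherited. The child creates a file asking
   for mode 0666 and reports out[0] = its umask, out[1] = the file's
   permission bits. Returns 0 on success, -1 on error. */
static int probe_child(mode_t wanted, int set_in_child, mode_t out[2]) {
    int fds[2];
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {
        char path[64];
        struct stat st;
        mode_t res[2] = {0, 0};
        if (set_in_child) umask(wanted);
        res[0] = read_umask();
        snprintf(path, sizeof path, "/tmp/umask-probe-%ld", (long)getpid());
        int fd = open(path, O_CREAT | O_EXCL | O_WRONLY, 0666);
        if (fd >= 0 && fstat(fd, &st) == 0) res[1] = st.st_mode & 0777;
        if (fd >= 0) { close(fd); unlink(path); }
        _exit(write(fds[1], res, sizeof res) == (ssize_t)sizeof res ? 0 : 1);
    }
    close(fds[1]);
    ssize_t n = read(fds[0], out, 2 * sizeof(mode_t));
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return n == (ssize_t)(2 * sizeof(mode_t)) ? 0 : -1;
}

int main(void) {
    mode_t r[2];
    umask(022); /* constructed starting state: gdb's decimal 18 is octal 022 */
    if (probe_child(002, 0, r) == 0) printf("inherited:    umask %03o -> file %03o\n", (unsigned)r[0], (unsigned)r[1]);
    if (probe_child(002, 1, r) == 0) printf("set in child: umask %03o -> file %03o\n", (unsigned)r[0], (unsigned)r[1]);
    return 0;
}
```

Checking the mode of a file the daemon user actually creates is a way to confirm the effective umask on kernels where attaching a debugger is not an option.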
