Hi Dmitry,

On 17/03/16 04:58 AM, Dmitry Samersoff wrote:
Elliott,

I'll take care of the CR.

But as soon as the changes have security implications we should carefully
evaluate possible side effects. So it takes some time.

-Dmitry


Thanks, let me know if there is anything I can do to help.

Elliott


On 2016-03-17 00:27, Elliott Baron wrote:
Hi,

I've been working on an updated patch for JDK-8036559, where root does
not have the ability to attach to unprivileged users' JVMs. I originally
mentioned this problem back in 2013, and proposed a patch only for Linux
[1]. The result was that the fix had to provide support for all affected
platforms, and to include tests.

We worked around this issue in our project, but I revisited this bug
recently. I investigated the issue on Windows, which has a very
different implementation from the other platforms. I discovered that
this bug does not appear to affect Windows. Using the test programs
attached to Red Hat Bugzilla bug #1311638 [2], I verified the correct
behaviour using the following steps:
(Open cmd.exe)
runas /user:test cmd.exe
runas /user:Administrator cmd.exe

(In test's shell)
set TMP=C:\Users\Public\java_temp
cd C:\Users\Public\Documents
javac AttachTarget.java
java AttachTarget

(In Administrator's shell)
set TMP=C:\Users\Public\java_temp
cd C:\Users\Public\Documents
javac -cp .;C:\Progra~1\Java\jdk1.8.0_74\lib\tools.jar AttachClient.java
java -cp .;C:\Progra~1\Java\jdk1.8.0_74\lib\tools.jar AttachClient
(outputs 'Target ok: AttachTarget')

My updated patches target JDK 9, and include support for Linux,
Solaris, Mac OSX, and AIX. As far as tests are concerned, I'm not sure
how to add tests for this bug, since doing so would require the test to
be run as root. I am attaching the patches to this email, since I am not
an OpenJDK committer and do not have access to cr.openjdk.java.net.

Thanks,
Elliott

[1]
http://mail.openjdk.java.net/pipermail/serviceability-dev/2013-June/010077.html

[2] https://bugzilla.redhat.com/show_bug.cgi?id=1311638

