Hi,
- The incantations for identifying valid accesses occur enough times
that it might be worth introducing a function to do the access check.
- With respect to "all processes" keep in mind that in containers like
Docker, all may not really be all.
Though I'm not sure that is worth a comment.
$.02, Roger
On 5/24/2018 12:54 AM, Thomas Stüfe wrote:
Hi Daniil, David,
I think this fix makes a lot of sense.
First off, contacting a VM with foreign jcmd should not cause the VM
to sputter out thread dumps, nor should jcmd hang and timeout after 10
seconds (which it does). So I'd consider that a bug in any case.
If the desired behavior is really that root shall not see and/or be
able to contact VMs started from a different UID, then this should be
handled gracefully and fast.
However, I think we want jcmd started by root to see all processes and
be able to contact all processes. It is not a security issue, we
agree, yes? Since we are root anyway and can su to be everyone, it
would be security-by-inconvenience :)
So the only reason one would want to prevent root from seeing other
users' processes is because one wants to see only root's processes.
Like in a scenario where tons of processes run on a machine, only some
of them root. But in my experience, this is not a common scenario. It
is way more common (and expected behavior) to want to see everything
as root.
We have a very similar tool in our port (which may slowly phase out in
favour of jcmd), and that tool behaves just like that: when root, you
see everything and can contact everyone. Our support people need that
too.
Just my 5 cents.
Thanks, Thomas
On Thu, May 24, 2018 at 4:53 AM, David Holmes <david.hol...@oracle.com> wrote:
Hi Daniil,
I'm not sure I can accept on face-value the proposition that root "must be
allowed to access all VM processes". I can see it may be convenient in some
cases. But is it really necessary? Is it always desirable? I'd like to know
what a sys admin might think of this. :)
Further root can always "su" to another user and run jcmd that way.
Cheers,
David
On 24/05/2018 11:11 AM, Daniil Titov wrote:
Please review the changes that fix JDK-8197387.
There are 2 problems here:
1. JVM ignores .attach_pid<pid> file if it is owned by a user different
from the one that owns this JVM process
2. jcmd checks that .java_pid<pid> socket is owned by the same user that
runs jcmd and reports an error otherwise
The fix relaxes these checks to allow jcmd started by "root" (UID = 0)
to access JVMs started by other users.
Bug: https://bugs.openjdk.java.net/browse/JDK-8197387
Webrev: http://cr.openjdk.java.net/~dtitov/8197387/webrev.01/
Best regards,
Daniil