On Sat, 16 May 2026 00:19:02 GMT, Ashay Rane <[email protected]> wrote:
> Prior to this patch, when `userOnly` was true, the conflicting "allow" > entry (for the owner) and "deny" entry (for groups that the owner is a > member of) resulted in the owner being denied access since the "deny" > entry takes precedence. This resulted in RmiBootstrapTest and > RmiSslNoKeyStoreTest tests failing with an "Access Denied" error. > > In reality, the "deny" entry is not required, since Windows grants > access only when an explicit "allow" entry matches the requesting > principal. So this patch fixes the ACLs so that when `userOnly` is > true, only the owner has "allow" access. Principals without a matching > "allow" entry are denied access, thus restricting access without risking > a group "deny" entry overriding the owner's access. > > This patch also fixes the case when `userOnly` is false so that it > doesn't inadvertently deny access when a principal didn't already have > an ACL entry for the file. > > --------- > - [x] I confirm that I make this contribution in accordance with the [OpenJDK > Interim AI Policy](https://openjdk.org/legal/ai). On the surface this looks okay, and is local and only impacts the tests in test/jdk/sun/management/jmxremote/bootstrap. The existing test code, to revoke access, has been there for many years so it's kinda surprising this is coming up now. (I'm in two minds as to whether JDK-8296718 was a good idea or not as this isn't as general purpose as it seems, it is very specific to the permissions for the jmxremote config). ------------- PR Comment: https://git.openjdk.org/jdk/pull/31179#issuecomment-4466207343
