
List:       openjdk-serviceability-dev
Subject:    Re: [PATCH] JDK-8036559: Attach API does not allow root to connect to process owned by others
From:       Elliott Baron <ebaron () redhat ! com>
Date:       2016-03-21 15:00:26
Message-ID: 56F00C8A.9010509 () redhat ! com

Hi Dmitry,

On 17/03/16 04:58 AM, Dmitry Samersoff wrote:
> Elliott,
>
> I'll take care of the CR.
>
> But as soon as the changes have security implications we should carefully
> evaluate possible side effects. So it takes some time.
>
> -Dmitry
>

Thanks, let me know if there is anything I can do to help.

Elliott

>
> On 2016-03-17 00:27, Elliott Baron wrote:
>> Hi,
>>
>> I've been working on an updated patch for JDK-8036559, where root does
>> not have the ability to attach to unprivileged users' JVMs. I originally
>> mentioned this problem back in 2013, and proposed a patch only for Linux
>> [1]. The result was that the fix had to provide support for all affected
>> platforms, and to include tests.
>>
>> We worked around this issue in our project, but I revisited this bug
>> recently. I investigated the issue on Windows, which has a very
>> different implementation from the other platforms. I discovered that
>> this bug does not appear to affect Windows. Using the test programs
>> attached to Red Hat Bugzilla bug #1311638 [2], I verified the correct
>> behaviour using the following steps:
>>> (Open cmd.exe)
>>> runas /user:test cmd.exe
>>> runas /user:Administrator cmd.exe
>>>
>>> (In test's shell)
>>> set TMP=C:\Users\Public\java_temp
>>> cd C:\Users\Public\Documents
>>> javac AttachTarget.java
>>> java AttachTarget
>>>
>>> (In Administrator's shell)
>>> set TMP=C:\Users\Public\java_temp
>>> cd C:\Users\Public\Documents
>>> javac -cp .;C:\Progra~1\Java\jdk1.8.0_74\lib\tools.jar AttachClient.java
>>> java -cp .;C:\Progra~1\Java\jdk1.8.0_74\lib\tools.jar AttachClient
>>> (outputs 'Target ok: AttachTarget')
>> My updated patches target JDK 9, and include support for Linux,
>> Solaris, Mac OSX, and AIX. As far as tests are concerned, I'm not sure
>> how to add tests for this bug, since doing so would require the test to
>> be run as root. I am attaching the patches to this email, since I am not
>> an OpenJDK committer and do not have access to cr.openjdk.java.net.
>>
>> Thanks,
>> Elliott
>>
>> [1]
>> http://mail.openjdk.java.net/pipermail/serviceability-dev/2013-June/010077.html
>>
>> [2] https://bugzilla.redhat.com/show_bug.cgi?id=1311638
>
