Bug#1034392: Acknowledgement (tomcat9: jstack/jcmd broken for non-root users with tomcat9+jdk11 or greater)
Vladimir Petko
vladimir.petko at canonical.com
Wed Apr 19 22:03:37 BST 2023
Hi,
Oh, thank you for providing a patch for a quite annoying bug!!!!
Would it be possible to add a header to the patch, so that it is
possible to see where it came from and why, e.g.
-----------------------------------cut--------------------------------------------------------------------------
Description: attach in linux hangs due to permission denied accessing
/proc/pid/root
The attach API uses /proc/pid/root in order to support containers.
Dereferencing this symlink is governed by ptrace access mode
PTRACE_MODE_READ_FSCREDS
which may not succeed when running as the user running the JRE.
This breaks running jcmd and jmap as the same user the JVM is running as.
Use tmpdir when pid matches ns_pid.
Author: Sebastian Lovdahl <sebastian.lovdahl at hibox.tv>
Bug: https://bugs.openjdk.org/browse/JDK-8226919
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034601
Last-Update: 2023-04-18
-----------------------------------cut--------------------------------------------------------------------------
Best Regards,
Vladimir.
On Wed, Apr 19, 2023 at 9:57 PM Per Lundberg <per.lundberg at hibox.tv> wrote:
>
> On 2023-04-19 10:22, Thorsten Glaser wrote:
> > On Tue, 18 Apr 2023, Per Lundberg wrote:
> >
> >> wanted to share it with you as well. One option would be to include this in
> >> Debian's set of local JDK patches
> >
> > Shouldn’t this be added to 11 as well? Apparently, both are affected.
>
> Good point. Yes, it should.
>
> > The OpenJDK (except for 8 which the ELTS people and I mostly work on)
> > is not maintained by the debian-java people but by Doko.
>
> Hmm... who/what are Doko?
>
> > The usual way to hope for inclusion is to clone the bugreport, assign
> > one to src:openjdk-11 and the other to src:openjdk-17, mail the patch
> > with a description, add the tag patch and pray.
>
> Thanks for the detailed description! I have done exactly that now. Here
> are the new bugs (added to the Cc line as well):
>
> - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034600
> - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034601
>
> To those reading this who might not have the context: the patch attached
> to the previous message in this thread fixes an issue with jstack/cmd
> and similar tools not being able to connect to processes with Linux
> capabilities added to them, when the processes are running as non-root.
> This is a regression in the JDK:
> https://bugs.openjdk.org/browse/JDK-8226919
>
> The patch has been successfully tested on JDK 17 and works fine,
> according to our testing. No guarantees are given as to whether it works
> on JDK 11, but as long as it applies cleanly, it "should" be fine.
>
> Best regards,
> Per
>
More information about the pkg-java-maintainers
mailing list