From a2a5e851959e5040aca32110041663bb14659042 Mon Sep 17 00:00:00 2001 From: Daniil Titov Date: Thu, 31 May 2018 14:09:04 -0700 Subject: [PATCH] 8197387: jcmd started by "root" must be allowed to access all VM processes Reviewed-by: sspitsyn, stuefe --- src/hotspot/os/aix/attachListener_aix.cpp | 11 +++++------ src/hotspot/os/bsd/attachListener_bsd.cpp | 11 +++++------ src/hotspot/os/linux/attachListener_linux.cpp | 11 +++++------ src/hotspot/os/posix/os_posix.cpp | 14 ++++++++++++++ src/hotspot/os/posix/os_posix.hpp | 10 ++++++++++ src/hotspot/os/solaris/attachListener_solaris.cpp | 10 +++------- .../aix/native/libattach/VirtualMachineImpl.c | 6 ++++-- .../linux/native/libattach/VirtualMachineImpl.c | 6 ++++-- .../macosx/native/libattach/VirtualMachineImpl.c | 6 ++++-- .../solaris/native/libattach/VirtualMachineImpl.c | 6 ++++-- 10 files changed, 58 insertions(+), 33 deletions(-) diff --git a/src/hotspot/os/aix/attachListener_aix.cpp b/src/hotspot/os/aix/attachListener_aix.cpp index b738d328f3e..18c7f574653 100644 --- a/src/hotspot/os/aix/attachListener_aix.cpp +++ b/src/hotspot/os/aix/attachListener_aix.cpp @@ -386,11 +386,10 @@ AixAttachOperation* AixAttachListener::dequeue() { ::close(s); continue; } - uid_t euid = geteuid(); - gid_t egid = getegid(); - if (cred_info.euid != euid || cred_info.egid != egid) { - log_debug(attach)("euid/egid check failed (%d/%d vs %d/%d)", cred_info.euid, cred_info.egid, euid, egid); + if (!os::Posix::matches_effective_uid_and_gid_or_root(cred_info.euid, cred_info.egid)) { + log_debug(attach)("euid/egid check failed (%d/%d vs %d/%d)", + cred_info.euid, cred_info.egid, geteuid(), getegid()); ::close(s); continue; } @@ -548,8 +547,8 @@ bool AttachListener::is_init_trigger() { } if (ret == 0) { // simple check to avoid starting the attach mechanism when - // a bogus user creates the file - if (st.st_uid == geteuid()) { + // a bogus non-root user creates the file + if (os::Posix::matches_effective_uid_or_root(st.st_uid)) { init(); log_trace(attach)("Attach triggered by %s", fn); return true; diff --git a/src/hotspot/os/bsd/attachListener_bsd.cpp b/src/hotspot/os/bsd/attachListener_bsd.cpp index 12c097631ee..503a4d72a30 100644 --- a/src/hotspot/os/bsd/attachListener_bsd.cpp +++ b/src/hotspot/os/bsd/attachListener_bsd.cpp @@ -357,11 +357,10 @@ BsdAttachOperation* BsdAttachListener::dequeue() { ::close(s); continue; } - uid_t euid = geteuid(); - gid_t egid = getegid(); - if (puid != euid || pgid != egid) { - log_debug(attach)("euid/egid check failed (%d/%d vs %d/%d)", puid, pgid, euid, egid); + if (!os::Posix::matches_effective_uid_and_gid_or_root(puid, pgid)) { + log_debug(attach)("euid/egid check failed (%d/%d vs %d/%d)", puid, pgid, + geteuid(), getegid()); ::close(s); continue; } @@ -513,8 +512,8 @@ bool AttachListener::is_init_trigger() { } if (ret == 0) { // simple check to avoid starting the attach mechanism when - // a bogus user creates the file - if (st.st_uid == geteuid()) { + // a bogus non-root user creates the file + if (os::Posix::matches_effective_uid_or_root(st.st_uid)) { init(); log_trace(attach)("Attach triggered by %s", fn); return true; diff --git a/src/hotspot/os/linux/attachListener_linux.cpp b/src/hotspot/os/linux/attachListener_linux.cpp index 93ae6ab58ea..d79bd1bac85 100644 --- a/src/hotspot/os/linux/attachListener_linux.cpp +++ b/src/hotspot/os/linux/attachListener_linux.cpp @@ -357,11 +357,10 @@ LinuxAttachOperation* LinuxAttachListener::dequeue() { ::close(s); continue; } - uid_t euid = geteuid(); - gid_t egid = getegid(); - if (cred_info.uid != euid || cred_info.gid != egid) { - log_debug(attach)("euid/egid check failed (%d/%d vs %d/%d)", cred_info.uid, cred_info.gid, euid, egid); + if (!os::Posix::matches_effective_uid_and_gid_or_root(cred_info.uid, cred_info.gid)) { + log_debug(attach)("euid/egid check failed (%d/%d vs %d/%d)", + cred_info.uid, cred_info.gid, geteuid(), getegid()); ::close(s); continue; } @@ -518,8 +517,8 @@ bool AttachListener::is_init_trigger() { } if (ret == 0) { // simple check to avoid starting the attach mechanism when - // a bogus user creates the file - if (st.st_uid == geteuid()) { + // a bogus non-root user creates the file + if (os::Posix::matches_effective_uid_or_root(st.st_uid)) { init(); log_trace(attach)("Attach triggered by %s", fn); return true; diff --git a/src/hotspot/os/posix/os_posix.cpp b/src/hotspot/os/posix/os_posix.cpp index 623a0e39404..074499a16d3 100644 --- a/src/hotspot/os/posix/os_posix.cpp +++ b/src/hotspot/os/posix/os_posix.cpp @@ -51,6 +51,8 @@ #endif #define IS_VALID_PID(p) (p > 0 && p < MAX_PID) +#define ROOT_UID 0 + #ifndef MAP_ANONYMOUS #define MAP_ANONYMOUS MAP_ANON #endif @@ -1454,6 +1456,18 @@ size_t os::Posix::get_initial_stack_size(ThreadType thr_type, size_t req_stack_s return stack_size; } +bool os::Posix::is_root(uid_t uid){ + return ROOT_UID == uid; +} + +bool os::Posix::matches_effective_uid_or_root(uid_t uid) { + return is_root(uid) || geteuid() == uid; +} + +bool os::Posix::matches_effective_uid_and_gid_or_root(uid_t uid, gid_t gid) { + return is_root(uid) || (geteuid() == uid && getegid() == gid); +} + Thread* os::ThreadCrashProtection::_protected_thread = NULL; os::ThreadCrashProtection* os::ThreadCrashProtection::_crash_protection = NULL; volatile intptr_t os::ThreadCrashProtection::_crash_mux = 0; diff --git a/src/hotspot/os/posix/os_posix.hpp b/src/hotspot/os/posix/os_posix.hpp index 7ce25c2a616..ef6f4b6b1bd 100644 --- a/src/hotspot/os/posix/os_posix.hpp +++ b/src/hotspot/os/posix/os_posix.hpp @@ -106,6 +106,16 @@ public: // On error, it will return NULL and set errno. The content of 'outbuf' is undefined. // On truncation error ('outbuf' too small), it will return NULL and set errno to ENAMETOOLONG. static char* realpath(const char* filename, char* outbuf, size_t outbuflen); + + // Returns true if given uid is root. + static bool is_root(uid_t uid); + + // Returns true if given uid is effective or root uid. + static bool matches_effective_uid_or_root(uid_t uid); + + // Returns true if either given uid is effective uid and given gid is + // effective gid, or if given uid is root. + static bool matches_effective_uid_and_gid_or_root(uid_t uid, gid_t gid); }; // On POSIX platforms the signal handler is global so we just do the write. diff --git a/src/hotspot/os/solaris/attachListener_solaris.cpp b/src/hotspot/os/solaris/attachListener_solaris.cpp index 521d5e7c686..3f1a68a7122 100644 --- a/src/hotspot/os/solaris/attachListener_solaris.cpp +++ b/src/hotspot/os/solaris/attachListener_solaris.cpp @@ -213,16 +213,12 @@ static int check_credentials() { return -1; // unable to get them, deny } - // get our euid/eguid (probably could cache these) - uid_t euid = geteuid(); - gid_t egid = getegid(); - // get euid/egid from ucred_free uid_t ucred_euid = ucred_geteuid(cred_info); gid_t ucred_egid = ucred_getegid(cred_info); // check that the effective uid/gid matches - if (ucred_euid == euid && ucred_egid == egid) { + if (os::Posix::matches_effective_uid_and_gid_or_root(ucred_euid, ucred_egid)) { ret = 0; // allow } @@ -664,8 +660,8 @@ bool AttachListener::is_init_trigger() { } if (ret == 0) { // simple check to avoid starting the attach mechanism when - // a bogus user creates the file - if (st.st_uid == geteuid()) { + // a bogus non-root user creates the file + if (os::Posix::matches_effective_uid_or_root(st.st_uid)) { init(); log_trace(attach)("Attach triggered by %s", fn); return true; diff --git a/src/jdk.attach/aix/native/libattach/VirtualMachineImpl.c b/src/jdk.attach/aix/native/libattach/VirtualMachineImpl.c index 705ec9a06ed..c181b95da51 100644 --- a/src/jdk.attach/aix/native/libattach/VirtualMachineImpl.c +++ b/src/jdk.attach/aix/native/libattach/VirtualMachineImpl.c @@ -46,6 +46,8 @@ } while(0) +#define ROOT_UID 0 + /* * Class: sun_tools_attach_VirtualMachineImpl * Method: socket @@ -153,11 +155,11 @@ JNIEXPORT void JNICALL Java_sun_tools_attach_VirtualMachineImpl_checkPermissions if (res == 0) { char msg[100]; jboolean isError = JNI_FALSE; - if (sb.st_uid != uid) { + if (sb.st_uid != uid && uid != ROOT_UID) { snprintf(msg, sizeof(msg), "file should be owned by the current user (which is %d) but is owned by %d", uid, sb.st_uid); isError = JNI_TRUE; - } else if (sb.st_gid != gid) { + } else if (sb.st_gid != gid && uid != ROOT_UID) { snprintf(msg, sizeof(msg), "file's group should be the current group (which is %d) but the group is %d", gid, sb.st_gid); isError = JNI_TRUE; diff --git a/src/jdk.attach/linux/native/libattach/VirtualMachineImpl.c b/src/jdk.attach/linux/native/libattach/VirtualMachineImpl.c index a6cdf0a67ea..c96a45d8fd7 100644 --- a/src/jdk.attach/linux/native/libattach/VirtualMachineImpl.c +++ b/src/jdk.attach/linux/native/libattach/VirtualMachineImpl.c @@ -44,6 +44,8 @@ } while((_result == -1) && (errno == EINTR)); \ } while(0) +#define ROOT_UID 0 + /* * Declare library specific JNI_Onload entry if static build */ @@ -156,11 +158,11 @@ JNIEXPORT void JNICALL Java_sun_tools_attach_VirtualMachineImpl_checkPermissions if (res == 0) { char msg[100]; jboolean isError = JNI_FALSE; - if (sb.st_uid != uid) { + if (sb.st_uid != uid && uid != ROOT_UID) { snprintf(msg, sizeof(msg), "file should be owned by the current user (which is %d) but is owned by %d", uid, sb.st_uid); isError = JNI_TRUE; - } else if (sb.st_gid != gid) { + } else if (sb.st_gid != gid && uid != ROOT_UID) { snprintf(msg, sizeof(msg), "file's group should be the current group (which is %d) but the group is %d", gid, sb.st_gid); isError = JNI_TRUE; diff --git a/src/jdk.attach/macosx/native/libattach/VirtualMachineImpl.c b/src/jdk.attach/macosx/native/libattach/VirtualMachineImpl.c index 02a214691b0..e265a046fdc 100644 --- a/src/jdk.attach/macosx/native/libattach/VirtualMachineImpl.c +++ b/src/jdk.attach/macosx/native/libattach/VirtualMachineImpl.c @@ -46,6 +46,8 @@ } while((_result == -1) && (errno == EINTR)); \ } while(0) +#define ROOT_UID 0 + /* * Declare library specific JNI_Onload entry if static build */ @@ -158,11 +160,11 @@ JNIEXPORT void JNICALL Java_sun_tools_attach_VirtualMachineImpl_checkPermissions if (res == 0) { char msg[100]; jboolean isError = JNI_FALSE; - if (sb.st_uid != uid) { + if (sb.st_uid != uid && uid != ROOT_UID) { snprintf(msg, sizeof(msg), "file should be owned by the current user (which is %d) but is owned by %d", uid, sb.st_uid); isError = JNI_TRUE; - } else if (sb.st_gid != gid) { + } else if (sb.st_gid != gid && uid != ROOT_UID) { snprintf(msg, sizeof(msg), "file's group should be the current group (which is %d) but the group is %d", gid, sb.st_gid); isError = JNI_TRUE; diff --git a/src/jdk.attach/solaris/native/libattach/VirtualMachineImpl.c b/src/jdk.attach/solaris/native/libattach/VirtualMachineImpl.c index 67164a517bd..e6ae3f9761c 100644 --- a/src/jdk.attach/solaris/native/libattach/VirtualMachineImpl.c +++ b/src/jdk.attach/solaris/native/libattach/VirtualMachineImpl.c @@ -38,6 +38,8 @@ #include "sun_tools_attach_VirtualMachineImpl.h" +#define ROOT_UID 0 + #define RESTARTABLE(_cmd, _result) do { \ do { \ _result = _cmd; \ @@ -122,11 +124,11 @@ JNIEXPORT void JNICALL Java_sun_tools_attach_VirtualMachineImpl_checkPermissions if (res == 0) { char msg[100]; jboolean isError = JNI_FALSE; - if (sb.st_uid != uid) { + if (sb.st_uid != uid && uid != ROOT_UID) { snprintf(msg, sizeof(msg), "file should be owned by the current user (which is %d) but is owned by %d", uid, sb.st_uid); isError = JNI_TRUE; - } else if (sb.st_gid != gid) { + } else if (sb.st_gid != gid && uid != ROOT_UID) { snprintf(msg, sizeof(msg), "file's group should be the current group (which is %d) but the group is %d", gid, sb.st_gid); isError = JNI_TRUE;