Path: csiph.com!fu-berlin.de!bofh.it!news.nic.it!robomod From: Vladimir Petko Newsgroups: linux.debian.bugs.dist,linux.debian.maint.java Subject: Bug#1034392: Acknowledgement (tomcat9: jstack/jcmd broken for non-root users with tomcat9+jdk11 or greater) Date: Wed, 19 Apr 2023 23:10:01 +0200 Message-ID: References: X-Mailbox-Line: From debian-bugs-dist-request@lists.debian.org Wed Apr 19 21:06:15 2023 Old-Return-Path: X-Spam-Flag: NO X-Spam-Score: -3.75 Reply-To: Vladimir Petko , 1034392@bugs.debian.org Resent-To: debian-bugs-dist@lists.debian.org Resent-Cc: Debian Java Maintainers X-Debian-Pr-Message: followup 1034392 X-Debian-Pr-Package: tomcat9 X-Debian-Pr-Source: tomcat9 X-Gm-Message-State: AAQBX9cMy6nXWnKYflj82/qEexP3Ln9PUE+7UKfWUV3+jUM7zxEvYwG5 RlLe8Kz5dIF+w744ITfwYdC8IT5AQoXMJdhaG5YhjCB3GQoFv/lghqHjpTvumLQSL2oVuiUw+V1 lTFueMGbu3MUBTLws4RRrEpJ4RvrTvkK/sVONvto/DFy3dMy3Ong= X-Received: by 2002:a81:18b:0:b0:54f:8a61:d859 with SMTP id 133-20020a81018b000000b0054f8a61d859mr9292502ywb.5.1681938228954; Wed, 19 Apr 2023 14:03:48 -0700 (PDT) X-Google-SMTP-Source: AKy350YdoRdcV2BbuFsj80hSdeAwNW4UCQXCR7+Q4omEa60GtwKxZX52IRpvafur/ztmqdxQhKGFKpHSP2DGIFhuu4c= X-Received: by 2002:a81:18b:0:b0:54f:8a61:d859 with SMTP id 133-20020a81018b000000b0054f8a61d859mr9292478ywb.5.1681938228630; Wed, 19 Apr 2023 14:03:48 -0700 (PDT) MIME-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Debian-Message: from BTS X-Mailing-List: archive/latest/1768415 List-ID: List-URL: Approved: robomod@news.nic.it Lines: 70 Organization: linux.* mail to news gateway Sender: robomod@news.nic.it X-Original-Cc: Thorsten Glaser , 1034392@bugs.debian.org, debian-java@lists.debian.org, 1034600@bugs.debian.org, 1034601@bugs.debian.org X-Original-Date: Thu, 20 Apr 2023 09:03:37 +1200 X-Original-Message-ID: X-Original-References: <168145387946.21499.3939755694338228796.reportbug@plundberg-hiboxcentre.hibox.fi> <0b2f313a-8827-ab9e-96eb-4b19e502e68a@hibox.tv> <825ddc43-d5d9-9382-4d2b-813f43c444dd@tarent.de> <392bdb16-4674-408f-6b16-b39169d39513@hibox.tv> <168145387946.21499.3939755694338228796.reportbug@plundberg-hiboxcentre.hibox.fi> <392bdb16-4674-408f-6b16-b39169d39513@hibox.tv> Xref: csiph.com linux.debian.bugs.dist:1144432 linux.debian.maint.java:12630 Hi, Oh, thank you for providing a patch for a quite annoying bug!!!! Would it be possible to add a header to the patch, so that it is possible to see where it came from and why, e.g. -----------------------------------cut-------------------------------------= ------------------------------------- Description: attach in linux hangs due to permission denied accessing /proc/pid/root The attach API uses /proc/pid/root in order to support containers. Dereferencing this symlink is governed by ptrace access mode PTRACE_MODE_READ_FSCREDS which may not succeed when running as the user running the JRE. This breaks running jcmd and jmap as the same user the JVM is running as. Use tmpdir when pid matches ns_pid. Author: Sebastian Lovdahl Bug: https://bugs.openjdk.org/browse/JDK-8226919 Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=3D1034601 Last-Update: 2023-04-18 -----------------------------------cut-------------------------------------= ------------------------------------- Best Regards, Vladimir. On Wed, Apr 19, 2023 at 9:57=E2=80=AFPM Per Lundberg wrote: > > On 2023-04-19 10:22, Thorsten Glaser wrote: > > On Tue, 18 Apr 2023, Per Lundberg wrote: > > > >> wanted to share it with you as well. One option would be to include th= is in > >> Debian's set of local JDK patches > > > > Shouldn=E2=80=99t this be added to 11 as well? Apparently, both are aff= ected. > > Good point. Yes, it should. > > > The OpenJDK (except for 8 which the ELTS people and I mostly work on) > > is not maintained by the debian-java people but by Doko. > > Hmm... who/what are Doko? > > > The usual way to hope for inclusion is to clone the bugreport, assign > > one to src:openjdk-11 and the other to src:openjdk-17, mail the patch > > with a description, add the tag patch and pray. > > Thanks for the detailed description! I have done exactly that now. Here > are the new bugs (added to the Cc line as well): > > - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=3D1034600 > - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=3D1034601 > > To those reading this who might not have the context: the patch attached > to the previous message in this thread fixes an issue with jstack/cmd > and similar tools not being able to connect to processes with Linux > capabilities added to them, when the processes are running as non-root. > This is a regression in the JDK: > https://bugs.openjdk.org/browse/JDK-8226919 > > The patch has been successfully tested on JDK 17 and works fine, > according to our testing. No guarantees are given as to whether it works > on JDK 11, but as long as it applies cleanly, it "should" be fine. > > Best regards, > Per >