You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@commons.apache.org by "Andy Isaacson (JIRA)" <ji...@apache.org> on 2012/05/24 03:57:41 UTC
[jira] [Commented] (DAEMON-120) Unable to open directory
/proc/self/fd
[ https://issues.apache.org/jira/browse/DAEMON-120?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13282114#comment-13282114 ]
Andy Isaacson commented on DAEMON-120:
--------------------------------------
Unfortunately the change in DAEMON-16 has two problems.
1. it has no effect on the client Java code, because it is overridden in jsvc-unix.c:child():
707 #ifdef OS_LINUX
708 if (args->user && set_caps(0) != 0) {
709 log_debug("set_caps (0) failed");
710 return 4;
711 }
2. if the Java code were allowed to run under CAP_DAC_READ_SEARCH, that would apparently allow the Java code to read *any* file on the host's filesystem. Including /etc/shadow and /etc/ssl/private/ssl-cert-apache.pem. This would rather defeat the point of "run the code as an unprivileged user".
The underlying problem is apparently a kernel bug of long standing (at least 2.6.18 - 3.4) where after setuid(2), processes are unable to read any of the private entries in /proc/self/. There's a special exception for /proc/self/fd/ implemented in linux/fs/proc/base.c:proc_fd_permission but it's broken for multithreaded processes.
> Unable to open directory /proc/self/fd
> --------------------------------------
>
> Key: DAEMON-120
> URL: https://issues.apache.org/jira/browse/DAEMON-120
> Project: Commons Daemon
> Issue Type: Bug
> Affects Versions: 1.0.1
> Environment: RHEL 5.2
> [Atlassian JIRA|http://www.atlassian.com/] 3.12.2 Enterprise standalone which comes with Tomcat 5.5.20
> [Zapcat JMX Zabbix Bridge|http://www.kjkoster.org/zapcat/Zapcat_JMX_Zabbix_Bridge.html] 1.2
> [Zabbix 1.4.5|http://www.zabbix.com/]
> Reporter: Ximon Eighteen
> Priority: Minor
> Fix For: 1.0.2
>
>
> Hi,
> I recently switched to using JSVC to run Tomcat and encountered a strange problem. I eventually found a workaround and only just remembered to raise the issue here.
> Everything was working fine until I switched over to JSVC. All the other components mentioned in the environment field above stayed the same, I just introduced JSVC by editing catalina.sh to invoke JSVC like so:
> {noformat}
> /usr/local/jsvc/jsvc \
> -user jira \
> -cp ./bin/bootstrap.jar \
> -outfile "$CATALINA_BASE/logs/catalina.out" \
> -errfile "$CATALINA_BASE/logs/catalina.err" \
> $JAVA_OPTS $CATALINA_OPTS \
> -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \
> -Dcatalina.base="$CATALINA_BASE" \
> -Dcatalina.home="$CATALINA_HOME" \
> -Djava.io.tmpdir="$CATALINA_TMPDIR" \
> org.apache.catalina.startup.Bootstrap "$@" start
> {noformat}
> Once JIRA was running under JSVC I started seeing lots of these errors in the logs:
> {noformat}
> 20081103 140454,979 org.kjkoster.zapcat.zabbix.QueryHandler ERROR - dropping exception
> javax.management.RuntimeErrorException: java.lang.InternalError: errno: 13 error: Unable to open directory /proc/self/fd
> at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.rethrow(DefaultMBeanServerInterceptor.java:858)
> at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.rethrowMaybeMBeanException(DefaultMBeanServerInterceptor.java:869)
> at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.getAttribute(DefaultMBeanServerInterceptor.java:670)
> at com.sun.jmx.mbeanserver.JmxMBeanServer.getAttribute(JmxMBeanServer.java:638)
> at org.kjkoster.zapcat.zabbix.JMXHelper.query(JMXHelper.java:62)
> at org.kjkoster.zapcat.zabbix.QueryHandler.response(QueryHandler.java:127)
> at org.kjkoster.zapcat.zabbix.QueryHandler.handleQuery(QueryHandler.java:87)
> at org.kjkoster.zapcat.zabbix.QueryHandler.run(QueryHandler.java:70)
> at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
> at java.lang.Thread.run(Thread.java:619)
> {noformat}
> After much investigation with the Zapcat author Kees Jan Koster we eventually realised I could just work around the problem by disaling this Zapcat provided Zabbix item:
> {noformat}"jmx[java.lang:type=OperatingSystem][OpenFileDescriptorCount]"{noformat}
> Any ideas?
> Cheers,
> Ximon
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira