You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@commons.apache.org by "Andy Isaacson (JIRA)" <ji...@apache.org> on 2012/05/24 03:57:41 UTC

[jira] [Commented] (DAEMON-120) Unable to open directory /proc/self/fd

    [ https://issues.apache.org/jira/browse/DAEMON-120?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13282114#comment-13282114 ] 

Andy Isaacson commented on DAEMON-120:
--------------------------------------

Unfortunately the change in DAEMON-16 has two problems.

1. it has no effect on the client Java code, because it is overridden in jsvc-unix.c:child():

 707 #ifdef OS_LINUX
 708     if (args->user && set_caps(0) != 0) {
 709         log_debug("set_caps (0) failed");
 710         return 4;
 711     }

2. if the Java code were allowed to run under CAP_DAC_READ_SEARCH, that would apparently allow the Java code to read *any* file on the host's filesystem. Including /etc/shadow and /etc/ssl/private/ssl-cert-apache.pem.  This would rather defeat the point of "run the code as an unprivileged user".

The underlying problem is apparently a kernel bug of long standing (at least 2.6.18 - 3.4) where after setuid(2), processes are unable to read any of the private entries in /proc/self/.  There's a special exception for /proc/self/fd/ implemented in linux/fs/proc/base.c:proc_fd_permission but it's broken for multithreaded processes.
                
> Unable to open directory /proc/self/fd
> --------------------------------------
>
>                 Key: DAEMON-120
>                 URL: https://issues.apache.org/jira/browse/DAEMON-120
>             Project: Commons Daemon
>          Issue Type: Bug
>    Affects Versions: 1.0.1
>         Environment: RHEL 5.2
> [Atlassian JIRA|http://www.atlassian.com/] 3.12.2 Enterprise standalone which comes with Tomcat 5.5.20
> [Zapcat JMX Zabbix Bridge|http://www.kjkoster.org/zapcat/Zapcat_JMX_Zabbix_Bridge.html] 1.2
> [Zabbix 1.4.5|http://www.zabbix.com/]
>            Reporter: Ximon Eighteen
>            Priority: Minor
>             Fix For: 1.0.2
>
>
> Hi,
> I recently switched to using JSVC to run Tomcat and encountered a strange problem. I eventually found a workaround and only just remembered to raise the issue here.
> Everything was working fine until I switched over to JSVC. All the other components mentioned in the environment field above stayed the same, I just introduced JSVC by editing catalina.sh to invoke JSVC like so:
> {noformat}
>   /usr/local/jsvc/jsvc                                                 \
>     -user jira                                                         \
>     -cp ./bin/bootstrap.jar                                            \
>     -outfile "$CATALINA_BASE/logs/catalina.out"                        \
>     -errfile "$CATALINA_BASE/logs/catalina.err"                        \
>     $JAVA_OPTS $CATALINA_OPTS                                          \
>     -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \
>     -Dcatalina.base="$CATALINA_BASE"                                   \
>     -Dcatalina.home="$CATALINA_HOME"                                   \
>     -Djava.io.tmpdir="$CATALINA_TMPDIR"                                \
>     org.apache.catalina.startup.Bootstrap "$@" start
> {noformat}
> Once JIRA was running under JSVC I started seeing lots of these errors in the logs:
> {noformat}
> 20081103 140454,979 org.kjkoster.zapcat.zabbix.QueryHandler ERROR - dropping exception
> javax.management.RuntimeErrorException: java.lang.InternalError: errno: 13 error: Unable to open directory /proc/self/fd
>         at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.rethrow(DefaultMBeanServerInterceptor.java:858)
>         at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.rethrowMaybeMBeanException(DefaultMBeanServerInterceptor.java:869)
>         at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.getAttribute(DefaultMBeanServerInterceptor.java:670)
>         at com.sun.jmx.mbeanserver.JmxMBeanServer.getAttribute(JmxMBeanServer.java:638)
>         at org.kjkoster.zapcat.zabbix.JMXHelper.query(JMXHelper.java:62)
>         at org.kjkoster.zapcat.zabbix.QueryHandler.response(QueryHandler.java:127)
>         at org.kjkoster.zapcat.zabbix.QueryHandler.handleQuery(QueryHandler.java:87)
>         at org.kjkoster.zapcat.zabbix.QueryHandler.run(QueryHandler.java:70)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
>         at java.lang.Thread.run(Thread.java:619)
> {noformat}
> After much investigation with the Zapcat author Kees Jan Koster we eventually realised I could just work around the problem by disaling this Zapcat provided Zabbix item:
> {noformat}"jmx[java.lang:type=OperatingSystem][OpenFileDescriptorCount]"{noformat}
> Any ideas?
> Cheers,
> Ximon

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira