JDK-8291057

pre JDK "attach" API logic is restrictive and incompatible with that of JDK >=11


    • Enhancement
    • Resolution: Duplicate
    • P3
    • core-svc
    • linux

      The "attach" API that enables many of our serviceability tools, such as jcmd and its peers, changed behavior in JDK 11.

      Prior to that release, both the "attacher" JVM and the "attachee" compare the euid and egid of their peer with those of their own credentials and fail the attempt if they do not match (i.e. the peer must be the same user, although the gid check is redundant).

      In JDK 11, this logic was amended to also permit uid == 0 (superuser) to attach.

      This seems like a reasonable change, particularly in production environments where applications and services may be running as multiple users and the admin wishes to perform some actions against those without having to adopt the identity of the target JVM (hence permitting superuser attach).

      This attach logic should be normalized with earlier versions of the implementation to enable admins to avail themselves of this feature in earlier versions of the JDK.
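
      The two peer checks described above, side by side, as an added example that is not HotSpot's own code. It assumes Linux and that peer credentials are read with SO_PEERCRED on a Unix domain socket; the function names are hypothetical.

```cpp
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>
#include <cstdio>

// Rule described for releases before JDK 11: the peer's euid and egid must
// both equal our own.
bool same_user_only(uid_t peer_uid, gid_t peer_gid, uid_t self_uid, gid_t self_gid) {
    return peer_uid == self_uid && peer_gid == self_gid;
}

// Rule described for JDK 11: as above, but a peer with uid 0 is also accepted.
bool same_user_or_root(uid_t peer_uid, gid_t peer_gid, uid_t self_uid, gid_t self_gid) {
    return peer_uid == 0 || same_user_only(peer_uid, peer_gid, self_uid, self_gid);
}

// Assumption: peer credentials come from SO_PEERCRED on a Unix domain socket
// (Linux). Returns 1 = allow, 0 = deny, -1 = credentials unavailable; a
// caller should treat -1 as deny.
int check_peer(int fd, bool permit_root) {
    struct ucred cred;
    socklen_t len = sizeof(cred);
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &len) != 0 || len != sizeof(cred))
        return -1;
    uid_t uid = geteuid();
    gid_t gid = getegid();
    return permit_root ? same_user_or_root(cred.uid, cred.gid, uid, gid)
                       : same_user_only(cred.uid, cred.gid, uid, gid);
}

int main() {
    // Constructed cases: the checking process runs as uid/gid 1000.
    struct { const char* who; uid_t uid; gid_t gid; } peers[] = {
        {"same user", 1000, 1000}, {"root", 0, 0}, {"other user", 1001, 1001}};
    for (const auto& p : peers)
        std::printf("%-10s pre-11=%d jdk11=%d\n", p.who,
                    same_user_only(p.uid, p.gid, 1000, 1000),
                    same_user_or_root(p.uid, p.gid, 1000, 1000));
    // Live check: both ends of a socketpair belong to this process.
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return 1;
    std::printf("socketpair peer: %d\n", check_peer(sv[0], false));
    close(sv[0]);
    close(sv[1]);
    return 0;
}
```

      Under the second rule the egid comparison is skipped for a uid 0 peer, so root is accepted whatever its group.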

            lcable Larry Cable