I reported yesterday being unable to use the JRockit JVM when launching Tomcat with jsvc -user tomcat. I put strace -f on the process and came up with
[pid 13655] open(“/proc/self/maps”, O_RDONLY) = -1 EACCES (Permission denied)
That wasn’t surprising, I expected a /proc read problem based on my previous research, but this nailed it. strace has help me out on a few other occasions (even though I barely understand the output). I really must remember to use it sooner in the troubleshooting process.
Anyway, I delved into the source code for jsvc (jsvc-unix.c) where I was introduced to the world of Linux capabilities. Long story short, I implemented CAP_DAC_READ_SEARCH in the relevant macros, permitting the switched user to read /proc (and any other file on the system for that matter).
Here is my patch of jsvc-unix.c (from jsvc source shipped with the Apache Tomcat 5.5.20 distribution).
— jsvc-unix.c.dist 2007-02-05 22:34:01.000000000 -0500
+++ jsvc-unix.c 2007-02-05 23:41:18.000000000 -0500
@@ -115,12 +115,15 @@
#define CAPSMAX (1 << CAP_NET_BIND_SERVICE)+ \
(1 << CAP_DAC_READ_SEARCH)+ \
(1 << CAP_DAC_OVERRIDE)
-/* That a more reasonable configuration */
+/* That a more reasonable configuration.
+ CAP_DAC_READ_SEARCH permits reading /proc/self */
#define CAPS (1 << CAP_NET_BIND_SERVICE)+ \
+ (1 << CAP_DAC_READ_SEARCH)+ \
(1 << CAP_SETUID)+ \
(1 << CAP_SETGID)
/* probably the only one Java could use */
-#define CAPSMIN (1 << CAP_NET_BIND_SERVICE)
+#define CAPSMIN (1 << CAP_NET_BIND_SERVICE)+ \
+ (1 << CAP_DAC_READ_SEARCH)
static int set_caps(int caps)
{
struct __user_cap_header_struct caphead;
With patched jsvc in service, Tomcat happily runs with JRockit under a non-privileged user.
Related:
$ man 7 capabilities
BEA JRockit
Postscript
I’m reposting the pre-patch error from catalina.err here for Google to index. Maybe this post will be discovered and help someone encountering the same problem.
05/02/2007 23:13:16 12004 jsvc.exec error: Cannot create Java VM
05/02/2007 23:13:16 12003 jsvc.exec error: Service exit with a return value of 1
[WARN ] pthread_getattr_np failed in psiGetStackInfo for 0×2a9557b960.
[WARN ] OS message: Permission denied (13)
2 comments
Comments feed for this article
February 27, 2007 at 11:06 pm
Steve Dyer
Great stuff! Thanks, this also fixes the “thread stack location – find_vma failed” error when using Sun JVM + Tomcat + jsvc.
Does is open any security holes?
Steve
February 28, 2007 at 1:35 am
crashingdaily
I can’t give a definitive word on whether any security issues are introduced by this. CAP_DAC_READ_SEARCH does give unrestricted read access to files but, if I’m reading this right, the permission levels are reduced after the daemon is loaded (see ’set_caps(0)’ around line 505 of jsvc-unix.c) so this read access, and other escalated permissions, are only granted long enough to get things started.