Bug 855977 - /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.6.x86_64/lib/sa-jdi.jar is only readable by root
/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.6.x86_64/lib/sa-jdi.jar is only readabl...
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: java-1.7.0-openjdk (Show other bugs)
17
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: jiri vanek
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-09-10 16:08 EDT by Omair Majid
Modified: 2012-10-19 13:20 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-10-19 13:20:26 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Omair Majid 2012-09-10 16:08:55 EDT
Description of problem:
/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.6.x86_64/lib/sa-jdi.jar has incorrect permissions and is only readable by root.

This breaks tools like jstack

Version-Release number of selected component (if applicable):
java-1.7.0-openjdk-devel-1.7.0.6-2.3.1.fc17.2.x86_64

How reproducible:
Every time

Steps to Reproduce:
1. Install java-1.7.0-openjdk-devel
2. ls -l /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.6.x86_64/lib/sa-jdi.jar
  
Actual results:
-rw-------. 1 root root 2605360 Aug 31 11:08 sa-jdi.jar

Expected results:
-rw-r--r--. 1 root root  2605360 Aug 31 11:08 sa-jdi.jar


Additional info:

This also breaks jstack:
$ jps
8805 Jps
8479 Pause

$ gdb --pid=8479
(gdb) gcore
Saved corefile core.8479
(gdb) detach
Detaching from program: /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.6.x86_64/jre/bin/java, process 8479
(gdb) q

$ jstack /usr/lib/jvm/java/bin/java core.8479 
Usage:
    jstack [-l] <pid>
        (to connect to running process)

Options:
    -l  long listing. Prints additional information about locks
    -h or -help to print this help message
# chmod ugo+r sa-jdi.jar # fix permissions on sa-jdi.jar
$ jstack /usr/lib/jvm/java/bin/java core.8479 
Attaching to core core.8479 from executable /usr/lib/jvm/java/bin/java, please wait...
Debugger attached successfully.
Server compiler detected.
JVM version is 23.2-b09
Deadlock Detection:

No deadlocks found.

Thread 8535: (state = BLOCKED)


Thread 8488: (state = BLOCKED)


Thread 8487: (state = BLOCKED)
 - java.lang.Object.wait(long) @bci=0 (Interpreted frame)
 - java.lang.ref.ReferenceQueue.remove(long) @bci=44, line=135 (Interpreted frame)
 - java.lang.ref.ReferenceQueue.remove() @bci=2, line=151 (Interpreted frame)
 - java.lang.ref.Finalizer$FinalizerThread.run() @bci=3, line=177 (Interpreted frame)


Thread 8486: (state = BLOCKED)
 - java.lang.Object.wait(long) @bci=0 (Interpreted frame)
 - java.lang.Object.wait() @bci=2, line=503 (Interpreted frame)
 - java.lang.ref.Reference$ReferenceHandler.run() @bci=46, line=133 (Interpreted frame)


Thread 8480: (state = BLOCKED)
 - java.lang.Thread.sleep(long) @bci=0 (Interpreted frame)
 - Pause.main(java.lang.String[]) @bci=30, line=14 (Interpreted frame)
Comment 1 jiri vanek 2012-09-17 05:55:20 EDT
Thanx for reporting!

I can fix this in rpm, by hardcode permissions, but imho this should be fixed in upstream (as also direct icedtea7-forest build is affected) and as it is  regression (u3 have correct permissions, u5 have not, u4 was never packed, both architectures affected).

Only sun.com packages are inside this jar,  so they are not covered by usual tests.

Can this be connected to recent tmp-permissions  fix, which caused similar permissions for gnome-bridge? (but IMHO is not, because release with this fix was u3, which is not affected, but maybe later was build of this jar moved to tmp and so affected later)
Comment 2 Omair Majid 2012-09-17 16:00:56 EDT
(In reply to comment #1)
> Only sun.com packages are inside this jar,  so they are not covered by usual
> tests.

Would it make sense to add tests that ensure binaries (like 'java', 'javac', and 'jstack') are working to the usual tests?
Comment 3 Pavel Tisnovsky 2012-09-20 07:39:08 EDT
Yes, I think it makes sense to add this check to our test toolset (together with debuginfo test etc.)
Comment 4 Andrew John Hughes 2012-10-19 12:26:01 EDT
This is fixed by:

http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7175845

which is in 2.3.x and has now been backported to 1.10.x, 1.11.x, 2.1.x and 2.2.x with this release:

http://blog.fuseyism.com/index.php/2012/10/19/security-icedtea-1-10-10-1-11-15-2-1-3-2-2-3-2-3-3-released/

So builds done with the patched JDK will have an sa-jdi.jar with the correct permissions.  You can also achieve this by doing a full bootstrap.
Comment 5 Omair Majid 2012-10-19 12:36:17 EDT
Permissions are fixed with java-1.7.0-openjdk-1.7.0.9-2.3.3.fc17

Note You need to log in before you can comment on or make changes to this bug.