#193 oprofile leaves a world-writable /var/lib/oprofile/jitdump/

None
closed-fixed
hanseld
None
5
2013-07-29
2010-10-06
Shlomi Fish
No

On Mandriva Cooker with oprofile-0.9.6-1mdv2010.1 after doing opcontrol --vmlinux=/boot/vmlinux-2.6.36-desktop-0.rc6.2.1mnb and opcontrol --start I'm getting this:

{{{
[root@telaviv1 ~]# ls -ld /var/lib/oprofile/jitdump
drwxrwxrwx 2 root root 6 2010-10-06 09:34 /var/lib/oprofile/jitdump/
}}}

It stays this way after I run oprofile --stop and reboot the machine. This is a world-writable directory that every user can write into until the partition is filled, and that msec (the Mandriva security monitor) reports and complains about.

Please fix it.

Regards,

-- Shlomi Fish
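
An added example, not part of the original report and not oprofile or msec code: a POSIX shell check that separates the mode shown in the `ls -ld` output above (world-writable, no sticky bit) from a sticky directory such as /tmp and from a restricted one. The function names `classify_dir` and `list_open_dirs` are made up for this example, and paths are assumed to be absolute.

```shell
#!/bin/sh
# Added example: classify directory permissions the way the report reads them.
# Function names are made up for this example; paths are expected to be
# absolute (a path starting with "-" would be read by find as an option).

# classify_dir DIR prints one of:
#   missing     DIR is not a directory
#   restricted  "other" has no write permission
#   sticky      world-writable with the sticky bit (like /tmp): users
#               cannot remove or rename each other's files
#   open        world-writable without the sticky bit (drwxrwxrwx): any
#               user can create files and remove or rename files owned
#               by others
classify_dir() {
    d=$1
    [ -d "$d" ] || { echo missing; return 0; }
    # -perm -0002 matches when the "other" write bit is set.
    if [ -z "$(find "$d" -maxdepth 0 -perm -0002 2>/dev/null)" ]; then
        echo restricted
    # -perm -1000 matches when the sticky bit is set.
    elif [ -n "$(find "$d" -maxdepth 0 -perm -1000 2>/dev/null)" ]; then
        echo sticky
    else
        echo open
    fi
}

# list_open_dirs ROOT prints every directory under ROOT (same filesystem)
# that is world-writable without the sticky bit.
list_open_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -print 2>/dev/null
}

# Stand-alone use: check the directory from the report, or the one given.
classify_dir "${1:-/var/lib/oprofile/jitdump}"
```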

Discussion

    • assigned_to: nobody --> hanseld
     
  • Daniel, please take a look at this bug.

     
  • William Cohen
    2011-05-20

    This directory is being used to store the jvmti/jvmpi opagents so there is information to map samples back to the Java method. The Java programs are running as normal users, so the opagent code that is recording data into /var/lib/oprofile/jitdump is also being run as normal users.

    When reviewing the opagent code I found that the jitdump directory location is statically compiled into the code due to

    libopagent/opagent.c:#define AGENT_DIR OP_SESSION_DIR_DEFAULT "jitdump"

    And:

    libop/op_config.h:#define OP_SESSION_DIR_DEFAULT "/var/lib/oprofile/"

    If someone uses "opcontrol --session-dir=..." then the Java opagent is going to put things in the wrong place.

    Would it make sense for the oprofile to do something like this:

    -opagent attempts to write to a pipe that oprofiled has open (maybe in /tmp)
    -oprofiled creates the file in SESSION_DIR/jitdump with permissions
    oprofiled makes link /tmp/filename to SESSION_DIR/jitdump/file
    -opcontrol can remove group and world write to SESSION_DIR/jitdump

     
  • hanseld
    2011-06-06

    Hi Shlomi Fish,

    we've discussed that problem.
    We want to change the location for JIT dump files from /var/lib/oprofile/jitdump to /tmp/jitdump.
    Additionally we have to document this new location due to the fact that /tmp could be cleaned up sometimes.

    The new location is necessary due to the fact that oprofile JIT dump files could be created by any user.

    Can you tell me if the new location is ok for your Mandriva security monitor?

    Kind regards.

     
  • Daniel,
    Since I'm going to be putting out a new release in the not too distant future, I'd like to close out as many bugs as possible. Can you please take a look at this one? It seems that this directory could be made writable by root and readable by all. But if we make such a change, that's going to break operf, as it currently will generate jit dump files into /var/lib/oprofile/jitdump even when it's run by a normal user. So if you change the permissions on this dir, it will have a ripple effect.

     
  • hanseld
    2013-01-24

    This problem is fixed together with another related bug.

    Please refer to the Oprofile mailing list to get the whole discussion and the final fix.

     
  • hanseld
    2013-01-24

    • status: open --> open-fixed
     
    • status: open-fixed --> closed-fixed
    • Group: -->