| Summary: | java.policy needs config file status | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Frank Griffin <ftg> |
| Component: | RPM Packages | Assignee: | Mageia Bug Squad <bugsquad> |
| Status: | RESOLVED INVALID | QA Contact: | |
| Severity: | normal | ||
| Priority: | Normal | ||
| Version: | Cauldron | ||
| Target Milestone: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Source RPM: | java | CVE: | |
| Status comment: | |||
The changes shouldn't be lost, as the file is already marked as %config(noreplace), but if the file changes in the new version of the package, they'll have to merge their changes into the .rpmnew file if they want to keep the file up to date.
From java-1.7.0-openjdk-headless:
%config(noreplace) %{_jvmdir}/%{jredir}/lib/security/java.policy
So I don't really understand what this bug is really about.
Anyway, we don't have an active maintainer for Java stuff at the moment, and we only sync our stuff from Fedora/RedHat anyway, so if you want changes made to this package, it's best to file them in RedHat's bugzilla.
Odd. This cauldron system was fresh-installed in January and after the February update I manually modified the java.policy file as noted above, and derby has been running just fine (I have a derby app that sends me mails every day). About a week ago, I stopped getting the mails. When I looked into this, I saw that the derby startup was getting the original security excaption. When I checked java.policy, my update was gone. Looking at my cauldron mirror, the java-openjdk packages were updated on 22Apr, which fits the start of the problem just about exactly. And as you can see: [root@ftgme2 security]# pwd /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.60-2.4.7.1.mga5.x86_64/jre/lib/security [root@ftgme2 security]# ls -l total 36 lrwxrwxrwx 1 root root 41 Apr 23 07:30 cacerts -> ../../../../../../../etc/pki/java/cacerts -rw-r--r-- 1 root root 2671 Apr 30 11:01 java.policy -rw-r--r-- 1 root root 18297 Apr 22 12:31 java.security -rw-r--r-- 1 root root 638 Apr 22 12:33 local_policy.jar -rw-r--r-- 1 root root 78 Apr 22 12:38 nss.cfg -rw-r--r-- 1 root root 620 Apr 22 12:33 US_export_policy.jar [root@ftgme2 security]# there is no .rpmnew file in the directory, and all of the others were replaced on 22Apr (the 30Apr date on java.policy reflects the change I made to get things working again). That's odd indeed. I don't see anything in the package itself that would cause it to move the rpmnew file in place of the main one, and I verified with rpm -qlc that java.policy is a config file inside the headless subpackage (just to make sure the attributes didn't get overridden somehow). Maybe something to do with how you updated your Cauldron, I don't know. I'm going to mark this as INVALID, but if you can figure out what's behind it and it's an issue that we can do something about, feel free to reopen. Status:
NEW =>
RESOLVED Let's take a last stab. Would it be a lot of bother for you to push a no-op java update which basically changes nothing but would cause a new rpm to be installed ? If so, I can update and see if my modified java.policy gets wiped again. If it does, we have a spec bug. |
Back in February, I posted the following to the ML with no replies: ****************************************************************** Is anyone else suddenly (since Feb 1) having problems with the Java security profile in cauldron ? I have been running derby from a manual install on /usr/local and apps against it since forever. Since Feb 1, the server fails to come up with an error attempting to listen on localhost:1527 in spite of the fact that "listen" on localhost:0 is granted to all users and has been as far back as I can check. Adding a specific grant for port 1527 gets the server up, but clients fail to connect with an arcane derby error that google suggests stems from lack of permission to connect. If I put: grant codeBase "file:/-" { permission java.security.AllPermission; }; at the top of the java.policy file and restart the server, all the errors go magically away. What changed ? ****************************************************************** The problem is the following: ################################################################## Change in Default Socket Permissions The default socket permissions assigned to all code including untrusted code have been changed in this release. Previously, all code was able to bind any socket type to any port number greater than or equal to 1024. It is still possible to bind sockets to the ephemeral port range on each system. The exact range of ephemeral ports varies from one operating system to another, but it is typically in the high range (such as from 49152 to 65535). The new restriction is that binding sockets outside of the ephemeral range now requires an explicit permission in the system security policy. Most applications using client tcp sockets and a security manager will not see any problem, as these typically bind to ephemeral ports anyway. Applications using datagram sockets or server tcp sockets (and a security manager) may encounter security exceptions where none were seen before. If this occurs, users should review whether the port number being requested is expected, and if this is the case, a socket permission grant can be added to the local security policy, to resolve the issue. This means that you have to explicity set the permissions for your application to be able to access the ports range between 1025 and 49151. You can therefore grant this permission by appending this line in the list of permissions granted: Visit your Java Home Directory and access your policy file at $JAVA_HOME/jre/lib/security/java.policy and make the following changes. grant{ //List of granted permissions permission java.net.SocketPermission "localhost:1527", "listen"; } ################################################################## This means that the MGA JDK as installed will fail for any network server application unless java.policy is modified by the user, and that means that every time the package is updated those modifications will be lost unless the package is changed to install java.policy using ".rpmnew". Reproducible: Steps to Reproduce: