Java Heap dump permissions

2

12

The Java heap dumps generated on a Linux machine (and most probably on Unix machines as well) have restricted access. The heap dump can only be read by the owner of the process (ACL mask is set to 600). I understand that this is for security reasons. However, I was not able to find any documentation referencing or explaining the behavior. Can anyone point me to the documentation (if any)? Also, is there any way to override this behavior?

Woof answered 4/10, 2012 at 18:50 Comment(1)
Not a complete answer, but thread dumps can contain really confidential information, including your database password. So you'd better keep them safe. – Pernod
5

If you are interested in deep JVM internals, you can check the source code for OpenJDK.

Here is a link for the HeapDumper service: http://hg.openjdk.java.net/jdk7/jdk7/hotspot/file/9b0ca45cd756/src/share/vm/services/heapDumper.cpp

If you dig in, you'll see the JVM is creating binary files with S_IREAD | S_IWRITE:

    // create binary file, rewriting existing file if required
    int os::create_binary_file(const char* path, bool rewrite_existing) {
      int oflags = O_WRONLY | O_CREAT;
      if (!rewrite_existing) {
        oflags |= O_EXCL;
      }
      return ::open64(path, oflags, S_IREAD | S_IWRITE);
    }
Aftermath answered 11/10, 2012 at 10:52 Comment(0)
0

The heap dump is written by the JVM process, which runs as a particular user. Just like any file created by any Linux process, it will be owned by that user.

If you'd like actual documentation, here it is. Look at the description under O_CREAT.

Rollerskate answered 4/10, 2012 at 19:4 Comment(2)
I don't believe it is like creating any other file by the same user. In my environment, I have the umask for the user set to 022. When I create a file using touch, the file permissions are 644 (rw-r--r--). In fact, even the log files generated by the Java process have permissions as dictated by the umask. However, the heap dump is always at 600 (rw-------). I believe the JVM is explicitly setting permissions due to security concerns (because the heap can contain sensitive data) or using a system call that causes this. I am looking for documentation that explains it and any means to override it (chmod after the heap dump is not an option). – Woof
@AbhilashKoneri, too late to ask, but did you manage to override this behavior? – Imogene
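The difference between the 644 and 600 results discussed in this thread comes from how open() with O_CREAT combines the requested mode with the umask: the stored permissions are the requested mode with the umask bits cleared, so the umask can only remove bits, never add them. The following C program is an added example, not code from the posts or from OpenJDK; the helper name created_mode and the /tmp file names are assumptions made for the illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper for this example (not part of HotSpot):
 * create a new file under the given umask with the requested mode and
 * return the permission bits actually stored, or -1 on error. */
int created_mode(mode_t mask, mode_t requested) {
    static int seq;                      /* makes each scratch name unique */
    char path[64];
    snprintf(path, sizeof path, "/tmp/heapdump_perm_%ld_%d",
             (long)getpid(), seq++);

    mode_t old = umask(mask);            /* set the umask under test */
    /* Same flags as create_binary_file() with rewrite_existing == false. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, requested);
    umask(old);                          /* restore the caller's umask */
    if (fd < 0) return -1;

    struct stat st;
    int rc = fstat(fd, &st);
    close(fd);
    unlink(path);
    return rc == 0 ? (int)(st.st_mode & 0777) : -1;
}

int main(void) {
    /* S_IRUSR | S_IWUSR is the POSIX spelling of S_IREAD | S_IWRITE (0600). */
    mode_t dump_mode = S_IRUSR | S_IWUSR;

    /* 0666 is what touch and typical log writers request. */
    printf("umask 022, request 0666 -> %04o\n", created_mode(022, 0666));
    /* The heap dump case: group/other bits were never requested. */
    printf("umask 022, request 0600 -> %04o\n", created_mode(022, dump_mode));
    /* Even a fully open umask cannot widen the result. */
    printf("umask 000, request 0600 -> %04o\n", created_mode(000, dump_mode));
    /* A strict umask narrows an ordinary file to the same 0600. */
    printf("umask 077, request 0666 -> %04o\n", created_mode(077, 0666));
    return 0;
}
```

The second and third cases show why changing the process umask does not loosen the heap dump's permissions.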
