
JVM debug connector internals and security

I recently came across the question: Debug a java application without starting the JVM with debug arguments

Reading more about the various connectors and transports offered by JVM at https://docs.oracle.com/javase/7/docs/technotes/guides/jpda/conninv.html, I am now trying to find answers to the below questions:

Docs say that for SADebugServerAttachingConnector and SAPIDAttachingConnector:

The process to be debugged need not have been started in debug mode(ie, with -agentlib:jdwp or -Xrunjdwp)

So:

1) Why do debug options like Xrunjdwp exist in the first place then?

2) How does SADebugServerAttachingConnector work without taking a port number in the arguments?

3) Documentation does not say anything about requiring root privileges. Is it not a serious privilege escalation vulnerability to allow arbitrary debugging of jvm instances not started in debug mode, by unprivileged users?

I will focus on the SADebugServerAttachingConnector case.

Here are some more quotes from the Java 11 version of the document you linked to:

SA Debug Server Attaching Connector

This connector can be used by a debugger application to debug a process or core file on a machine other than the machine upon which the debugger is running.

This connector uses RMI to communicate with a 'debug server' running on the remote machine. Before the attach() method on this connector is called, the debug server must be started on the remote machine and told what process or corefile is to be debugged.

A process to be debugged need not have been started in debug mode(ie, with -agentlib:jdwp or -Xrunjdwp).


1) Why do debug options like Xrunjdwp exist in the first place then?

The SA Debug Server method allows you to debug a Java process where you either didn't want to launch with an agent (eg for security reasons), or you didn't have the foresight to do that.

Conversely, the agent approach is for cases where you don't want the hassle of setting up an SA Debug Server to debug your Java app.

It is "horses for courses" ... as they say.

2) How does SADebugServerAttachingConnector work without taking a port number in the arguments?

Your debugger is using the RMI default port to talk to the SA Debug Server. The SA Debug Server is attaching to the target JVM using a mechanism that is known to the server and the target. It is likely to be an OS-specific mechanism under the hood. For example, on Linux it could use ptrace(2) APIs. Network sockets and ports need not be involved.

3) Documentation does not say anything about requiring root privileges. Is it not a serious privilege escalation vulnerability to allow arbitrary debugging of jvm instances not started in debug mode, by unprivileged users?

The documentation states that you need to specifically set up the linkage between the SA Debug Server and the target VM. This is done when you start the SA Debug Server.

OS-level access controls won't allow a non-root SA Debug Server to use (for example) ptrace syscalls to access a Java process belonging to another user / user id. And the OS won't let you start a root SA Debug Server unless you already have root privilege. So there is no escalation of privilege, either in the root or non-root cases.

(Modulo any undisclosed or unpatched OS-level root escalation bugs ... of course.)
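
The OS-level check the answer relies on, as an added example that is not part of the original answer: a simplified Python model of Linux's ptrace(2) attach rules (credential match or CAP_SYS_PTRACE, then the Yama ptrace_scope setting), assuming the debug server attaches via ptrace as the answer suggests. The `Caller` type, the `may_attach` function and the /proc status excerpts are constructed for illustration.

```python
# Added example: simplified model of the Linux ptrace(2) attach check.
# Not modelled: the target's "dumpable" flag, user namespaces, other LSMs,
# and the prctl(PR_SET_PTRACER) exception under ptrace_scope=1.
from dataclasses import dataclass

@dataclass
class Caller:                      # hypothetical helper type
    uid: int
    gid: int
    cap_sys_ptrace: bool = False   # root normally holds this capability

def parse_ids(status_text, field):
    """Return the real, effective and saved IDs from a /proc/<pid>/status field."""
    for line in status_text.splitlines():
        if line.startswith(field + ":"):
            return [int(x) for x in line.split()[1:4]]
    raise ValueError(f"{field} not found")

def may_attach(caller, target_status, ptrace_scope, target_is_descendant=False):
    """Return (allowed, reason) for a ptrace attach by `caller`."""
    if ptrace_scope == 3:
        return False, "yama ptrace_scope=3: attach disabled for everyone"
    if caller.cap_sys_ptrace:
        return True, "caller holds CAP_SYS_PTRACE"
    uids = parse_ids(target_status, "Uid")
    gids = parse_ids(target_status, "Gid")
    if any(u != caller.uid for u in uids) or any(g != caller.gid for g in gids):
        return False, "target credentials differ from caller's"
    if ptrace_scope == 2:
        return False, "yama ptrace_scope=2: CAP_SYS_PTRACE required"
    if ptrace_scope == 1 and not target_is_descendant:
        return False, "yama ptrace_scope=1: target is not a descendant"
    return True, "same credentials and Yama policy permits"

# Constructed /proc/<pid>/status excerpts for two JVMs owned by different users.
JVM_ALICE = "Name:\tjava\nUid:\t1000\t1000\t1000\t1000\nGid:\t1000\t1000\t1000\t1000\n"
JVM_BOB = "Name:\tjava\nUid:\t1001\t1001\t1001\t1001\nGid:\t1001\t1001\t1001\t1001\n"

if __name__ == "__main__":
    alice = Caller(uid=1000, gid=1000)
    root = Caller(uid=0, gid=0, cap_sys_ptrace=True)
    for who, target, scope in [(alice, JVM_ALICE, 0), (alice, JVM_BOB, 0),
                               (alice, JVM_ALICE, 1), (root, JVM_BOB, 1)]:
        print(who.uid, scope, may_attach(who, target, scope))
```

On a real host the scope value is read from /proc/sys/kernel/yama/ptrace_scope; a value of 1 or higher means even a same-user debug server cannot attach to an already running, unrelated JVM without CAP_SYS_PTRACE.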
