JDK-7076745 : JRE doesn't work with Linux capabilities
  • Type: Bug
  • Component: tools
  • Sub-Component: launcher
  • Affected Version: 7
  • Priority: P4
  • Status: Closed
  • Resolution: Duplicate
  • OS: linux_ubuntu
  • CPU: x86
  • Submitted: 2011-08-09
  • Updated: 2012-03-20
  • Resolved: 2011-08-23
Related Reports
Duplicate :  
Description
FULL PRODUCT VERSION :
java version "1.7.0"
Java(TM) SE Runtime Environment (build 1.7.0-b147)
Java HotSpot(TM) Server VM (build 21.0-b17, mixed mode)

ADDITIONAL OS VERSION INFORMATION :
Ubuntu 10.04 LTS
Linux gvk-stend 2.6.32-32-generic #62-Ubuntu SMP Wed Apr 20 21:54:21 UTC 2011 i686 GNU/Linux

A DESCRIPTION OF THE PROBLEM :
After setting capabilities with this command:
sudo setcap cap_net_bind_service=+ep /usr/lib/jvm/jdk1.7.0/bin/java

It is impossible to execute binary /usr/lib/jvm/jdk1.7.0/bin/java:
java: error while loading shared libraries: libjli.so: cannot open shared object file: No such file or directory

I even tried to add the absolute path to "libjli.so" and run "sudo ldconfig" but it doesn't help:

$ cat /etc/ld.so.conf.d/libjli.conf
/usr/lib/jvm/jdk1.7.0/jre/lib/i386/jli/libjli.so



STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Unpack the content of "jdk-7-linux-i586.tar.gz" to /usr/lib/jvm
2. sudo setcap cap_net_bind_service=+ep /usr/lib/jvm/jdk1.7.0/bin/java
3. /usr/lib/jvm/jdk1.7.0/bin/java -version

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
$ /usr/lib/jvm/jdk1.7.0/bin/java -version
java version "1.7.0"
Java(TM) SE Runtime Environment (build 1.7.0-b147)
Java HotSpot(TM) Server VM (build 21.0-b17, mixed mode)
ACTUAL -
$ /usr/lib/jvm/jdk1.7.0/bin/java -version
/usr/lib/jvm/jdk1.7.0/bin/java: error while loading shared libraries: libjli.so: cannot open shared object file: No such file or directory

ERROR MESSAGES/STACK TRACES THAT OCCUR :
/usr/lib/jvm/jdk1.7.0/bin/java: error while loading shared libraries: libjli.so: cannot open shared object file: No such file or directory

REPRODUCIBILITY :
This bug can be reproduced always.

Comments
EVALUATION NOTE: when adding such capabilities, please try to understand the restrictions the runtime loader (rtld aka. ld.so) imposes on executables (suid, setcap and so on) such that they can masquerade as a privileged user.
23-08-2011

EVALUATION
This is a duplicate of 6919633. Just to be sure, I went through the gyrations of reproducing the issue; this is what needs to be done:

% ./jdk1.7.0/bin/java -version
java version "1.7.0"
Java(TM) SE Runtime Environment (build 1.7.0-b148)
Java HotSpot(TM) Client VM (build 21.0-b18, mixed mode)
% sudo setcap -v cap_net_bind_service=+ep ./jdk1.7.0/bin/java
./jdk1.7.0/bin/java differs in [pe]
% sudo setcap cap_net_bind_service=+ep ./jdk1.7.0/bin/java
% sudo setcap -v cap_net_bind_service=+ep ./jdk1.7.0/bin/java
./jdk1.7.0/bin/java: OK
// note ldconfig may not work immediately, depending on the kernel,
// a reboot may do the trick to rebuild the ld.so cache.
% ldconfig -v 2>&1 | grep jli
/home/XX/jdk1.7.0/jre/lib/i386/jli:
        libjli.so -> libjli.so
% ./jdk1.7.0/bin/java -version
java version "1.7.0"
Java(TM) SE Runtime Environment (build 1.7.0-b148)
Java HotSpot(TM) Client VM (build 21.0-b18, mixed mode)
23-08-2011
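
An added example (not part of the bug report or the JDK): a POSIX shell check for an ld.so.conf.d fragment written for a setcap launcher. A binary with file capabilities runs in the loader's secure-execution mode, where LD_LIBRARY_PATH is ignored, so the library directory has to reach the loader through the ld.so cache; ld.so.conf entries must be directories, and a directory trusted for a capability-bearing binary should not be group- or world-writable. The function name `audit_ldconf`, the verdict strings and the temporary tree are constructed for illustration.

```shell
#!/bin/sh
# Audit an ld.so.conf.d fragment; prints one verdict per entry:
#   OK <dir>                    usable directory
#   NOT_A_DIR <file> -> <dir>   entry names a file; ldconfig wants its directory
#   WRITABLE <dir>              group/world-writable, unsafe for a setcap binary
#   MISSING <path>              nothing exists at that path
audit_ldconf() {
    conf=$1
    while IFS= read -r entry || [ -n "$entry" ]; do
        # Skip blank lines, comments and include directives.
        case $entry in ''|'#'*|include*) continue ;; esac
        if [ -f "$entry" ]; then
            echo "NOT_A_DIR $entry -> $(dirname "$entry")"
        elif [ ! -d "$entry" ]; then
            echo "MISSING $entry"
        elif [ -n "$(find "$entry" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "WRITABLE $entry"
        else
            echo "OK $entry"
        fi
    done < "$conf"
}

# Constructed sample tree mirroring the layout in the report (not a real JDK).
demo() {
    root=$(mktemp -d) || return 1
    jli=$root/jdk1.7.0/jre/lib/i386/jli
    mkdir -p "$jli" && : > "$jli/libjli.so" && chmod 755 "$jli"
    printf '%s\n' "$jli/libjli.so" > "$root/file-entry.conf"   # entry is a file path
    printf '%s\n' "$jli" > "$root/dir-entry.conf"              # entry is the directory
    audit_ldconf "$root/file-entry.conf"
    audit_ldconf "$root/dir-entry.conf"
    chmod 777 "$jli"                                           # simulate loose permissions
    audit_ldconf "$root/dir-entry.conf"
    rm -rf "$root"
}
demo
```

Run it against the fragment before `sudo ldconfig`; a NOT_A_DIR line means the entry names libjli.so itself rather than the jli directory that contains it.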