NetUtil can prevent using Netty due to SecurityManager denial #4936
ejona86 changed the title from "RuntimeException in NetUtil produces unhelpful stack trace" to "NetUtil can prevent using Netty due to SecurityManager denial" on Mar 4, 2016
@ejona86 - Good find ... seems like a bug. You went through all the work to find it ... do you want to submit the patch and get credit for the fix too?

Sure. I'll send a PR

@ejona86 let me take this over from you...

@normanmaurer, fine with me. Enjoy :)
normanmaurer added a commit that referenced this issue on Mar 14, 2016

Motivation:
A custom SecurityManager may prevent calling File.exists() and so throw a SecurityException in the static init block of NetUtil.

Modifications:
Correctly catch the exception and so allow to static init NetUtil.

Result:
Allow static init method of NetUtil to work even with custom SecurityManager.
Fixed by #4977 (comment)
pulllock pushed a commit to pulllock/netty that referenced this issue on Oct 19, 2023

…enial

Motivation:
A custom SecurityManager may prevent calling File.exists() and so throw a SecurityException in the static init block of NetUtil.

Modifications:
Correctly catch the exception and so allow to static init NetUtil.

Result:
Allow static init method of NetUtil to work even with custom SecurityManager.
@carl-mastrangelo and I recently encountered a regression when upgrading to 4.1.0-CR3 due to a51e2c8, with the same error as #3680 ("Unable to create Channel from class" caused by a NoClassDefFoundError). The exception was surprisingly unhelpful; we don't know why Java failed to include the additional cause.

After digging in deeper, we found the problem was due to a SecurityException being thrown from a File.exists call in NetUtil: https://github.com/netty/netty/blob/4.1/common/src/main/java/io/netty/util/NetUtil.java#L248

It seems like the previous fix swapped to doPrivileged(), which increases the cases that the code will work without an exception, but SecurityManagers are still permitted to throw SecurityException. Since the call is intended to be optional, if the SecurityManager denies the call then the code should probably catch the exception and treat it as if the file does not exist.

A custom SecurityManager was being used, but from my reading of AccessController and doPrivileged() the SecurityManager is behaving correctly:

Once we got to this point we worked around the problem by whitelisting /proc/sys/net/core/somaxconn in the SecurityManager. So there's not an active need for a fix, but others may appreciate one.

The backtrace we saw:

Debugging found Security policy violation: ("java.io.FilePermission" "/proc/sys/net/core/somaxconn" "read") at:
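
The handling proposed in the issue (catch the SecurityException inside the privileged action and treat the file as absent), as an added Java sketch; it is not Netty's code or the patch that closed this issue. The names SomaxconnProbe, readBacklog, DeniedFile and the fallback value 128 are assumptions made for the example, and DeniedFile is a constructed stand-in for a SecurityManager that refuses the read.

```java
import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;
import java.security.AccessController;
import java.security.PrivilegedAction;

public final class SomaxconnProbe {
    // Assumed fallback for this sketch; the value is not taken from the issue.
    static final int DEFAULT_BACKLOG = 128;

    /** Best-effort read: a denial or an unreadable file yields the default. */
    static int readBacklog(final File file) {
        // doPrivileged only removes the callers' protection domains from the
        // permission check. A SecurityManager may still refuse the read, so the
        // action handles the denial itself instead of letting it escape into a
        // static initializer, where it would make the class unusable.
        return AccessController.doPrivileged((PrivilegedAction<Integer>) () -> {
            try {
                if (!file.exists()) {            // may throw SecurityException
                    return DEFAULT_BACKLOG;
                }
                try (BufferedReader in = new BufferedReader(new FileReader(file))) {
                    return Integer.parseInt(in.readLine().trim());
                }
            } catch (SecurityException e) {
                return DEFAULT_BACKLOG;          // denied read is treated as "file absent"
            } catch (Exception e) {
                return DEFAULT_BACKLOG;          // missing, empty or malformed content
            }
        });
    }

    /** Constructed stand-in for a SecurityManager denying FilePermission "read". */
    static final class DeniedFile extends File {
        DeniedFile(String path) { super(path); }
        @Override public boolean exists() {
            throw new SecurityException("constructed denial: read " + getPath());
        }
    }

    public static void main(String[] args) {
        String path = "/proc/sys/net/core/somaxconn";
        System.out.println("normal: " + readBacklog(new File(path)));
        System.out.println("denied: " + readBacklog(new DeniedFile(path)));
    }
}
```

AccessController is deprecated for removal since Java 17, so the compiler emits a warning for this class.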