APAR status
Closed as program error.
Error description
Error Message: Adding new functionality to restrict changing shared class cache parent directories permissions. Stack Trace: N/A.
Local fix
Problem summary
When using the JRE shared class cache on Linux, AIX and z/OS, on every startup the JRE changes the permissions of the cache file's parent directories to 777 (user+group+world read+write+execute). Some application architectures use a separate cache file for each user, and so the cache files are kept in the user's home directory. Having the JRE grant world permissions on a user directory (located in the user's home tree) is a security exposure.
Problem conclusion
This defect will be fixed in: 6.0.0 SR10.

Added Shared Classes option -Xshareclasses:cacheDirPerm=<permission>. It sets UNIX-style permissions when creating a cache directory. <permission> must be a number in the ranges 0700 - 0777 or 1700 - 1777. If <permission> is not valid, the JVM terminates with an appropriate error message.

The permissions specified by this suboption are used only when creating a new cache directory. If the cache directory already exists, this suboption is ignored and the cache directory permissions are not changed.

If you set this suboption to 0000, the default directory permissions are used. If you set this suboption to 1000, the machine default directory permissions are used, but the sticky bit is enabled.

If the cache directory is the platform default directory, /tmp/javasharedresources, the cacheDirPerm suboption is ignored and the cache directory permissions are set to 777.

z/OS only - If you do not set the cacheDirPerm suboption, and the cache directory does not already exist, a new directory is created with permissions set to 777, for compatibility with earlier Java versions. Permissions for existing cache directories are unchanged, to avoid generating RACF errors, which generate log messages.

Linux, AIX - If you do not set the cacheDirPerm suboption, permissions for both new and existing cache directories are set to 777, for compatibility with earlier Java versions.

Windows - This option is not used on Windows.

To obtain the fix: Install build 20110511 or later.
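Because cacheDirPerm is ignored for a cache directory that already exists, directories opened to 777 by earlier startups stay that way after the fix is installed. The following is an added example, not part of the APAR or IBM code, that finds and tightens them; the function names, the paths and the cache name in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example (not IBM code): audit a per-user shared class cache
# directory and its parents for the world-writable mode described above.

# Print every directory from the cache directory ($1) up to and including
# the top of the tree to inspect ($2, e.g. the user's home) that has o+w.
world_writable_dirs() {
    dir=$(cd "$1" && pwd -P) || return 2
    top=$(cd "$2" && pwd -P) || return 2
    while :; do
        # -prune keeps find on this one directory; -perm -0002 matches o+w.
        find "$dir" -prune -type d -perm -0002 -print
        [ "$dir" = "$top" ] && break
        [ "$dir" = "/" ] && break      # $2 was not an ancestor of $1
        dir=$(dirname "$dir")
    done
}

# Reset the directories reported above to mode $3 (default 0700).
# This has to be done by hand: cacheDirPerm only applies when the JVM
# creates a new cache directory.
tighten_dirs() {
    mode=${3:-0700}
    world_writable_dirs "$1" "$2" | while IFS= read -r d; do
        chmod "$mode" "$d"
    done
}

# Typical use (constructed paths and cache name):
#   world_writable_dirs "$HOME/app/cache" "$HOME"
#   tighten_dirs        "$HOME/app/cache" "$HOME" 0700
#   java -Xshareclasses:name=appcache,cacheDir="$HOME/app/cache",cacheDirPerm=0700 ...
```

On Linux and AIX the launch line must keep carrying cacheDirPerm, since without it permissions for existing cache directories are set to 777 again.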
Temporary fix
Comments
APAR Information
APAR number
IV00118
Reported component name
J9 COMMON CODE
Reported component ID
620700127
Reported release
600
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2011-05-10
Closed date
2011-05-11
Last modified date
2011-05-11
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
J9 COMMON CODE
Fixed component ID
620700127
Applicable component levels
R600 PSY
UP
Document Information
Modified date:
11 May 2011