IBM Support

IV00118: RESTRICT CHANGING SHARED CLASS CACHE PARENT DIRECTORIES PERMISSIONS

APAR status

  • Closed as program error.

Error description

  • Error Message: Adding new functionality to restrict changing
    shared class cache parent directories permissions
    .
    Stack Trace: N/A
    .
    

Local fix

Problem summary

  • When using the JRE shared class cache on Linux, AIX and z/OS,
    the JRE changes the permissions of the cache file parent
    directories to 777 (user+group+world read+write+execute) at
    every startup.
      Some application architectures use a separate cache file for
    each user, so the cache files are kept in the user's home
    directory. Having the JRE grant world permissions on a user
    directory (located in the user's home tree) is a security
    exposure.
    

Problem conclusion

  • This defect will be fixed in:
    6.0.0 SR10
    .
      Added Shared Classes option of
    -Xshareclasses:cacheDirPerm=<permission>
      Sets UNIX-style permissions when creating a cache directory.
    <permission> must be a number in the ranges 0700 - 0777 or 1700
    - 1777. If <permission> is not valid, the JVM terminates with an
    appropriate error message.
      The permissions specified by this suboption are used only when
    creating a new cache directory. If the cache directory already
    exists, this suboption is ignored and the cache directory
    permissions are not changed.
      If you set this suboption to 0000, the default directory
    permissions are used. If you set this suboption to 1000, the
    machine default directory permissions are used, but the sticky
    bit is enabled.
      If the cache directory is the platform default directory,
    /tmp/javasharedresources, the cacheDirPerm suboption is ignored
    and the cache directory permissions are set to 777.
    .
    z/OS only:
      - If you do not set the cacheDirPerm suboption, and the cache
        directory does not already exist, a new directory is created
        with permissions set to 777, for compatibility with earlier
        Java versions. Permissions for existing cache directories
        are unchanged, to avoid generating RACF errors, which
        generate log messages.
    Linux, AIX:
      - If you do not set the cacheDirPerm suboption, permissions
        for both new and existing cache directories are set to 777,
        for compatibility with earlier Java versions.
    Windows:
      - This option is not used on Windows.
    .
    To obtain the fix:
    Install build 20110511 or later
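
    The rules above can be checked before the JVM is launched. The
    following shell functions are an added example, not IBM code: they
    validate a cacheDirPerm value against the documented ranges, list
    world-writable directories between a cache directory and the
    user's home, and build the option string. The function names and
    the cacheDir= pairing are this example's choices, and the
    validator assumes the value is written with all four digits.

```sh
# Added example (not IBM code): checks around -Xshareclasses:cacheDirPerm.
# Function names and any paths passed in are hypothetical.

# Accept only the values the APAR documents: 0000, 1000,
# 0700-0777 and 1700-1777 (octal). Assumption: four digits are given.
valid_cache_dir_perm() {
    case "$1" in
        0000|1000) return 0 ;;
        07[0-7][0-7]|17[0-7][0-7]) return 0 ;;
        *) return 1 ;;
    esac
}

# Print every world-writable directory from $1 up to and including $2.
# Both arguments are absolute paths, with $1 at or below $2.
world_writable_dirs() {
    d=$1
    while :; do
        if [ -d "$d" ]; then
            # -prune limits find to the directory itself
            find "$d" -prune -type d -perm -0002 -print
        fi
        if [ "$d" = "$2" ] || [ "$d" = "/" ]; then break; fi
        d=$(dirname "$d")
    done
}

# Build the JVM option for a per-user cache directory ($1) and mode ($2).
# Refuses the platform default directory, where cacheDirPerm is ignored.
shareclasses_opt() {
    dir=${1%/}
    if [ "$dir" = "/tmp/javasharedresources" ]; then
        echo "cacheDirPerm is ignored for $dir (always 777)" >&2
        return 2
    fi
    if ! valid_cache_dir_perm "$2"; then
        echo "invalid cacheDirPerm value: $2" >&2
        return 1
    fi
    printf '%s\n' "-Xshareclasses:cacheDir=$dir,cacheDirPerm=$2"
}
```

    On Linux and AIX, existing cache directories are reset to 777
    only when cacheDirPerm is not set, so pass the option even when
    the directory already exists with the mode you want.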
    

Temporary fix

Comments

APAR Information

  • APAR number

    IV00118

  • Reported component name

    J9 COMMON CODE

  • Reported component ID

    620700127

  • Reported release

    600

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2011-05-10

  • Closed date

    2011-05-11

  • Last modified date

    2011-05-11

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    J9 COMMON CODE

  • Fixed component ID

    620700127

Applicable component levels

  • R600 PSY

       UP

Document Information

Modified date:
11 May 2011