Friday, November 14, 2014

Linux/Java -- Java Class Permissions, watch out for chmod 77!

We had an unexpected error in the EBS login flow. It was obvious that there was a problem while executing the Java classes. The error was displayed in the browser as Unexpected, but there were no details about it. Apache was displaying class-not-found errors for a class located in $JAVA_TOP, but the class name was not written in the Apache error log file.

As I knew the login flow, I checked the Java class directories, specifically the classes that play a role in the login flow of EBS, and I suddenly saw something weird in the permissions of the SessionMgr.class file.

The permissions of SessionMgr.class were as follows:

----rwxrwx 1 applprod applprod 33642 Nov 14 16:32 SessionMgr.class

Okay. When we decode it, it is 000 111 111 in binary, which corresponds to 077 in the language of the chmod utility.

Then I checked the history and found the following:

chmod 77 SessionMgr.class

So it was obvious that someone had accidentally used chmod 77 instead of chmod 777.
As you may know, these numbers specify the permissions for each class of user.
First digit is for: Owner
Second digit is for: Group
Third digit is for: Others

Each of those digits, written in binary, has three bits:

first bit is for: read
second bit is for: write
third bit is for: execute

So chmod 777 means: Owner, Group and Others can read, write and execute this file.

On the other hand, when you change the permissions of the file using chmod 77, it is interpreted as chmod 077, not as 770. Thus the owner cannot read, write or execute the file, and the problem arises.

Okay.
It is also important to know the required Java class permissions on a server.

Again, let's see the 077 effect on a Java class:
[applprod@erman tmp]$ ls -al HelloWorld.class 
----rwxrwx 1 applprod applprod 427 Nov 14 17:04 HelloWorld.class

 java -classpath /tmp HelloWorld
Exception in thread "main" java.lang.NoClassDefFoundError: HelloWorld
Caused by: java.lang.ClassNotFoundException: HelloWorld
        at java.net.URLClassLoader$1.run(URLClassLoader.java:197)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.net.URLClassLoader.findClass(URLClassLoader.java:188)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:307)
        at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:301)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:252)
        at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:320)
Caused by: java.io.FileNotFoundException: /tmp/HelloWorld.class (Permission denied)
        at java.io.FileInputStream.open(Native Method)
        at java.io.FileInputStream.<init>(FileInputStream.java:106)
        at sun.misc.URLClassPath$FileLoader$1.getInputStream(URLClassPath.java:1001)
        at sun.misc.Resource.cachedInputStream(Resource.java:59)
        at sun.misc.Resource.getByteBuffer(Resource.java:154)
        at java.net.URLClassLoader.defineClass(URLClassLoader.java:249)
        at java.net.URLClassLoader.access$000(URLClassLoader.java:56)
        at java.net.URLClassLoader$1.run(URLClassLoader.java:195)
        ... 6 more
Could not find the main class: HelloWorld.  Program will exit.

Now see it with chmod 400:

[applprod@erman tmp]$ ls -al HelloWorld.class 
-r-------- 1 applprod applprod 427 Nov 14 17:04 HelloWorld.class
[applprod@tegvoracle tmp]$ java -classpath /tmp HelloWorld
Hello, World!

So java works with read permission. Only with read permission.
It seems this is because the class file is read and interpreted by the java command. Java does not execute the class file directly, so it does not need execute permission for that.

So for a class to be executed, chmod 400 is enough. I mean, the owner of the file should be the one who needs to execute it, and the permissions can be 400.

It is like sh. In order to execute a script with sh, you only need read permission on it, as in the following:

-r-----r-- 1 applprod applprod     9 Nov 14 17:25 erm3
[oraprod@erman tmp]$ sh erm3    (note: different user, but with read permission)
erm

Keep that in mind.
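
The check below is an added example, not part of the original post: it reproduces the chmod 77 / 077 parsing on constructed sample files and audits a directory tree for class files the owner cannot read, and for class files that accounts other than the owner can overwrite (the side effect of the intended chmod 777). The function names mode_of, audit_class_perms and demo are hypothetical.

```shell
#!/bin/sh
# Added example: audit .class files for the permission mistakes discussed above.

# mode_of FILE: print the 10-character mode string from ls (e.g. ----rwxrwx)
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# audit_class_perms DIR: print one finding per line as "<TAG> <path>"
audit_class_perms() {
    # Owner read bit (0400) missing: a JVM running as the owner cannot load the class.
    find "$1" -type f -name '*.class' ! -perm -400 -print |
        sed 's/^/OWNER_CANNOT_READ /'
    # Group or other write bit set (0020 / 0002): other accounts can replace the bytecode.
    find "$1" -type f -name '*.class' \( -perm -020 -o -perm -002 \) -print |
        sed 's/^/WRITABLE_BY_NON_OWNER /'
}

# demo: build constructed sample files in a temp directory and audit them
demo() {
    d=$(mktemp -d) || return 1
    for f in Typo Minimal Wide; do : > "$d/$f.class"; done
    chmod 77  "$d/Typo.class"     # parsed as 077, as in the post
    chmod 400 "$d/Minimal.class"  # owner read only, enough for java to load it
    chmod 777 "$d/Wide.class"     # what was probably intended
    for f in Typo Minimal Wide; do
        printf '%s %s.class\n' "$(mode_of "$d/$f.class")" "$f"
    done
    audit_class_perms "$d" | sed "s|$d/||"
    rm -rf "$d"
}

demo
```

On a real system, point audit_class_perms at the class directory (for example $JAVA_TOP) and run it as the account that owns the files.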
