[
https://issues.apache.org/jira/browse/LOG4J2-3117?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17379438#comment-17379438
]
Paul Burrowes edited comment on LOG4J2-3117 at 7/12/21, 10:31 PM:
------------------------------------------------------------------
I don't expect async actions to need a {{doPrivileged()}} wrapper as they are
being run in a thread created in a privileged context. The difficulty with sync
actions and file creation is caused by them being executed in the security
context of the code that called {{log().}} If plugins were to be injected from
an unprivileged context this would be necessary but supporting that seems
unhelpful. I will check this belief that async actions have sufficient
privileges.
was (Author: pburrowesoc):
I don't expect async actions to need a {{doPrivileged()}} wrapper as they are
being run in a thread created in a privileged context. The difficulty with sync
actions and file creation is caused by them being executed in the security
context of the code that called {{log().}} If plugins were to be injected from
an unprivileged context this would be necessary but supporting that seems
unhelpful. I will check this belief.
> Log rollover throws AccessControlException if called from an unprivileged
> context
> ---------------------------------------------------------------------------------
>
> Key: LOG4J2-3117
> URL: https://issues.apache.org/jira/browse/LOG4J2-3117
> Project: Log4j 2
> Issue Type: Bug
> Reporter: Paul Burrowes
> Priority: Minor
>
> Similar to LOG4J2-150. When using a security manager, logging from an
> unprivileged context can attempt to access system properties directly.
> Attempting to hack around this with a custom {{RolloverStrategy}} shows that
> other privileged actions such as creating files during rollover (done
> directly in {{RollingFileManager}}) also fail. I believe rollover should be
> performed inside a {{doPrivileged}} block to address these issues.
> {code:java}
> java.security.AccessControlException: access denied
> ("java.util.PropertyPermission" "user.dir" "read")
> at
> java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
> at
> java.security.AccessController.checkPermission(AccessController.java:884)
> at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
> at
> java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1294)
> at java.lang.System.getProperty(System.java:717)
> at java.io.UnixFileSystem.resolve(UnixFileSystem.java:133)
> at java.io.File.getAbsolutePath(File.java:556)
> at
> org.apache.logging.log4j.core.appender.rolling.action.FileRenameAction.execute(FileRenameAction.java:161)
> at
> org.apache.logging.log4j.core.appender.rolling.action.FileRenameAction.execute(FileRenameAction.java:66)
> at
> org.apache.logging.log4j.core.appender.rolling.RollingFileManager.rollover(RollingFileManager.java:369)
> at
> org.apache.logging.log4j.core.appender.rolling.RollingFileManager.rollover(RollingFileManager.java:278)
> at
> org.apache.logging.log4j.core.appender.rolling.RollingFileManager.checkRollover(RollingFileManager.java:218)
> at
> org.apache.logging.log4j.core.appender.RollingFileAppender.append(RollingFileAppender.java:267)
> at
> org.apache.logging.log4j.core.config.AppenderControl.tryCallAppender(AppenderControl.java:156)
> at
> org.apache.logging.log4j.core.config.AppenderControl.callAppender0(AppenderControl.java:129)
> at
> org.apache.logging.log4j.core.config.AppenderControl.callAppenderPreventRecursion(AppenderControl.java:120)
> at
> org.apache.logging.log4j.core.config.AppenderControl.callAppender(AppenderControl.java:84)
> at
> org.apache.logging.log4j.core.config.LoggerConfig.callAppenders(LoggerConfig.java:448)
> at
> org.apache.logging.log4j.core.config.LoggerConfig.processLogEvent(LoggerConfig.java:433)
> at
> org.apache.logging.log4j.core.config.LoggerConfig.log(LoggerConfig.java:417)
> at
> org.apache.logging.log4j.core.config.LoggerConfig.log(LoggerConfig.java:403)
> at
> org.apache.logging.log4j.core.config.AwaitCompletionReliabilityStrategy.log(AwaitCompletionReliabilityStrategy.java:63)
> at org.apache.logging.log4j.core.Logger.logMessage(Logger.java:146)
> at org.apache.log4j.Category.maybeLog(Category.java:452)
> at org.apache.log4j.Category.info(Category.java:262)
> at MySipServlet.sendInviteToMediaServer(MySipServlet.java:614)
> at MySipServlet.doInvite(MySipServlet.java:119)
> at javax.servlet.sip.SipServlet.doRequest(Unknown Source)
> at MySipServlet.doRequest(MySipServlet.java:768)
> at javax.servlet.sip.SipServlet.service(Unknown Source)
> at MyServletHandler$2.call(MyServletHandler.java:344)
> at MyServletHandler$2.call(MyServletHandler.java:341)
> at MyEventHandler.doInvocation(MyEventHandler:182)
> at MyEventHandler.deliverEvent(MyEventHandler:154)
> at MyEventHandler.processEvent(MyEventHandler:98)
> at MyEventRouter.run(MyEventRouter:100)
> at MyContextLogger$1.run(MyContextLogger:24)
> at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> at MyExecutorThreadFactory$1$1.run(MyExecutorThreadFactory:458)
> {code}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
