Config.xml cannot be modified in 8.1 if using a setUID script. (Doc ID 774691.1)

Last updated on JUNE 03, 2024

Applies to:

Oracle WebLogic Server - Version 8.1 and later
Information in this document applies to any platform.

Goal

Customer uses setUID scripts to run WebLogic.
The principle is that there is one startup script, owned by a privileged user called "<ADMIN USER>".
The Unix command "chmod ug+s <script file>" is run on that script, making this script runnable by any
user (say "<USER1>"), who would at execution automatically become "<ADMIN USER>".
There is then one effective user, "<ADMIN USER>", and one real user, "<USER1>".
Under WLS 7.0 (JVM 1.3.1) there is no problem: "<USER1>" can run the startup script, becoming
"<ADMIN USER>", and is able to modify the config.xml file.
Under WLS 8.1 (JVM 1.4.1-02), "<USER1>" can run the script, but writing to config.xml fails.
By studying the truss output for both processes, we discovered that for 8.1 there is a system call, access(),
that returns an error. That system call is responsible for checking permissions to write a file for both the real user
and the effective user:
 access("./config.xml", 2)                       Err#13 EACCES
 access("./config.xml", 2)                       Err#13 EACCES
This system call is not invoked from WLS 7.0, hence the difference in behavior.

Although it looks like a JVM issue, the customer is not convinced at all, and would like to understand why only
config.xml is affected by these new JVM measures.

The access() function checks the file named by the pathname pointed to by the path argument for accessibility according to the bit pattern contained in amode, using the real user ID in place of the effective user ID and the real group ID in place of the effective group ID. This allows a setuid process to verify that the user running it would have had permission to access this file.
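
The difference between a real-ID check and an effective-ID check can be seen with a small C program. This is an added example, not part of the Oracle note or of WebLogic: the helper names writable_as_real, writable_as_effective and ids_differ are hypothetical, and faccessat() with AT_EACCESS is used here as the effective-ID counterpart of access().

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* faccessat(), AT_EACCESS */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Write check with the REAL uid/gid: the access(path, 2) seen in truss (W_OK == 2). */
int writable_as_real(const char *path)
{
    return access(path, W_OK) == 0 ? 0 : errno;
}

/* Same check with the EFFECTIVE uid/gid, the identity open() would use. */
int writable_as_effective(const char *path)
{
    return faccessat(AT_FDCWD, path, W_OK, AT_EACCESS) == 0 ? 0 : errno;
}

/* 1 when the process runs under a setuid/setgid identity, 0 otherwise. */
int ids_differ(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "./config.xml";
    int r = writable_as_real(path), e = writable_as_effective(path);

    printf("real uid=%ld, effective uid=%ld\n", (long)getuid(), (long)geteuid());
    printf("access() as real user:   %s\n", r ? strerror(r) : "writable");
    printf("check as effective user: %s\n", e ? strerror(e) : "writable");
    if (ids_differ() && r == EACCES && e == 0)
        puts("effective user may write, but access() answers for the real user");
    return 0;
}
```

Run as an ordinary user, both checks agree; they diverge only when the binary is installed setuid and the file is writable by the owner alone.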

Solution
