-
Notifications
You must be signed in to change notification settings - Fork 10.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
From Guava 32.0.1-jre, Files.createTempDir() and FileBackedOutputStream can fail or create un-deletable directories/files when used from a Windows service #6634
Comments
Thanks for all the details. At first glance, I'm puzzled: We test that we can delete the directory, and we have had our tests running under Windows. We have also tested manually under Windows, as have other users, and we've heard of apps that started working again at 32.0.1. So there must be some variation between systems that accounts for this. One thing that I'd wondered was whether the system property One frustrating part of this is that we might not need to set explicit permissions at all: The Windows temporary directory is very likely to be secure, and the Java's Linux implementation appears to set restricted permissions by default (but its docs are coy about this). Maybe I should just rip out all the permissions code. I've been hesitant to do so because it would look quite bad if such a change somehow reintroduced the security bug. (And of course now we've already had a bunch of releases in quick succession....) Does anything about the username issue give you any ideas? Does anyone else have thoughts? |
Does that sound like the situation you're in? Hmm, and regardless, could you have a look at the "e:\xxxxxxx\target" directory and see if it's world-readable? If it's world-readable, then that shows that we do need to set directory permissions for maximum security in this case. If it's not, then that's another data point in favor of the idea that the Windows temporary directory is always secure. |
Wow, I don't even remember hearing about the At this point, I would love to get away with keeping things as they are. And we might get away with it if you're in a position to migrate off our method and onto Aside from my idea of mapping COMPUTERNAME$ to SYSTEM, I could also see making Guava read a system property (or maybe environment variable, which feels marginally safer, since Java doesn't let programs mutate environment variables) that lets you disable setting the ACL. Would you be in a position to set the system property or environment variable? And, similarly, for the idea of rewriting user.name: Are you able to test running your Java app with |
I'm sure there's context I'm not remembering, but just to double-check: did we determine that it is in fact necessary to explicitly set the ACL when creating temp dirs on Windows, as opposed to passing no |
Hello, to cgdecker: I'm not in Guava team but I know that the default windows temp dir is user-specific. So from my (limited) point of view, there is not really a need to set anything specific. In my case I explicitly tell Java to use another dir (through to cpovirk 1-: please do not modify anything for me. I already simply moved my tests away from using Guava's to cpovirk 2-: you were right, launching my tests with for the record, the problem mentioned in JENKINS-71375 is specific to version 32.0.0-jre and was corrected in 32.0.1-jre and I think that only daemon services (and maybe especially the ones changing the default temp dir like I did) will be hurt with the same bug as described here. |
Thanks for the additional details and testing. It does seem extremely likely that plain I'm going to re-title this bug to reflect that it applies just to the daemon case. If we end up hearing from more affected users, we can reevaluate. Thanks for your flexibility. |
@cpovirk
windows version
trying to workarround by setting |
Across various OSs, there are different environment variable names for username. For example, USERNAME in Windows and USER in Linux. |
Thanks. Are any of the Windows Services users in a position to see what |
I'm going to implement that approach now, since the Stack Overflow question sounds like just the same situation. |
…_services_, a rare use case. Fixes #6634 Relevant to #2686 in that it shows that we would ideally run our Windows testing under both Java 8 *and* a newer version.... RELNOTES=`io`: Fixed `Files.createTempDir` and `FileBackedOutputStream` under [Windows _services_, a rare use case](#6634). PiperOrigin-RevId: 568604081
Fix `Files.createTempDir` and `FileBackedOutputStream` under Windows _services_, a rare use case. Fixes #6634 Relevant to #2686 in that it shows that we would ideally run our Windows testing under both Java 8 *and* a newer version.... RELNOTES=`io`: Fixed `Files.createTempDir` and `FileBackedOutputStream` under [Windows _services_, a rare use case](#6634). PiperOrigin-RevId: 568604081
…ting Fix `Files.createTempDir` and `FileBackedOutputStream` under Windows _services_, a rare use case. Fixes #6634 Relevant to #2686 in that it shows that we would ideally run our Windows testing under both Java 8 *and* a newer version.... RELNOTES=`io`: Fixed `Files.createTempDir` and `FileBackedOutputStream` under [Windows _services_, a rare use case](#6634). PiperOrigin-RevId: 568604081
…_services_, a rare use case. Fixes #6634 Relevant to #2686 in that it shows that we would ideally run our Windows testing under both Java 8 *and* a newer version.... RELNOTES=`io`: Fixed `Files.createTempDir` and `FileBackedOutputStream` under [Windows _services_, a rare use case](#6634). PiperOrigin-RevId: 568604081
…_services_, a rare use case. Fixes #6634 Relevant to #2686 in that it shows that we would ideally run our Windows testing under both Java 8 *and* a newer version.... RELNOTES=`io`: Fixed `Files.createTempDir` and `FileBackedOutputStream` under [Windows _services_, a rare use case](#6634). PiperOrigin-RevId: 568604081
Which version of Java are those of you who are affected using? The fix I've been working on would work for Java 9+. If you need support for Java 8, then I would need to add another fix specific to that case. |
thanks @cpovirk , I'm using Java11 |
thanks @cpovirk , we are using java 17 LTS |
Thanks, I'll stick with the Java 9+ solution for now, then. Also, I've retitled this bug to reflect that even creating the directories can fail. If all goes well, I'll submit the fix this week. Then it's just a question of how soon we do a release. How did the workaround of setting |
Aside: Somehow my Google search for "ProcessHandle.current().info().user().get()" turns up only one web page. Luckily, my earlier, different search had turned up the Stack Overflow answer with that content anyway... somehow. This was almost as bad as finding a web page that explains how to set an ACL in the first place :) |
Copy pasting from a previous message above, it seems the user.name workaround worked well in my tests at the time ;)
|
Oops, sorry, I'd seen that but had wanted to check with @Uli-Tiger, since this new problem was slightly different. But I do still expect your workaround to address it. |
Because the java process is launched from another process, i couldn't easily inject that system property. Instead i just let the Jenkins service run with an ordinary Admin User instead of the local service account. That works now fine. |
I've found them to be [flaky](#6731 (comment)). We already [skip](#2130) some tests under Windows, so what's two more (especially only under Java 8, which I didn't include when setting up [Windows CI](#2686) and which I was testing only as part of #6634)? RELNOTES=n/a PiperOrigin-RevId: 568645480
I've found them to be [flaky](#6731 (comment)). We already [skip](#2130) some tests under Windows, so what's two more (especially only under Java 8, which I didn't include when setting up [Windows CI](#2686) and which I was testing only as part of #6634)? RELNOTES=n/a PiperOrigin-RevId: 570103461
…_services_ (at least under JDK 9+), a rare use case. Fixes #6634 Relevant to #2686 in that it shows that we would ideally run our Windows testing under both Java 8 *and* a newer version.... RELNOTES=`io`: Fixed `Files.createTempDir` and `FileBackedOutputStream` under [Windows _services_, a rare use case](#6634). (The fix actually covers only Java 9+ because Java 8 would require an additional approach. Let us know if you need support under Java 8.) PiperOrigin-RevId: 568604081
``` Building and deploying the android flavor (this may take a while)... [ERROR] We have duplicated artifacts attached. [ERROR] Failed to execute goal org.apache.maven.plugins:maven-source-plugin:3.3.0:jar (attach-sources) on project guava: Presumably you have configured maven-source-plugn to execute twice times in your build. You have to configure a classifier for at least on of them. -> [Help 1] ``` I had fixed the same issue with _snapshot_ deployment in cl/559489724 (by no longer passing `source:jar` to `mvn`), but apparently that fix doesn't apply to _release_ deployment. I'm guessing that the relevant part of our release command is `-Psonatype-oss-release`, which (among other things) [activates a `maven-source-plugin` configuration change](https://github.com/google/guava/blob/a78bea41aedba50469641968ee3d98b24836e491/pom.xml#L329-L334): Presumably that introduces a second `maven-source-plugn` execution in much the same way as passing `source:jar` does. I previously fixed a similar problem in jimfs (cl/536746714) by removing the "normal" `maven-source-plugin` configuration, leaving only the `sonatype-oss-release` configuration in the parent. (I don't remember whether I investigated removing the `sonatype-oss-release` configuration instead. Probably I should have at least investigated.) So I'm doing the same for Guava in this CL. Hopefully this won't interfere with _snapshot_ source jars, which currently are produced even without `source:jar` but might no longer be. If it does cause problems, then I should _definitely_ investigate removing the `sonatype-oss-release` configuration instead. (Encouragingly, [jimfs snapshots](https://oss.sonatype.org/content/repositories/snapshots/com/google/jimfs/jimfs/HEAD-SNAPSHOT/) appear to be fine... _but_ jimfs [still passes `source:jar`](https://github.com/google/jimfs/blob/acb81e8718adf2527be105c6c9b130ec788c9877/.github/workflows/ci.yml#L81).... So I do somewhat expect this to blow up—but, on the bright side, to also teach me something, at which point maybe we can get the config right for both these projects and others to come.) (I went to check whether `guava-*-source.jar` was still being generated in my test release. But somehow I see _no_ jars under `guava/target`, even as I see all(?) the expected ones under `guava-testlib`, etc. I wonder if the release script did a little housekeeping? Sigh, this is really going to blow up, isn't it?) (Notice that the configuration that may be the source of the problem was copied from the old `oss-parent` pom. This is at least the second time that that pom's configuration has caused us trouble, the other I recall being cl/492304151—well, and probably the aforementioned jimfs source-jar issue, too.) This prepares for the release that contains the fix for #6634, among other issues. RELNOTES=n/a PiperOrigin-RevId: 571437790
``` Building and deploying the android flavor (this may take a while)... [ERROR] We have duplicated artifacts attached. [ERROR] Failed to execute goal org.apache.maven.plugins:maven-source-plugin:3.3.0:jar (attach-sources) on project guava: Presumably you have configured maven-source-plugn to execute twice times in your build. You have to configure a classifier for at least on of them. -> [Help 1] ``` I had fixed the same issue with _snapshot_ deployment in cl/559489724 (by no longer passing `source:jar` to `mvn`), but apparently that fix doesn't apply to _release_ deployment. I'm guessing that the relevant part of our release command is `-Psonatype-oss-release`, which (among other things) [activates a `maven-source-plugin` configuration change](https://github.com/google/guava/blob/a78bea41aedba50469641968ee3d98b24836e491/pom.xml#L329-L334): Presumably that introduces a second `maven-source-plugn` execution in much the same way as passing `source:jar` does. I previously fixed a similar problem in jimfs (cl/536746714) by removing the "normal" `maven-source-plugin` configuration, leaving only the `sonatype-oss-release` configuration in the parent. I don't remember whether I investigated removing jimfs' `sonatype-oss-release` configuration instead. Probably I should have at least investigated, since that's what we're going with here. As best I can tell, this doesn't interfere with _snapshot_ source jars, which are produced even without `source:jar`. (Notice that the configuration that may be the source of the problem was copied from the old `oss-parent` pom. This is at least the second time that that pom's configuration has caused us trouble, the other I recall being cl/492304151—well, and probably the aforementioned jimfs source-jar issue, too.) This prepares for the release that contains the fix for #6634, among other issues. RELNOTES=n/a PiperOrigin-RevId: 571437790
``` Building and deploying the android flavor (this may take a while)... [ERROR] We have duplicated artifacts attached. [ERROR] Failed to execute goal org.apache.maven.plugins:maven-source-plugin:3.3.0:jar (attach-sources) on project guava: Presumably you have configured maven-source-plugn to execute twice times in your build. You have to configure a classifier for at least on of them. -> [Help 1] ``` I had fixed the same issue with _snapshot_ deployment in cl/559489724 (by no longer passing `source:jar` to `mvn`), but apparently that fix doesn't apply to _release_ deployment. I'm guessing that the relevant part of our release command is `-Psonatype-oss-release`, which (among other things) [activates a `maven-source-plugin` configuration change](https://github.com/google/guava/blob/a78bea41aedba50469641968ee3d98b24836e491/pom.xml#L329-L334): Presumably that introduces a second `maven-source-plugn` execution in much the same way as passing `source:jar` does. I previously fixed a similar problem in jimfs (cl/536746714) by removing the "normal" `maven-source-plugin` configuration, leaving only the `sonatype-oss-release` configuration in the parent. I don't remember whether I investigated removing jimfs' `sonatype-oss-release` configuration instead. Probably I should have at least investigated, since that's what we're going with here. As best I can tell, this doesn't interfere with _snapshot_ source jars, which are produced even without `source:jar`. (Notice that the configuration that may be the source of the problem was copied from the old `oss-parent` pom. This is at least the second time that that pom's configuration has caused us trouble, the other I recall being cl/492304151—well, and probably the aforementioned jimfs source-jar issue, too.) This prepares for the release that contains the fix for #6634, among other issues. RELNOTES=n/a PiperOrigin-RevId: 572327204
``` Building and deploying the android flavor (this may take a while)... [ERROR] We have duplicated artifacts attached. [ERROR] Failed to execute goal org.apache.maven.plugins:maven-source-plugin:3.3.0:jar (attach-sources) on project guava: Presumably you have configured maven-source-plugn to execute twice times in your build. You have to configure a classifier for at least on of them. -> [Help 1] ``` I had fixed the same issue with _snapshot_ deployment in cl/559489724 (by no longer passing `source:jar` to `mvn`), but apparently that fix doesn't apply to _release_ deployment. I'm guessing that the relevant part of our release command is `-Psonatype-oss-release`, which (among other things) [activates a `maven-source-plugin` configuration change](https://github.com/google/guava/blob/a78bea41aedba50469641968ee3d98b24836e491/pom.xml#L329-L334): Presumably that introduces a second `maven-source-plugn` execution in much the same way as passing `source:jar` does. I previously fixed a similar problem in jimfs (cl/536746714) by removing the "normal" `maven-source-plugin` configuration, leaving only the `sonatype-oss-release` configuration in the parent. I don't remember whether I investigated removing jimfs' `sonatype-oss-release` configuration instead. Probably I should have at least investigated, since that's what we're going with here. As best I can tell, this doesn't interfere with _snapshot_ source jars, which are produced even without `source:jar`. (Notice that the configuration that may be the source of the problem was copied from the old `oss-parent` pom. This is at least the second time that that pom's configuration has caused us trouble, the other I recall being cl/492304151—well, and probably the aforementioned jimfs source-jar issue, too.) This prepares for the release that contains the fix for #6634, among other issues. RELNOTES=n/a PiperOrigin-RevId: 572327204
For anyone who's following here but not following our repo as a whole: The fix for this is part of last week's https://github.com/google/guava/releases/tag/v32.1.3. If you see any problems with that version, please let us know. |
Hello I rencently upgraded from 31.1-jre to 32.0.1-jre.
FYI 32.0.0-jre was KO because of the then-corrected-in-32.0.1-jre error: java.lang.UnsupportedOperationException: 'posix:permissions' not supported as initial attribute. So let's not talk about this version.
In 32.0.1-jre the method Files.createTempDir() has been modified and a program RUNNING ON WINDOWS is now unable to delete its own folders created by this call.
Here is a sample creating a folder with java's own "createTempDirectory" and deleting it (this works fine) and then the same with Guava and it cannot delete it's own folder created with guava.
Here are the (desidentified) trace and there is a huge difference beween both calls:
The text was updated successfully, but these errors were encountered: