如何防止Java应用程序在GNU/Linux上执行流程？

发布于 2025-01-20 04:05:55 字数 361 浏览 3 评论 0 原文

换句话说，现代GNU/Linux或JVM（理想情况下是Java 11+）是否能够防止Java过程执行其他过程？

诸如Log4shell和Spring4shell之类的问题似乎是可能的，因为JVM允许Java应用程序执行其他程序。

在操作系统级别上，我想可能有一些过程隔离，监狱等，是否有完整的例子？

JVM本身怎么样？使用“ nofollow noreferrer”>安全管理器在最近的版本中消失了，还有哪些选项可以使Java Virtual Machine硬化？

原文

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

半边脸i 2025-01-27 04:05:55

我不确定是否有一个好方法可以做到这一点。
如 rlimit_nproc 限制。

但是，不要为您的Java应用程序这样做 - 您会破坏它。
线程只是Linux上的一种特殊类型，如果限制NPROC，则无法创建新线程。

在运行的Java应用程序上观察此行为

prlimit
...
NPROC      max number of processes                15107     15107 processes

prlimit --pid $(pgrep java) --nproc=10

，然后在Java应用程序的Stdout上

[9816123.415s][warning][os,thread] Failed to start thread - pthread_create failed (EAGAIN) for attributes: stacksize: 2048k, guardsize: 0k, detached.

观察此行为，我尝试了在Docker容器中运行的生产应用程序。

请注意，如果您的过程作为root 运行，则 nproc限制不会执行。

此外，使用简单的clojure repl（或IT的jshell变体）重现它非常容易：

# start a clojure/java process
user=> (require '[clojure.java.shell :as sh])

user=> (dotimes [i 100] (future (sh/sh "sleep" "2")))
nil


# then get change the nproc limit for the process - make sure to pass proper pid
prlimit --pid 2769227 --nproc=99

# then again in the Clojure REPL: 
user=> (dotimes [i 100] (future (sh/sh "sleep" "2")))
[200.656s][warning][os,thread] Failed to start thread - pthread_create failed (EAGAIN) for attributes: stacksize: 1024k, guardsize: 0k, detached.
[200.656s][warning][os,thread] Failed to start thread - pthread_create failed (EAGAIN) for attributes: stacksize: 1024k, guardsize: 0k, detached.
[200.657s][warning][os,thread] Failed to start thread - pthread_create failed (EAGAIN) for attributes: stacksize: 1024k, guardsize: 0k, detached.
[200.657s][warning][os,thread] Failed to start thread - pthread_create failed (EAGAIN) for attributes: stacksize: 1024k, guardsize: 0k, detached.
[200.657s][warning][os,thread] Failed to start thread - pthread_create failed (EAGAIN) for attributes: stacksize: 1024k, guardsize: 0k, detached.
Execution error (OutOfMemoryError) at java.lang.Thread/start0 (Thread.java:-2).
unable to create native thread: possibly out of memory or process/resource limits reached

https://stackoverflow.com/questions/questions/27348744/prevent-frevent-frevent-forevent-frevent-frevent-frevent-frevent-frevent-frevent-frevent-frevent-frevent-frevent-

防止在子过程中分叉：防止子过程中的分叉
nproc是否处于限制。conf是指过程数量或线程数量？ https：https：https：https：
///unix.stackexchange.com/questions/322056/does-nproc-in-limits-conf-refers-conf-refers-to-number-of-processes-orpocesses-or-number-finreads linux 多个java webapps linux on Linux on Linux on linux on Linux total thread the linux in linux
prlimit prlimit：< a href =“ https://manpages.ubuntu.com/manpages/xenial/man1/prlimit.1.html” rel =“ nofollow noreferrer”> htttps://manpages.ubuntu.com/manpages/manpages/manpages/xenial/man1/prlimit-prlimit-prlimit-prlimit-prlimit- .1.html

I'm not sure there's a good way to do that.
As discussed in Prevent forking in a child process,
you can set RLIMIT_NPROC limit.

However, don't do that for your java app - you will break it.
Threads are just a special type of a process on Linux and if you restrict nproc you won't be able to create new threads.

Observe this behavior on a running java application

prlimit
...
NPROC      max number of processes                15107     15107 processes

prlimit --pid $(pgrep java) --nproc=10

Then on the stdout of the java app

[9816123.415s][warning][os,thread] Failed to start thread - pthread_create failed (EAGAIN) for attributes: stacksize: 2048k, guardsize: 0k, detached.

I tried this for a production app running in a docker container.

Note that nproc limit isn't enforced if you the process is running as root.

Morever, it's quite easy to reproduce it with a simple Clojure REPL (or JShell variant of it):

# start a clojure/java process
user=> (require '[clojure.java.shell :as sh])

user=> (dotimes [i 100] (future (sh/sh "sleep" "2")))
nil


# then get change the nproc limit for the process - make sure to pass proper pid
prlimit --pid 2769227 --nproc=99

# then again in the Clojure REPL: 
user=> (dotimes [i 100] (future (sh/sh "sleep" "2")))
[200.656s][warning][os,thread] Failed to start thread - pthread_create failed (EAGAIN) for attributes: stacksize: 1024k, guardsize: 0k, detached.
[200.656s][warning][os,thread] Failed to start thread - pthread_create failed (EAGAIN) for attributes: stacksize: 1024k, guardsize: 0k, detached.
[200.657s][warning][os,thread] Failed to start thread - pthread_create failed (EAGAIN) for attributes: stacksize: 1024k, guardsize: 0k, detached.
[200.657s][warning][os,thread] Failed to start thread - pthread_create failed (EAGAIN) for attributes: stacksize: 1024k, guardsize: 0k, detached.
[200.657s][warning][os,thread] Failed to start thread - pthread_create failed (EAGAIN) for attributes: stacksize: 1024k, guardsize: 0k, detached.
Execution error (OutOfMemoryError) at java.lang.Thread/start0 (Thread.java:-2).
unable to create native thread: possibly out of memory or process/resource limits reached

Resources: