From Guava 32.0.1-jre, Files.createTempDir() and FileBackedOutputStream can fail or create un-deletable directories/files when used from a Windows service #6634
Comments
|
Thanks for all the details. At first glance, I'm puzzled: We test that we can delete the directory, and we have had our tests running under Windows. We have also tested manually under Windows, as have other users, and we've heard of apps that started working again at 32.0.1. So there must be some variation between systems that accounts for this. One thing that I'd wondered was whether the system property One frustrating part of this is that we might not need to set explicit permissions at all: The Windows temporary directory is very likely to be secure, and the Java's Linux implementation appears to set restricted permissions by default (but its docs are coy about this). Maybe I should just rip out all the permissions code. I've been hesitant to do so because it would look quite bad if such a change somehow reintroduced the security bug. (And of course now we've already had a bunch of releases in quick succession....) Does anything about the username issue give you any ideas? Does anyone else have thoughts? |
|
Does that sound like the situation you're in? Hmm, and regardless, could you have a look at the "e:\xxxxxxx\target" directory and see if it's world-readable? If it's world-readable, then that shows that we do need to set directory permissions for maximum security in this case. If it's not, then that's another data point in favor of the idea that the Windows temporary directory is always secure. |
|
Hello cpovirk, I'm sorry I should really have mentionned a few things first in my report: I added this code in the program to obtain the username: and it leads to this output: (yes, COMPUTERNAME is uppercase here where it is lowercase in the ACL list) Here are the info regarding the 'target' directory rights: it seems world-readable: |
|
Wow, I don't even remember hearing about the At this point, I would love to get away with keeping things as they are. And we might get away with it if you're in a position to migrate off our method and onto Aside from my idea of mapping COMPUTERNAME$ to SYSTEM, I could also see making Guava read a system property (or maybe environment variable, which feels marginally safer, since Java doesn't let programs mutate environment variables) that lets you disable setting the ACL. Would you be in a position to set the system property or environment variable? And, similarly, for the idea of rewriting user.name: Are you able to test running your Java app with |
|
I'm sure there's context I'm not remembering, but just to double-check: did we determine that it is in fact necessary to explicitly set the ACL when creating temp dirs on Windows, as opposed to passing no |
|
Hello, to cgdecker: I'm not in Guava team but I know that the default windows temp dir is user-specific. So from my (limited) point of view, there is not really a need to set anything specific. In my case I explicitly tell Java to use another dir (through to cpovirk 1-: please do not modify anything for me. I already simply moved my tests away from using Guava's to cpovirk 2-: you were right, launching my tests with for the record, the problem mentioned in JENKINS-71375 is specific to version 32.0.0-jre and was corrected in 32.0.1-jre and I think that only daemon services (and maybe especially the ones changing the default temp dir like I did) will be hurt with the same bug as described here. |
|
Thanks for the additional details and testing. It does seem extremely likely that plain I'm going to re-title this bug to reflect that it applies just to the daemon case. If we end up hearing from more affected users, we can reevaluate. Thanks for your flexibility. |
cpovirk
changed the title
|
@cpovirk windows version trying to workarround by setting |
|
Across various OSs, there are different environment variable names for username. For example, USERNAME in Windows and USER in Linux. |
|
Thanks. Are any of the Windows Services users in a position to see what |
|
I'm going to implement that approach now, since the Stack Overflow question sounds like just the same situation. |
…_services_, a rare use case. Fixes #6634 Relevant to #2686 in that it shows that we would ideally run our Windows testing under both Java 8 *and* a newer version.... RELNOTES=`io`: Fixed `Files.createTempDir` and `FileBackedOutputStream` under [Windows _services_, a rare use case](#6634). PiperOrigin-RevId: 568604081
Fix `Files.createTempDir` and `FileBackedOutputStream` under Windows _services_, a rare use case. Fixes #6634 Relevant to #2686 in that it shows that we would ideally run our Windows testing under both Java 8 *and* a newer version.... RELNOTES=`io`: Fixed `Files.createTempDir` and `FileBackedOutputStream` under [Windows _services_, a rare use case](#6634). PiperOrigin-RevId: 568604081
…ting Fix `Files.createTempDir` and `FileBackedOutputStream` under Windows _services_, a rare use case. Fixes #6634 Relevant to #2686 in that it shows that we would ideally run our Windows testing under both Java 8 *and* a newer version.... RELNOTES=`io`: Fixed `Files.createTempDir` and `FileBackedOutputStream` under [Windows _services_, a rare use case](#6634). PiperOrigin-RevId: 568604081
…_services_, a rare use case. Fixes #6634 Relevant to #2686 in that it shows that we would ideally run our Windows testing under both Java 8 *and* a newer version.... RELNOTES=`io`: Fixed `Files.createTempDir` and `FileBackedOutputStream` under [Windows _services_, a rare use case](#6634). PiperOrigin-RevId: 568604081
…_services_, a rare use case. Fixes #6634 Relevant to #2686 in that it shows that we would ideally run our Windows testing under both Java 8 *and* a newer version.... RELNOTES=`io`: Fixed `Files.createTempDir` and `FileBackedOutputStream` under [Windows _services_, a rare use case](#6634). PiperOrigin-RevId: 568604081
|
Which version of Java are those of you who are affected using? The fix I've been working on would work for Java 9+. If you need support for Java 8, then I would need to add another fix specific to that case. |
|
thanks @cpovirk , I'm using Java11 |
|
thanks @cpovirk , we are using java 17 LTS |
cpovirk
changed the title
|
Thanks, I'll stick with the Java 9+ solution for now, then. Also, I've retitled this bug to reflect that even creating the directories can fail. If all goes well, I'll submit the fix this week. Then it's just a question of how soon we do a release. How did the workaround of setting |
|
Aside: Somehow my Google search for "ProcessHandle.current().info().user().get()" turns up only one web page. Luckily, my earlier, different search had turned up the Stack Overflow answer with that content anyway... somehow. This was almost as bad as finding a web page that explains how to set an ACL in the first place :) |
|
Copy pasting from a previous message above, it seems the user.name workaround worked well in my tests at the time ;)
|
|
Oops, sorry, I'd seen that but had wanted to check with @Uli-Tiger, since this new problem was slightly different. But I do still expect your workaround to address it. |
Because the java process is launched from another process, i couldn't easily inject that system property. Instead i just let the Jenkins service run with an ordinary Admin User instead of the local service account. That works now fine. |
I've found them to be [flaky](#6731 (comment)). We already [skip](#2130) some tests under Windows, so what's two more (especially only under Java 8, which I didn't include when setting up [Windows CI](#2686) and which I was testing only as part of #6634)? RELNOTES=n/a PiperOrigin-RevId: 568645480
I've found them to be [flaky](#6731 (comment)). We already [skip](#2130) some tests under Windows, so what's two more (especially only under Java 8, which I didn't include when setting up [Windows CI](#2686) and which I was testing only as part of #6634)? RELNOTES=n/a PiperOrigin-RevId: 570103461
…_services_ (at least under JDK 9+), a rare use case. Fixes #6634 Relevant to #2686 in that it shows that we would ideally run our Windows testing under both Java 8 *and* a newer version.... RELNOTES=`io`: Fixed `Files.createTempDir` and `FileBackedOutputStream` under [Windows _services_, a rare use case](#6634). (The fix actually covers only Java 9+ because Java 8 would require an additional approach. Let us know if you need support under Java 8.) PiperOrigin-RevId: 568604081
``` Building and deploying the android flavor (this may take a while)... [ERROR] We have duplicated artifacts attached. [ERROR] Failed to execute goal org.apache.maven.plugins:maven-source-plugin:3.3.0:jar (attach-sources) on project guava: Presumably you have configured maven-source-plugn to execute twice times in your build. You have to configure a classifier for at least on of them. -> [Help 1] ``` I had fixed the same issue with _snapshot_ deployment in cl/559489724 (by no longer passing `source:jar` to `mvn`), but apparently that fix doesn't apply to _release_ deployment. I'm guessing that the relevant part of our release command is `-Psonatype-oss-release`, which (among other things) [activates a `maven-source-plugin` configuration change](https://github.com/google/guava/blob/a78bea41aedba50469641968ee3d98b24836e491/pom.xml#L329-L334): Presumably that introduces a second `maven-source-plugn` execution in much the same way as passing `source:jar` does. I previously fixed a similar problem in jimfs (cl/536746714) by removing the "normal" `maven-source-plugin` configuration, leaving only the `sonatype-oss-release` configuration in the parent. (I don't remember whether I investigated removing the `sonatype-oss-release` configuration instead. Probably I should have at least investigated.) So I'm doing the same for Guava in this CL. Hopefully this won't interfere with _snapshot_ source jars, which currently are produced even without `source:jar` but might no longer be. If it does cause problems, then I should _definitely_ investigate removing the `sonatype-oss-release` configuration instead. (Encouragingly, [jimfs snapshots](https://oss.sonatype.org/content/repositories/snapshots/com/google/jimfs/jimfs/HEAD-SNAPSHOT/) appear to be fine... _but_ jimfs [still passes `source:jar`](https://github.com/google/jimfs/blob/acb81e8718adf2527be105c6c9b130ec788c9877/.github/workflows/ci.yml#L81).... So I do somewhat expect this to blow up—but, on the bright side, to also teach me something, at which point maybe we can get the config right for both these projects and others to come.) (I went to check whether `guava-*-source.jar` was still being generated in my test release. But somehow I see _no_ jars under `guava/target`, even as I see all(?) the expected ones under `guava-testlib`, etc. I wonder if the release script did a little housekeeping? Sigh, this is really going to blow up, isn't it?) (Notice that the configuration that may be the source of the problem was copied from the old `oss-parent` pom. This is at least the second time that that pom's configuration has caused us trouble, the other I recall being cl/492304151—well, and probably the aforementioned jimfs source-jar issue, too.) This prepares for the release that contains the fix for #6634, among other issues. RELNOTES=n/a PiperOrigin-RevId: 571437790
cpovirk
changed the title
``` Building and deploying the android flavor (this may take a while)... [ERROR] We have duplicated artifacts attached. [ERROR] Failed to execute goal org.apache.maven.plugins:maven-source-plugin:3.3.0:jar (attach-sources) on project guava: Presumably you have configured maven-source-plugn to execute twice times in your build. You have to configure a classifier for at least on of them. -> [Help 1] ``` I had fixed the same issue with _snapshot_ deployment in cl/559489724 (by no longer passing `source:jar` to `mvn`), but apparently that fix doesn't apply to _release_ deployment. I'm guessing that the relevant part of our release command is `-Psonatype-oss-release`, which (among other things) [activates a `maven-source-plugin` configuration change](https://github.com/google/guava/blob/a78bea41aedba50469641968ee3d98b24836e491/pom.xml#L329-L334): Presumably that introduces a second `maven-source-plugn` execution in much the same way as passing `source:jar` does. I previously fixed a similar problem in jimfs (cl/536746714) by removing the "normal" `maven-source-plugin` configuration, leaving only the `sonatype-oss-release` configuration in the parent. I don't remember whether I investigated removing jimfs' `sonatype-oss-release` configuration instead. Probably I should have at least investigated, since that's what we're going with here. As best I can tell, this doesn't interfere with _snapshot_ source jars, which are produced even without `source:jar`. (Notice that the configuration that may be the source of the problem was copied from the old `oss-parent` pom. This is at least the second time that that pom's configuration has caused us trouble, the other I recall being cl/492304151—well, and probably the aforementioned jimfs source-jar issue, too.) This prepares for the release that contains the fix for #6634, among other issues. RELNOTES=n/a PiperOrigin-RevId: 571437790
``` Building and deploying the android flavor (this may take a while)... [ERROR] We have duplicated artifacts attached. [ERROR] Failed to execute goal org.apache.maven.plugins:maven-source-plugin:3.3.0:jar (attach-sources) on project guava: Presumably you have configured maven-source-plugn to execute twice times in your build. You have to configure a classifier for at least on of them. -> [Help 1] ``` I had fixed the same issue with _snapshot_ deployment in cl/559489724 (by no longer passing `source:jar` to `mvn`), but apparently that fix doesn't apply to _release_ deployment. I'm guessing that the relevant part of our release command is `-Psonatype-oss-release`, which (among other things) [activates a `maven-source-plugin` configuration change](https://github.com/google/guava/blob/a78bea41aedba50469641968ee3d98b24836e491/pom.xml#L329-L334): Presumably that introduces a second `maven-source-plugn` execution in much the same way as passing `source:jar` does. I previously fixed a similar problem in jimfs (cl/536746714) by removing the "normal" `maven-source-plugin` configuration, leaving only the `sonatype-oss-release` configuration in the parent. I don't remember whether I investigated removing jimfs' `sonatype-oss-release` configuration instead. Probably I should have at least investigated, since that's what we're going with here. As best I can tell, this doesn't interfere with _snapshot_ source jars, which are produced even without `source:jar`. (Notice that the configuration that may be the source of the problem was copied from the old `oss-parent` pom. This is at least the second time that that pom's configuration has caused us trouble, the other I recall being cl/492304151—well, and probably the aforementioned jimfs source-jar issue, too.) This prepares for the release that contains the fix for #6634, among other issues. RELNOTES=n/a PiperOrigin-RevId: 572327204
``` Building and deploying the android flavor (this may take a while)... [ERROR] We have duplicated artifacts attached. [ERROR] Failed to execute goal org.apache.maven.plugins:maven-source-plugin:3.3.0:jar (attach-sources) on project guava: Presumably you have configured maven-source-plugn to execute twice times in your build. You have to configure a classifier for at least on of them. -> [Help 1] ``` I had fixed the same issue with _snapshot_ deployment in cl/559489724 (by no longer passing `source:jar` to `mvn`), but apparently that fix doesn't apply to _release_ deployment. I'm guessing that the relevant part of our release command is `-Psonatype-oss-release`, which (among other things) [activates a `maven-source-plugin` configuration change](https://github.com/google/guava/blob/a78bea41aedba50469641968ee3d98b24836e491/pom.xml#L329-L334): Presumably that introduces a second `maven-source-plugn` execution in much the same way as passing `source:jar` does. I previously fixed a similar problem in jimfs (cl/536746714) by removing the "normal" `maven-source-plugin` configuration, leaving only the `sonatype-oss-release` configuration in the parent. I don't remember whether I investigated removing jimfs' `sonatype-oss-release` configuration instead. Probably I should have at least investigated, since that's what we're going with here. As best I can tell, this doesn't interfere with _snapshot_ source jars, which are produced even without `source:jar`. (Notice that the configuration that may be the source of the problem was copied from the old `oss-parent` pom. This is at least the second time that that pom's configuration has caused us trouble, the other I recall being cl/492304151—well, and probably the aforementioned jimfs source-jar issue, too.) This prepares for the release that contains the fix for #6634, among other issues. RELNOTES=n/a PiperOrigin-RevId: 572327204
|
For anyone who's following here but not following our repo as a whole: The fix for this is part of last week's https://github.com/google/guava/releases/tag/v32.1.3. If you see any problems with that version, please let us know. |
Hello I rencently upgraded from 31.1-jre to 32.0.1-jre.
FYI 32.0.0-jre was KO because of the then-corrected-in-32.0.1-jre error: java.lang.UnsupportedOperationException: 'posix:permissions' not supported as initial attribute. So let's not talk about this version.
In 32.0.1-jre the method Files.createTempDir() has been modified and a program RUNNING ON WINDOWS is now unable to delete its own folders created by this call.
Here is a sample creating a folder with java's own "createTempDirectory" and deleting it (this works fine) and then the same with Guava and it cannot delete it's own folder created with guava.
Here are the (desidentified) trace and there is a huge difference beween both calls:
The text was updated successfully, but these errors were encountered: