Posted to commits@lucene.apache.org by rm...@apache.org on 2019/12/24 14:33:37 UTC

[lucene-solr] branch branch_8x updated: SOLR-13984: add (experimental, disabled by default) security manager support (#1082)

This is an automated email from the ASF dual-hosted git repository.

rmuir pushed a commit to branch branch_8x
in repository https://gitbox.apache.org/repos/asf/lucene-solr.git


The following commit(s) were added to refs/heads/branch_8x by this push:
     new 89d88de  SOLR-13984: add (experimental, disabled by default) security manager support (#1082)
89d88de is described below

commit 89d88de5c2998b3c1bb393113931cc686cfabc2b
Author: Robert Muir <rm...@apache.org>
AuthorDate: Tue Dec 24 06:30:31 2019 -0800

    SOLR-13984: add (experimental, disabled by default) security manager support (#1082)
    
    * SOLR-13984: add (experimental, disabled by default) security manager support.
    
    User can set SOLR_SECURITY_MANAGER_ENABLED=true to enable security manager at runtime.
    
    The current policy file used by tests is moved to solr/server
    Additional permissions are granted for the filesystem locations set by bin/solr, and networking everywhere is enabled.
    
    This takes advantage of the fact that permission entries are ignored if properties are not defined:
    https://docs.oracle.com/javase/7/docs/technotes/guides/security/PolicyFiles.html#PropertyExp
---
 solr/bin/solr                                      | 16 +++++++--
 solr/bin/solr.cmd                                  | 13 +++++--
 solr/bin/solr.in.cmd                               |  6 ++++
 solr/bin/solr.in.sh                                |  6 ++++
 solr/common-build.xml                              |  2 +-
 .../server/etc/security.policy                     | 40 +++++++++++++++++++++-
 solr/server/etc/security.properties                | 24 +++++++++++++
 7 files changed, 100 insertions(+), 7 deletions(-)

diff --git a/solr/bin/solr b/solr/bin/solr
index 5e11b69..3b0d078 100755
--- a/solr/bin/solr
+++ b/solr/bin/solr
@@ -715,7 +715,7 @@ function jetty_port() {
 function run_tool() {
 
   "$JAVA" $SOLR_SSL_OPTS $AUTHC_OPTS $SOLR_ZK_CREDS_AND_ACLS -Dsolr.install.dir="$SOLR_TIP" \
-    -Dlog4j.configurationFile="file:$DEFAULT_SERVER_DIR/resources/log4j2-console.xml" \
+    -Dlog4j.configurationFile="$DEFAULT_SERVER_DIR/resources/log4j2-console.xml" \
     -classpath "$DEFAULT_SERVER_DIR/solr-webapp/webapp/WEB-INF/lib/*:$DEFAULT_SERVER_DIR/lib/ext/*:$DEFAULT_SERVER_DIR/lib/*" \
     org.apache.solr.util.SolrCLI "$@"
 
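Review bot: The reason for dropping the `file:` prefix from the log4j.configurationFile value is not recorded, and the same unexplained change recurs in the `LOG4J_CONFIG+=` hunk below and in the two solr.cmd hunks that drop `file:///`. It appears intended to make the value usable as a plain filesystem path by the new policy entry `permission java.io.FilePermission "${log4j.configurationFile}"`, which would not match a URI form; I would confirm that and record it, e.g. `# plain path (no file: URI): security.policy grants a FilePermission on this value`. run_tool continues past the end of the hunk.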
@@ -1951,7 +1951,7 @@ fi
 
 LOG4J_CONFIG=()
 if [ -n "$LOG4J_PROPS" ]; then
-  LOG4J_CONFIG+=("-Dlog4j.configurationFile=file:$LOG4J_PROPS")
+  LOG4J_CONFIG+=("-Dlog4j.configurationFile=$LOG4J_PROPS")
 fi
 
 if [ "$SCRIPT_CMD" == "stop" ]; then
@@ -2080,6 +2080,16 @@ else
   REMOTE_JMX_OPTS=()
 fi
 
+# Enable java security manager (limiting filesystem access and other things)
+if [ "$SOLR_SECURITY_MANAGER_ENABLED" == "true" ]; then
+  SECURITY_MANAGER_OPTS=('-Djava.security.manager' \
+    "-Djava.security.policy=${SOLR_SERVER_DIR}/etc/security.policy" \
+    "-Djava.security.properties=${SOLR_SERVER_DIR}/etc/security.properties" \
+    '-Dsolr.internal.network.permission=*')
+else
+  SECURITY_MANAGER_OPTS=()
+fi
+
 JAVA_MEM_OPTS=()
 if [ -z "$SOLR_HEAP" ] && [ -n "$SOLR_JAVA_MEM" ]; then
   JAVA_MEM_OPTS=($SOLR_JAVA_MEM)
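Review bot: The comment on the new block says the security manager limits "filesystem access and other things", but the block unconditionally passes `-Dsolr.internal.network.permission=*`, which the policy file in this commit expands into a SocketPermission for accept,listen,connect,resolve on any host, so networking is deliberately not confined; the comment should say so, e.g. `# NOTE: networking is left unrestricted (solr.internal.network.permission=*); only filesystem and similar permissions are confined`. It is also worth noting in the same comment that `-Djava.security.policy=` with a single `=` adds these grants on top of the JDK's default policy (and any ~/.java.policy) rather than replacing it, which is what the solr.in.sh text about tweaking via ~/.java.policy relies on; `==` would make this file the only policy. Without that note a future reader may assume the policy file is authoritative on its own.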
@@ -2189,7 +2199,7 @@ function start_solr() {
     "-Djetty.port=$SOLR_PORT" "-DSTOP.PORT=$stop_port" "-DSTOP.KEY=$STOP_KEY" \
     "${SOLR_HOST_ARG[@]}" "-Duser.timezone=$SOLR_TIMEZONE" \
     "-Djetty.home=$SOLR_SERVER_DIR" "-Dsolr.solr.home=$SOLR_HOME" "-Dsolr.data.home=$SOLR_DATA_HOME" "-Dsolr.install.dir=$SOLR_TIP" \
-    "-Dsolr.default.confdir=$DEFAULT_CONFDIR" "${LOG4J_CONFIG[@]}" "${SOLR_OPTS[@]}")
+    "-Dsolr.default.confdir=$DEFAULT_CONFDIR" "${LOG4J_CONFIG[@]}" "${SOLR_OPTS[@]}" "${SECURITY_MANAGER_OPTS[@]}")
 
   if [ "$SOLR_MODE" == "solrcloud" ]; then
     IN_CLOUD_MODE=" in SolrCloud mode"
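Review bot: `"${SECURITY_MANAGER_OPTS[@]}"` is appended after `"${SOLR_OPTS[@]}"`, and I believe the JVM lets a later `-D` definition override an earlier one, so this placement means a user's SOLR_OPTS cannot redefine java.security.policy or java.security.properties; if that is intended, a short `# last so SOLR_OPTS cannot override the security manager settings` would record it, and if it is not, the array belongs before SOLR_OPTS. start_solr begins before and continues past this hunk, so I cannot see whether anything else appends to the same argument list.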
diff --git a/solr/bin/solr.cmd b/solr/bin/solr.cmd
index 48311ca..fe81694 100755
--- a/solr/bin/solr.cmd
+++ b/solr/bin/solr.cmd
@@ -1001,7 +1001,7 @@ set "EXAMPLE_DIR=%SOLR_TIP%\example"
 set TMP_SOLR_HOME=!SOLR_HOME:%EXAMPLE_DIR%=!
 IF NOT "%TMP_SOLR_HOME%"=="%SOLR_HOME%" (
   set "SOLR_LOGS_DIR=%SOLR_HOME%\..\logs"
-  set "LOG4J_CONFIG=file:///%SOLR_SERVER_DIR%\resources\log4j2.xml"
+  set "LOG4J_CONFIG=%SOLR_SERVER_DIR%\resources\log4j2.xml"
 )
 
 set IS_RESTART=0
@@ -1175,6 +1175,14 @@ IF "%ENABLE_REMOTE_JMX_OPTS%"=="true" (
   set REMOTE_JMX_OPTS=
 )
 
+REM Enable java security manager (limiting filesystem access and other things)
+IF "%SOLR_SECURITY_MANAGER_ENABLED%"=="true" (
+  set SECURITY_MANAGER_OPTS=-Djava.security.manager ^
+-Djava.security.policy="%SOLR_SERVER_DIR%\etc\security.policy" ^
+-Djava.security.properties="%SOLR_SERVER_DIR%\etc\security.properties" ^
+-Dsolr.internal.network.permission=*
+)
+
 IF NOT "%SOLR_HEAP%"=="" set SOLR_JAVA_MEM=-Xms%SOLR_HEAP% -Xmx%SOLR_HEAP%
 IF "%SOLR_JAVA_MEM%"=="" set SOLR_JAVA_MEM=-Xms512m -Xmx512m
 IF "%SOLR_JAVA_STACK_SIZE%"=="" set SOLR_JAVA_STACK_SIZE=-Xss256k
@@ -1267,6 +1275,7 @@ IF NOT "%REMOTE_JMX_OPTS%"=="" set "START_OPTS=%START_OPTS% %REMOTE_JMX_OPTS%"
 IF NOT "%SOLR_ADDL_ARGS%"=="" set "START_OPTS=%START_OPTS% %SOLR_ADDL_ARGS%"
 IF NOT "%SOLR_HOST_ARG%"=="" set "START_OPTS=%START_OPTS% %SOLR_HOST_ARG%"
 IF NOT "%SOLR_OPTS%"=="" set "START_OPTS=%START_OPTS% %SOLR_OPTS%"
+IF NOT "!SECURITY_MANAGER_OPTS!"=="" set "START_OPTS=%START_OPTS% !SECURITY_MANAGER_OPTS!"
 IF "%SOLR_SSL_ENABLED%"=="true" (
   set "SSL_PORT_PROP=-Dsolr.jetty.https.port=%SOLR_PORT%"
   set "START_OPTS=%START_OPTS% %SOLR_SSL_OPTS% !SSL_PORT_PROP!"
@@ -1278,7 +1287,7 @@ set SOLR_DATA_HOME_QUOTED="%SOLR_DATA_HOME%"
 
 set "START_OPTS=%START_OPTS% -Dsolr.log.dir=%SOLR_LOGS_DIR_QUOTED%"
 IF NOT "%SOLR_DATA_HOME%"=="" set "START_OPTS=%START_OPTS% -Dsolr.data.home=%SOLR_DATA_HOME_QUOTED%"
-IF NOT DEFINED LOG4J_CONFIG set "LOG4J_CONFIG=file:///%SOLR_SERVER_DIR%\resources\log4j2.xml"
+IF NOT DEFINED LOG4J_CONFIG set "LOG4J_CONFIG=%SOLR_SERVER_DIR%\resources\log4j2.xml"
 
 cd /d "%SOLR_SERVER_DIR%"
 
diff --git a/solr/bin/solr.in.cmd b/solr/bin/solr.in.cmd
index 61524c1..3bb8fef 100755
--- a/solr/bin/solr.in.cmd
+++ b/solr/bin/solr.in.cmd
@@ -188,3 +188,9 @@ REM For a visual indication in the Admin UI of what type of environment this clu
 REM a -Dsolr.environment property below. Valid values are prod, stage, test, dev, with an optional
 REM label or color, e.g. -Dsolr.environment=test,label=Functional+test,color=brown
 REM SOLR_OPTS="$SOLR_OPTS -Dsolr.environment=prod"
+
+REM Runs solr in a java security manager sandbox. This can protect against some attacks.
+REM Runtime properties are passed to the security policy file (server\etc\security.policy)
+REM You can also tweak via standard JDK files such as ~\.java.policy, see https://s.apache.org/java8policy
+REM This is experimental! It may not work at all with Hadoop/HDFS features.
+REM set SOLR_SECURITY_MANAGER_ENABLED=false
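Review bot: The example shows the disabled value, but neither this text nor the matching solr.in.sh hunk says what actually enables the feature: both bin/solr and solr.cmd in this commit compare the variable against the exact string `true`, so values like `TRUE`, `yes` or `1` leave it disabled without any message. Add a line such as `REM Set to exactly "true" to enable; any other value leaves the security manager off.` here and the `#` equivalent in solr.in.sh.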
diff --git a/solr/bin/solr.in.sh b/solr/bin/solr.in.sh
index d1a921f..d843ba2 100644
--- a/solr/bin/solr.in.sh
+++ b/solr/bin/solr.in.sh
@@ -216,3 +216,9 @@
 # a -Dsolr.environment property below. Valid values are prod, stage, test, dev, with an optional
 # label or color, e.g. -Dsolr.environment=test,label=Functional+test,color=brown
 #SOLR_OPTS="$SOLR_OPTS -Dsolr.environment=prod"
+
+# Runs solr in java security manager sandbox. This can protect against some attacks.
+# Runtime properties are passed to the security policy file (server/etc/security.policy)
+# You can also tweak via standard JDK files such as ~/.java.policy, see https://s.apache.org/java8policy
+# This is experimental! It may not work at all with Hadoop/HDFS features.
+#SOLR_SECURITY_MANAGER_ENABLED=false
diff --git a/solr/common-build.xml b/solr/common-build.xml
index 7b88395..f44bc6f 100644
--- a/solr/common-build.xml
+++ b/solr/common-build.xml
@@ -38,7 +38,7 @@
   <property name="maven.dist.dir" location="${package.dir}/maven"/>
   <property name="lucene-libs" location="${dest}/lucene-libs" />
   <property name="tests.userdir" location="src/test-files"/>
-  <property name="tests.policy" location="${common-solr.dir}/../lucene/tools/junit4/solr-tests.policy"/>
+  <property name="tests.policy" location="${common-solr.dir}/server/etc/security.policy"/>
   <property name="server.dir" location="${common-solr.dir}/server" />
   <property name="example" location="${common-solr.dir}/example" />
   <property name="javadoc.dir" location="${dest}/docs"/>
diff --git a/lucene/tools/junit4/solr-tests.policy b/solr/server/etc/security.policy
similarity index 79%
rename from lucene/tools/junit4/solr-tests.policy
rename to solr/server/etc/security.policy
index b178d6b..bcf82b9 100644
--- a/lucene/tools/junit4/solr-tests.policy
+++ b/solr/server/etc/security.policy
@@ -15,8 +15,10 @@
  * limitations under the License.
  */
 
-// Policy file for solr tests. Please keep minimal and avoid wildcards.
+// Policy file for solr. Please keep minimal and avoid wildcards.
 
+// permissions needed for tests to pass, based on properties set by the build system
+// NOTE: if the property is not set, the permission entry is ignored.
 grant {
   // contain read access to only what we need:
   // 3rd party jar resources (where symlinks are not supported), test-files/ resources
@@ -163,3 +165,39 @@ grant {
   // used by solr to create sandboxes (e.g. script execution)
   permission java.security.SecurityPermission "createAccessControlContext";
 };
+
+// additional permissions based on system properties set by /bin/solr
+// NOTE: if the property is not set, the permission entry is ignored.
+grant {
+  permission java.io.FilePermission "${hadoop.security.credential.provider.path}", "read,write,delete,readlink";
+  permission java.io.FilePermission "${hadoop.security.credential.provider.path}${/}-", "read,write,delete,readlink";
+
+  permission java.io.FilePermission "${solr.jetty.keystore}", "read,write,delete,readlink";
+  permission java.io.FilePermission "${solr.jetty.keystore}${/}-", "read,write,delete,readlink";
+
+  permission java.io.FilePermission "${solr.jetty.truststore}", "read,write,delete,readlink";
+  permission java.io.FilePermission "${solr.jetty.truststore}${/}-", "read,write,delete,readlink";
+
+  permission java.io.FilePermission "${solr.install.dir}", "read,write,delete,readlink";
+  permission java.io.FilePermission "${solr.install.dir}${/}-", "read,write,delete,readlink";
+
+  permission java.io.FilePermission "${jetty.home}", "read,write,delete,readlink";
+  permission java.io.FilePermission "${jetty.home}${/}-", "read,write,delete,readlink";
+
+  permission java.io.FilePermission "${solr.solr.home}", "read,write,delete,readlink";
+  permission java.io.FilePermission "${solr.solr.home}${/}-", "read,write,delete,readlink";
+
+  permission java.io.FilePermission "${solr.data.home}", "read,write,delete,readlink";
+  permission java.io.FilePermission "${solr.data.home}${/}-", "read,write,delete,readlink";
+
+  permission java.io.FilePermission "${solr.default.confdir}", "read,write,delete,readlink";
+  permission java.io.FilePermission "${solr.default.confdir}${/}-", "read,write,delete,readlink";
+
+  permission java.io.FilePermission "${solr.log.dir}", "read,write,delete,readlink";
+  permission java.io.FilePermission "${solr.log.dir}${/}-", "read,write,delete,readlink";
+
+  permission java.io.FilePermission "${log4j.configurationFile}", "read,write,delete,readlink";
+
+  // expanded to a wildcard if set, allows all networking everywhere
+  permission java.net.SocketPermission "${solr.internal.network.permission}", "accept,listen,connect,resolve";
+};
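Review bot: Every new directory grant carries `read,write,delete,readlink`, including `${jetty.home}` and `${solr.install.dir}`; since bin/solr sets jetty.home to SOLR_SERVER_DIR and loads this very policy from `${SOLR_SERVER_DIR}/etc/security.policy` (with security.properties beside it), code inside the sandbox can rewrite the policy that confines it, and the install dir grant covers the shipped jars and scripts as well. The header asks to keep the file minimal, so I would try read-only grants for the static locations, e.g. `permission java.io.FilePermission "${jetty.home}${/}-", "read,readlink";` and likewise for `${solr.install.dir}`, `${solr.default.confdir}` and `${log4j.configurationFile}`, keeping write/delete only for the home, data, log and credential locations and widening again only where a test or the start path demonstrably needs it. Whether anything writes under those locations at startup cannot be told from this diff, so this needs a test run to confirm. Note also that common-build.xml now points tests.policy at this file, so any of these properties set by the test JVM widen the test sandbox in the same way.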
diff --git a/solr/server/etc/security.properties b/solr/server/etc/security.properties
new file mode 100644
index 0000000..7f196a8
--- /dev/null
+++ b/solr/server/etc/security.properties
@@ -0,0 +1,24 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# command-line security properties file
+#
+# By default, when enabling security manager, DNS lookups are cached indefinitely,
+# as protection against DNS spoofing.  We set this back to the default (non-security-manager)
+# value of 30 seconds, to prevent surprising behavior (e.g. nodes in cloud environments without
+# static IP addresses). Users concerned about DNS spoofing should instead follow best practices:
+# populating solr.shardsWhitelist, enabling TLS, etc.
+networkaddress.cache.ttl=30
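Review bot: The comment explains why the TTL is reset but not how this file takes effect: bin/solr passes it via `-Djava.security.properties=` with a single `=`, which overlays these entries on the JDK's own java.security and only works while that master file keeps `security.overridePropertiesFile=true` (the JDK default); with `==` it would replace the master file instead. A line here would stop an operator who hardens java.security from silently losing this override, e.g. `# Loaded via -Djava.security.properties= (overlay); requires security.overridePropertiesFile=true in the JDK's java.security`.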