Posted to commits@lucene.apache.org by rm...@apache.org on 2019/12/24 14:33:37 UTC
[lucene-solr] branch branch_8x updated: SOLR-13984: add
(experimental, disabled by default) security manager support (#1082)
This is an automated email from the ASF dual-hosted git repository.
rmuir pushed a commit to branch branch_8x
in repository https://gitbox.apache.org/repos/asf/lucene-solr.git
The following commit(s) were added to refs/heads/branch_8x by this push:
new 89d88de SOLR-13984: add (experimental, disabled by default) security manager support (#1082)
89d88de is described below
commit 89d88de5c2998b3c1bb393113931cc686cfabc2b
Author: Robert Muir <rm...@apache.org>
AuthorDate: Tue Dec 24 06:30:31 2019 -0800
SOLR-13984: add (experimental, disabled by default) security manager support (#1082)
* SOLR-13984: add (experimental, disabled by default) security manager support.
User can set SOLR_SECURITY_MANAGER_ENABLED=true to enable security manager at runtime.
The current policy file used by tests is moved to solr/server
Additional permissions are granted for the filesystem locations set by bin/solr, and networking everywhere is enabled.
This takes advantage of the fact that permission entries are ignored if properties are not defined:
https://docs.oracle.com/javase/7/docs/technotes/guides/security/PolicyFiles.html#PropertyExp
---
solr/bin/solr | 16 +++++++--
solr/bin/solr.cmd | 13 +++++--
solr/bin/solr.in.cmd | 6 ++++
solr/bin/solr.in.sh | 6 ++++
solr/common-build.xml | 2 +-
.../server/etc/security.policy | 40 +++++++++++++++++++++-
solr/server/etc/security.properties | 24 +++++++++++++
7 files changed, 100 insertions(+), 7 deletions(-)
diff --git a/solr/bin/solr b/solr/bin/solr
index 5e11b69..3b0d078 100755
--- a/solr/bin/solr
+++ b/solr/bin/solr
@@ -715,7 +715,7 @@ function jetty_port() {
function run_tool() {
"$JAVA" $SOLR_SSL_OPTS $AUTHC_OPTS $SOLR_ZK_CREDS_AND_ACLS -Dsolr.install.dir="$SOLR_TIP" \
- -Dlog4j.configurationFile="file:$DEFAULT_SERVER_DIR/resources/log4j2-console.xml" \
+ -Dlog4j.configurationFile="$DEFAULT_SERVER_DIR/resources/log4j2-console.xml" \
-classpath "$DEFAULT_SERVER_DIR/solr-webapp/webapp/WEB-INF/lib/*:$DEFAULT_SERVER_DIR/lib/ext/*:$DEFAULT_SERVER_DIR/lib/*" \
org.apache.solr.util.SolrCLI "$@"
@@ -1951,7 +1951,7 @@ fi
LOG4J_CONFIG=()
if [ -n "$LOG4J_PROPS" ]; then
- LOG4J_CONFIG+=("-Dlog4j.configurationFile=file:$LOG4J_PROPS")
+ LOG4J_CONFIG+=("-Dlog4j.configurationFile=$LOG4J_PROPS")
fi
if [ "$SCRIPT_CMD" == "stop" ]; then
@@ -2080,6 +2080,16 @@ else
REMOTE_JMX_OPTS=()
fi
+# Enable java security manager (limiting filesystem access and other things)
+if [ "$SOLR_SECURITY_MANAGER_ENABLED" == "true" ]; then
+ SECURITY_MANAGER_OPTS=('-Djava.security.manager' \
+ "-Djava.security.policy=${SOLR_SERVER_DIR}/etc/security.policy" \
+ "-Djava.security.properties=${SOLR_SERVER_DIR}/etc/security.properties" \
+ '-Dsolr.internal.network.permission=*')
+else
+ SECURITY_MANAGER_OPTS=()
+fi
+
JAVA_MEM_OPTS=()
if [ -z "$SOLR_HEAP" ] && [ -n "$SOLR_JAVA_MEM" ]; then
JAVA_MEM_OPTS=($SOLR_JAVA_MEM)
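Review bot: The `-Dsolr.internal.network.permission=*` entry hard-codes a wildcard that the policy's `java.net.SocketPermission "${solr.internal.network.permission}"` grant expands to accept/listen/connect/resolve on any host and port, so the sandbox constrains filesystem access but not networking, and nothing in this block lets an operator narrow it. Since the same literal is repeated in the solr.cmd hunk below, a one-line comment in both places would spare the next reader a trip to security.policy: `# '*' makes the SocketPermission entry in etc/security.policy unrestricted; narrowing is not supported yet`. Reading the value from an environment variable that defaults to `*` would be the cheap way to make it tunable later without changing the policy file.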
@@ -2189,7 +2199,7 @@ function start_solr() {
"-Djetty.port=$SOLR_PORT" "-DSTOP.PORT=$stop_port" "-DSTOP.KEY=$STOP_KEY" \
"${SOLR_HOST_ARG[@]}" "-Duser.timezone=$SOLR_TIMEZONE" \
"-Djetty.home=$SOLR_SERVER_DIR" "-Dsolr.solr.home=$SOLR_HOME" "-Dsolr.data.home=$SOLR_DATA_HOME" "-Dsolr.install.dir=$SOLR_TIP" \
- "-Dsolr.default.confdir=$DEFAULT_CONFDIR" "${LOG4J_CONFIG[@]}" "${SOLR_OPTS[@]}")
+ "-Dsolr.default.confdir=$DEFAULT_CONFDIR" "${LOG4J_CONFIG[@]}" "${SOLR_OPTS[@]}" "${SECURITY_MANAGER_OPTS[@]}")
if [ "$SOLR_MODE" == "solrcloud" ]; then
IN_CLOUD_MODE=" in SolrCloud mode"
diff --git a/solr/bin/solr.cmd b/solr/bin/solr.cmd
index 48311ca..fe81694 100755
--- a/solr/bin/solr.cmd
+++ b/solr/bin/solr.cmd
@@ -1001,7 +1001,7 @@ set "EXAMPLE_DIR=%SOLR_TIP%\example"
set TMP_SOLR_HOME=!SOLR_HOME:%EXAMPLE_DIR%=!
IF NOT "%TMP_SOLR_HOME%"=="%SOLR_HOME%" (
set "SOLR_LOGS_DIR=%SOLR_HOME%\..\logs"
- set "LOG4J_CONFIG=file:///%SOLR_SERVER_DIR%\resources\log4j2.xml"
+ set "LOG4J_CONFIG=%SOLR_SERVER_DIR%\resources\log4j2.xml"
)
set IS_RESTART=0
@@ -1175,6 +1175,14 @@ IF "%ENABLE_REMOTE_JMX_OPTS%"=="true" (
set REMOTE_JMX_OPTS=
)
+REM Enable java security manager (limiting filesystem access and other things)
+IF "%SOLR_SECURITY_MANAGER_ENABLED%"=="true" (
+ set SECURITY_MANAGER_OPTS=-Djava.security.manager ^
+-Djava.security.policy="%SOLR_SERVER_DIR%\etc\security.policy" ^
+-Djava.security.properties="%SOLR_SERVER_DIR%\etc\security.properties" ^
+-Dsolr.internal.network.permission=*
+)
+
IF NOT "%SOLR_HEAP%"=="" set SOLR_JAVA_MEM=-Xms%SOLR_HEAP% -Xmx%SOLR_HEAP%
IF "%SOLR_JAVA_MEM%"=="" set SOLR_JAVA_MEM=-Xms512m -Xmx512m
IF "%SOLR_JAVA_STACK_SIZE%"=="" set SOLR_JAVA_STACK_SIZE=-Xss256k
@@ -1267,6 +1275,7 @@ IF NOT "%REMOTE_JMX_OPTS%"=="" set "START_OPTS=%START_OPTS% %REMOTE_JMX_OPTS%"
IF NOT "%SOLR_ADDL_ARGS%"=="" set "START_OPTS=%START_OPTS% %SOLR_ADDL_ARGS%"
IF NOT "%SOLR_HOST_ARG%"=="" set "START_OPTS=%START_OPTS% %SOLR_HOST_ARG%"
IF NOT "%SOLR_OPTS%"=="" set "START_OPTS=%START_OPTS% %SOLR_OPTS%"
+IF NOT "!SECURITY_MANAGER_OPTS!"=="" set "START_OPTS=%START_OPTS% !SECURITY_MANAGER_OPTS!"
IF "%SOLR_SSL_ENABLED%"=="true" (
set "SSL_PORT_PROP=-Dsolr.jetty.https.port=%SOLR_PORT%"
set "START_OPTS=%START_OPTS% %SOLR_SSL_OPTS% !SSL_PORT_PROP!"
@@ -1278,7 +1287,7 @@ set SOLR_DATA_HOME_QUOTED="%SOLR_DATA_HOME%"
set "START_OPTS=%START_OPTS% -Dsolr.log.dir=%SOLR_LOGS_DIR_QUOTED%"
IF NOT "%SOLR_DATA_HOME%"=="" set "START_OPTS=%START_OPTS% -Dsolr.data.home=%SOLR_DATA_HOME_QUOTED%"
-IF NOT DEFINED LOG4J_CONFIG set "LOG4J_CONFIG=file:///%SOLR_SERVER_DIR%\resources\log4j2.xml"
+IF NOT DEFINED LOG4J_CONFIG set "LOG4J_CONFIG=%SOLR_SERVER_DIR%\resources\log4j2.xml"
cd /d "%SOLR_SERVER_DIR%"
diff --git a/solr/bin/solr.in.cmd b/solr/bin/solr.in.cmd
index 61524c1..3bb8fef 100755
--- a/solr/bin/solr.in.cmd
+++ b/solr/bin/solr.in.cmd
@@ -188,3 +188,9 @@ REM For a visual indication in the Admin UI of what type of environment this clu
REM a -Dsolr.environment property below. Valid values are prod, stage, test, dev, with an optional
REM label or color, e.g. -Dsolr.environment=test,label=Functional+test,color=brown
REM SOLR_OPTS="$SOLR_OPTS -Dsolr.environment=prod"
+
+REM Runs solr in a java security manager sandbox. This can protect against some attacks.
+REM Runtime properties are passed to the security policy file (server\etc\security.policy)
+REM You can also tweak via standard JDK files such as ~\.java.policy, see https://s.apache.org/java8policy
+REM This is experimental! It may not work at all with Hadoop/HDFS features.
+REM set SOLR_SECURITY_MANAGER_ENABLED=false
diff --git a/solr/bin/solr.in.sh b/solr/bin/solr.in.sh
index d1a921f..d843ba2 100644
--- a/solr/bin/solr.in.sh
+++ b/solr/bin/solr.in.sh
@@ -216,3 +216,9 @@
# a -Dsolr.environment property below. Valid values are prod, stage, test, dev, with an optional
# label or color, e.g. -Dsolr.environment=test,label=Functional+test,color=brown
#SOLR_OPTS="$SOLR_OPTS -Dsolr.environment=prod"
+
+# Runs solr in java security manager sandbox. This can protect against some attacks.
+# Runtime properties are passed to the security policy file (server/etc/security.policy)
+# You can also tweak via standard JDK files such as ~/.java.policy, see https://s.apache.org/java8policy
+# This is experimental! It may not work at all with Hadoop/HDFS features.
+#SOLR_SECURITY_MANAGER_ENABLED=false
diff --git a/solr/common-build.xml b/solr/common-build.xml
index 7b88395..f44bc6f 100644
--- a/solr/common-build.xml
+++ b/solr/common-build.xml
@@ -38,7 +38,7 @@
<property name="maven.dist.dir" location="${package.dir}/maven"/>
<property name="lucene-libs" location="${dest}/lucene-libs" />
<property name="tests.userdir" location="src/test-files"/>
- <property name="tests.policy" location="${common-solr.dir}/../lucene/tools/junit4/solr-tests.policy"/>
+ <property name="tests.policy" location="${common-solr.dir}/server/etc/security.policy"/>
<property name="server.dir" location="${common-solr.dir}/server" />
<property name="example" location="${common-solr.dir}/example" />
<property name="javadoc.dir" location="${dest}/docs"/>
diff --git a/lucene/tools/junit4/solr-tests.policy b/solr/server/etc/security.policy
similarity index 79%
rename from lucene/tools/junit4/solr-tests.policy
rename to solr/server/etc/security.policy
index b178d6b..bcf82b9 100644
--- a/lucene/tools/junit4/solr-tests.policy
+++ b/solr/server/etc/security.policy
@@ -15,8 +15,10 @@
* limitations under the License.
*/
-// Policy file for solr tests. Please keep minimal and avoid wildcards.
+// Policy file for solr. Please keep minimal and avoid wildcards.
+// permissions needed for tests to pass, based on properties set by the build system
+// NOTE: if the property is not set, the permission entry is ignored.
grant {
// contain read access to only what we need:
// 3rd party jar resources (where symlinks are not supported), test-files/ resources
@@ -163,3 +165,39 @@ grant {
// used by solr to create sandboxes (e.g. script execution)
permission java.security.SecurityPermission "createAccessControlContext";
};
+
+// additional permissions based on system properties set by /bin/solr
+// NOTE: if the property is not set, the permission entry is ignored.
+grant {
+ permission java.io.FilePermission "${hadoop.security.credential.provider.path}", "read,write,delete,readlink";
+ permission java.io.FilePermission "${hadoop.security.credential.provider.path}${/}-", "read,write,delete,readlink";
+
+ permission java.io.FilePermission "${solr.jetty.keystore}", "read,write,delete,readlink";
+ permission java.io.FilePermission "${solr.jetty.keystore}${/}-", "read,write,delete,readlink";
+
+ permission java.io.FilePermission "${solr.jetty.truststore}", "read,write,delete,readlink";
+ permission java.io.FilePermission "${solr.jetty.truststore}${/}-", "read,write,delete,readlink";
+
+ permission java.io.FilePermission "${solr.install.dir}", "read,write,delete,readlink";
+ permission java.io.FilePermission "${solr.install.dir}${/}-", "read,write,delete,readlink";
+
+ permission java.io.FilePermission "${jetty.home}", "read,write,delete,readlink";
+ permission java.io.FilePermission "${jetty.home}${/}-", "read,write,delete,readlink";
+
+ permission java.io.FilePermission "${solr.solr.home}", "read,write,delete,readlink";
+ permission java.io.FilePermission "${solr.solr.home}${/}-", "read,write,delete,readlink";
+
+ permission java.io.FilePermission "${solr.data.home}", "read,write,delete,readlink";
+ permission java.io.FilePermission "${solr.data.home}${/}-", "read,write,delete,readlink";
+
+ permission java.io.FilePermission "${solr.default.confdir}", "read,write,delete,readlink";
+ permission java.io.FilePermission "${solr.default.confdir}${/}-", "read,write,delete,readlink";
+
+ permission java.io.FilePermission "${solr.log.dir}", "read,write,delete,readlink";
+ permission java.io.FilePermission "${solr.log.dir}${/}-", "read,write,delete,readlink";
+
+ permission java.io.FilePermission "${log4j.configurationFile}", "read,write,delete,readlink";
+
+ // expanded to a wildcard if set, allows all networking everywhere
+ permission java.net.SocketPermission "${solr.internal.network.permission}", "accept,listen,connect,resolve";
+};
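Review bot: Several of the new grants give `write,delete` on values that bin/solr passes as read-only inputs: `${solr.install.dir}` and `${jetty.home}` (the server's own jars, webapp and, since bin/solr sets `-Djava.security.policy=${SOLR_SERVER_DIR}/etc/security.policy` with `-Djetty.home=$SOLR_SERVER_DIR`, this policy file itself), `${solr.jetty.keystore}`, `${solr.jetty.truststore}` and `${log4j.configurationFile}`. With write access to its own installation tree, code inside the sandbox can alter the classes and the policy that constrain it, which undoes much of what the manager is meant to enforce; `"read,readlink"` would cover those entries, e.g. `permission java.io.FilePermission "${solr.jetty.keystore}", "read,readlink";`. Keeping `write,delete` for `${solr.solr.home}`, `${solr.data.home}`, `${solr.log.dir}` and the hadoop credential path (and `${solr.default.confdir}` only if it is ever written to, which I cannot tell from here) would match the "keep minimal" comment at the top of the file.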
diff --git a/solr/server/etc/security.properties b/solr/server/etc/security.properties
new file mode 100644
index 0000000..7f196a8
--- /dev/null
+++ b/solr/server/etc/security.properties
@@ -0,0 +1,24 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# command-line security properties file
+#
+# By default, when enabling security manager, DNS lookups are cached indefinitely,
+# as protection against DNS spoofing. We set this back to the default (non-security-manager)
+# value of 30 seconds, to prevent surprising behavior (e.g. nodes in cloud environments without
+# static IP addresses). Users concerned about DNS spoofing should instead follow best practices:
+# populating solr.shardsWhitelist, enabling TLS, etc.
+networkaddress.cache.ttl=30
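Review bot: The header does not say how this file reaches the JVM or how it relates to the JDK's own `java.security`; bin/solr passes it as `-Djava.security.properties=<this file>`, and with a single `=` the entries here are layered over the JDK defaults rather than replacing them (a double `==` would replace the whole file). A line such as `# Loaded by bin/solr via -Djava.security.properties=; keys here override the JDK's java.security, every other JDK default stays in effect` would make that explicit for anyone adding keys later. The `networkaddress.cache.ttl` comment could also state that the value is in seconds, since that is the unit the JDK reads for this key.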