Packager resolver - javadoc in restricted mode

[Stephen Woods <sw...@gmail.com>]

The packager resolver limits the types of ant commands a packager uses
to build its appropriate artifacts. Many of the source distributions
do not bundle pre-generated javadoc, but they do bundle source. It
would be nice to be able to run the javadoc ant task during the
packaging process in order to make javadoc artifacts without needing
to set the restricted attribute to "false". Is it even possible to
compromise a system by running javadoc?

Just a thought for future ivy releases...

Re: Packager resolver - javadoc in restricted mode

[Archie Cobbs <ar...@gmail.com>]

On Mon, Mar 23, 2009 at 12:50 PM, Stephen Woods <sw...@gmail.com> wrote:

> Unfortuantely, thats not how the packager resolver currently works.
> The packager downloads mini-ant build files (package.xml), runs an
> xslt transformation over them to make sure all of the ant tasks used
> are on the "blessed" list, and then executes the build. So execution
> isn't really from within a library where one could lock things down
> with security policies per se. Its not really the Ivy library that's
> calling the shots as to what can or cannot run, its the XSL
> transformation that is used to generate the final ant build script.
>

But the packager resolver does run the ant task within the same JVM, so
presumably whatever security policy was in place before would still apply.


> Then again, is it possible to run subant in a sandox, i.e. with its
> own java security Policy? I don't know... never looked into it. Has
> anyone tried to run ant from within a sandbox? Is it even possible?
>

It should be possible to run pretty much anything in a security sandbox,
with sufficient configuration.

I think it's the right idea to consider refactoring the packager resolver to
use Java security mechanisms instead of using an ant task blacklist. That
way we could e.g., allow any file operations as long as they were below the
build working directory. This would more precisely implement what we want.
Please file a feature request for this if you like.

-Archie

-- 
Archie L. Cobbs

Re: Packager resolver - javadoc in restricted mode

[Stephen Woods <sw...@gmail.com>]

Unfortuantely, thats not how the packager resolver currently works.
The packager downloads mini-ant build files (package.xml), runs an
xslt transformation over them to make sure all of the ant tasks used
are on the "blessed" list, and then executes the build. So execution
isn't really from within a library where one could lock things down
with security policies per se. Its not really the Ivy library that's
calling the shots as to what can or cannot run, its the XSL
transformation that is used to generate the final ant build script.

Then again, is it possible to run subant in a sandox, i.e. with its
own java security Policy? I don't know... never looked into it. Has
anyone tried to run ant from within a sandbox? Is it even possible?

On Mon, Mar 23, 2009 at 1:34 PM, Alan Chaney <al...@writingshow.com> wrote:
> Stephen and Archie
>
> Stephen Woods wrote:
>>
>> Good point... I didn't even consider that the existing allowable tasks
>> were already unsafe....
>>
>> On Mon, Mar 23, 2009 at 12:55 PM, Archie Cobbs <ar...@gmail.com>
>> wrote:
>>
>>>
>>> Oops, sorry I missed the last sentence of your email.
>>>
>>> You are right. What's required however is some kind of security policy
>>> and
>>> for each ant task we should allow, a security analysis of whether it is
>>> considered "safe" or not.
>>>
>>>
>
> Just leaping in here... Is it the responsibility of a library API (which is
> what Ivy is) to decide on the appropriate security policy of the application
> calling it. Java has a very sophisticated security policy mechanism. For
> example, with a few lines in a security descriptor you can restrict write
> access to
> specific areas in the filing system. Wouldn't it be better to try and use
> the tools already in the language? In the example below you could easily
> write
> policy which didn't allow the packager application to overwrite specific
> files.
>
> Apologies if this is missing the point - I just thought I'd raise it.
>
> Regards
>
> Alan Chaney
>
>>> For example, the <javadoc> task creates a bunch of files. What if someone
>>> configured it to write these files to /srv/www (or whatever your document
>>> root is) so that it overwrote your existing index.html? Etc.
>>>
>>> A larger issue is that the tasks that we currently do allow in "safe"
>>> mode
>>> are already questionably "safe". E.g., <move> and <copy> are already
>>> perfectly capable of obliterating any sensitive files you may have.
>>>
>>> So, it's worth thinking about the big picture. E.g., at one point I
>>> suggested getting rid of "safe" mode (because it's not really safe) and
>>> have
>>> things always work in "unrestricted" mode. But other folks didn't like
>>> that
>>> idea -- with good reason.
>>>
>>> In the short term, it's reasonable to suggest that since <javadoc> is no
>>> less safe than <move> or <copy> then it should be included as well. But
>>> before we go through each and every ant task maybe we should think about
>>> whether "safe" mode is really useful.
>>>
>>> -Archie
>>>
>>> On Mon, Mar 23, 2009 at 11:45 AM, Stephen Woods <sw...@gmail.com>
>>> wrote:
>>>
>>>
>>>>
>>>> Well, yeah... I know that you can just set restricted="false" - I said
>>>> as much. But this opens the flood gates for all kinds of malicious
>>>> behavior. As far as I know, javadoc should be safe enough to run in
>>>> restricted mode.
>>>>
>>>> It would be nice to be able to run javadoc _without_ having to set
>>>> restricted to "false".
>>>>
>>>>
>>>> On Mon, Mar 23, 2009 at 9:15 AM, Archie Cobbs <ar...@gmail.com>
>>>> wrote:
>>>>
>>>>>
>>>>> You can do this already. You just have to set restricted="false" in
>>>>> your
>>>>> configuration of the packager resolver. Documentation is
>>>>> here<
>>>>>
>>>>
>>>>
>>>> http://ant.apache.org/ivy/history/latest-milestone/resolver/packager.html>
>>>>
>>>>>
>>>>> .
>>>>>
>>>>> -Archie
>>>>>
>>>>> On Sun, Mar 22, 2009 at 2:28 PM, Stephen Woods <sw...@gmail.com>
>>>>>
>>>>
>>>> wrote:
>>>>
>>>>>>
>>>>>> The packager resolver limits the types of ant commands a packager uses
>>>>>> to build its appropriate artifacts. Many of the source distributions
>>>>>> do not bundle pre-generated javadoc, but they do bundle source. It
>>>>>> would be nice to be able to run the javadoc ant task during the
>>>>>> packaging process in order to make javadoc artifacts without needing
>>>>>> to set the restricted attribute to "false". Is it even possible to
>>>>>> compromise a system by running javadoc?
>>>>>>
>>>>>> Just a thought for future ivy releases...
>>>>>>
>>>>>>
>>>>>
>>>>> --
>>>>> Archie L. Cobbs
>>>>>
>>>>>
>>>
>>> --
>>> Archie L. Cobbs
>>>
>>>
>>
>>
>> !DSPAM:49c7c630245372051017194!
>>
>>
>
>

Re: Packager resolver - javadoc in restricted mode

[Alan Chaney <al...@writingshow.com>]

Stephen and Archie

Stephen Woods wrote:
> Good point... I didn't even consider that the existing allowable tasks
> were already unsafe....
>
> On Mon, Mar 23, 2009 at 12:55 PM, Archie Cobbs <ar...@gmail.com> wrote:
>   
>> Oops, sorry I missed the last sentence of your email.
>>
>> You are right. What's required however is some kind of security policy and
>> for each ant task we should allow, a security analysis of whether it is
>> considered "safe" or not.
>>
>>     
Just leaping in here... Is it the responsibility of a library API (which 
is what Ivy is) to decide on the appropriate security policy of the 
application
calling it. Java has a very sophisticated security policy mechanism. For 
example, with a few lines in a security descriptor you can restrict 
write access to
specific areas in the filing system. Wouldn't it be better to try and 
use the tools already in the language? In the example below you could 
easily write
policy which didn't allow the packager application to overwrite specific 
files.

Apologies if this is missing the point - I just thought I'd raise it.

Regards

Alan Chaney

>> For example, the <javadoc> task creates a bunch of files. What if someone
>> configured it to write these files to /srv/www (or whatever your document
>> root is) so that it overwrote your existing index.html? Etc.
>>
>> A larger issue is that the tasks that we currently do allow in "safe" mode
>> are already questionably "safe". E.g., <move> and <copy> are already
>> perfectly capable of obliterating any sensitive files you may have.
>>
>> So, it's worth thinking about the big picture. E.g., at one point I
>> suggested getting rid of "safe" mode (because it's not really safe) and have
>> things always work in "unrestricted" mode. But other folks didn't like that
>> idea -- with good reason.
>>
>> In the short term, it's reasonable to suggest that since <javadoc> is no
>> less safe than <move> or <copy> then it should be included as well. But
>> before we go through each and every ant task maybe we should think about
>> whether "safe" mode is really useful.
>>
>> -Archie
>>
>> On Mon, Mar 23, 2009 at 11:45 AM, Stephen Woods <sw...@gmail.com> wrote:
>>
>>     
>>> Well, yeah... I know that you can just set restricted="false" - I said
>>> as much. But this opens the flood gates for all kinds of malicious
>>> behavior. As far as I know, javadoc should be safe enough to run in
>>> restricted mode.
>>>
>>> It would be nice to be able to run javadoc _without_ having to set
>>> restricted to "false".
>>>
>>>
>>> On Mon, Mar 23, 2009 at 9:15 AM, Archie Cobbs <ar...@gmail.com>
>>> wrote:
>>>       
>>>> You can do this already. You just have to set restricted="false" in your
>>>> configuration of the packager resolver. Documentation is
>>>> here<
>>>>         
>>> http://ant.apache.org/ivy/history/latest-milestone/resolver/packager.html>
>>>       
>>>> .
>>>>
>>>> -Archie
>>>>
>>>> On Sun, Mar 22, 2009 at 2:28 PM, Stephen Woods <sw...@gmail.com>
>>>>         
>>> wrote:
>>>       
>>>>> The packager resolver limits the types of ant commands a packager uses
>>>>> to build its appropriate artifacts. Many of the source distributions
>>>>> do not bundle pre-generated javadoc, but they do bundle source. It
>>>>> would be nice to be able to run the javadoc ant task during the
>>>>> packaging process in order to make javadoc artifacts without needing
>>>>> to set the restricted attribute to "false". Is it even possible to
>>>>> compromise a system by running javadoc?
>>>>>
>>>>> Just a thought for future ivy releases...
>>>>>
>>>>>           
>>>>
>>>> --
>>>> Archie L. Cobbs
>>>>
>>>>         
>>
>> --
>> Archie L. Cobbs
>>
>>     
>
>
> !DSPAM:49c7c630245372051017194!
>
>   

Re: Packager resolver - javadoc in restricted mode

[Stephen Woods <sw...@gmail.com>]

Good point... I didn't even consider that the existing allowable tasks
were already unsafe....

On Mon, Mar 23, 2009 at 12:55 PM, Archie Cobbs <ar...@gmail.com> wrote:
> Oops, sorry I missed the last sentence of your email.
>
> You are right. What's required however is some kind of security policy and
> for each ant task we should allow, a security analysis of whether it is
> considered "safe" or not.
>
> For example, the <javadoc> task creates a bunch of files. What if someone
> configured it to write these files to /srv/www (or whatever your document
> root is) so that it overwrote your existing index.html? Etc.
>
> A larger issue is that the tasks that we currently do allow in "safe" mode
> are already questionably "safe". E.g., <move> and <copy> are already
> perfectly capable of obliterating any sensitive files you may have.
>
> So, it's worth thinking about the big picture. E.g., at one point I
> suggested getting rid of "safe" mode (because it's not really safe) and have
> things always work in "unrestricted" mode. But other folks didn't like that
> idea -- with good reason.
>
> In the short term, it's reasonable to suggest that since <javadoc> is no
> less safe than <move> or <copy> then it should be included as well. But
> before we go through each and every ant task maybe we should think about
> whether "safe" mode is really useful.
>
> -Archie
>
> On Mon, Mar 23, 2009 at 11:45 AM, Stephen Woods <sw...@gmail.com> wrote:
>
>> Well, yeah... I know that you can just set restricted="false" - I said
>> as much. But this opens the flood gates for all kinds of malicious
>> behavior. As far as I know, javadoc should be safe enough to run in
>> restricted mode.
>>
>> It would be nice to be able to run javadoc _without_ having to set
>> restricted to "false".
>>
>>
>> On Mon, Mar 23, 2009 at 9:15 AM, Archie Cobbs <ar...@gmail.com>
>> wrote:
>> > You can do this already. You just have to set restricted="false" in your
>> > configuration of the packager resolver. Documentation is
>> > here<
>> http://ant.apache.org/ivy/history/latest-milestone/resolver/packager.html>
>> > .
>> >
>> > -Archie
>> >
>> > On Sun, Mar 22, 2009 at 2:28 PM, Stephen Woods <sw...@gmail.com>
>> wrote:
>> >
>> >> The packager resolver limits the types of ant commands a packager uses
>> >> to build its appropriate artifacts. Many of the source distributions
>> >> do not bundle pre-generated javadoc, but they do bundle source. It
>> >> would be nice to be able to run the javadoc ant task during the
>> >> packaging process in order to make javadoc artifacts without needing
>> >> to set the restricted attribute to "false". Is it even possible to
>> >> compromise a system by running javadoc?
>> >>
>> >> Just a thought for future ivy releases...
>> >>
>> >
>> >
>> >
>> > --
>> > Archie L. Cobbs
>> >
>>
>
>
>
> --
> Archie L. Cobbs
>

Re: Packager resolver - javadoc in restricted mode

[Archie Cobbs <ar...@gmail.com>]

Oops, sorry I missed the last sentence of your email.

You are right. What's required however is some kind of security policy and
for each ant task we should allow, a security analysis of whether it is
considered "safe" or not.

For example, the <javadoc> task creates a bunch of files. What if someone
configured it to write these files to /srv/www (or whatever your document
root is) so that it overwrote your existing index.html? Etc.

A larger issue is that the tasks that we currently do allow in "safe" mode
are already questionably "safe". E.g., <move> and <copy> are already
perfectly capable of obliterating any sensitive files you may have.

So, it's worth thinking about the big picture. E.g., at one point I
suggested getting rid of "safe" mode (because it's not really safe) and have
things always work in "unrestricted" mode. But other folks didn't like that
idea -- with good reason.

In the short term, it's reasonable to suggest that since <javadoc> is no
less safe than <move> or <copy> then it should be included as well. But
before we go through each and every ant task maybe we should think about
whether "safe" mode is really useful.

-Archie

On Mon, Mar 23, 2009 at 11:45 AM, Stephen Woods <sw...@gmail.com> wrote:

> Well, yeah... I know that you can just set restricted="false" - I said
> as much. But this opens the flood gates for all kinds of malicious
> behavior. As far as I know, javadoc should be safe enough to run in
> restricted mode.
>
> It would be nice to be able to run javadoc _without_ having to set
> restricted to "false".
>
>
> On Mon, Mar 23, 2009 at 9:15 AM, Archie Cobbs <ar...@gmail.com>
> wrote:
> > You can do this already. You just have to set restricted="false" in your
> > configuration of the packager resolver. Documentation is
> > here<
> http://ant.apache.org/ivy/history/latest-milestone/resolver/packager.html>
> > .
> >
> > -Archie
> >
> > On Sun, Mar 22, 2009 at 2:28 PM, Stephen Woods <sw...@gmail.com>
> wrote:
> >
> >> The packager resolver limits the types of ant commands a packager uses
> >> to build its appropriate artifacts. Many of the source distributions
> >> do not bundle pre-generated javadoc, but they do bundle source. It
> >> would be nice to be able to run the javadoc ant task during the
> >> packaging process in order to make javadoc artifacts without needing
> >> to set the restricted attribute to "false". Is it even possible to
> >> compromise a system by running javadoc?
> >>
> >> Just a thought for future ivy releases...
> >>
> >
> >
> >
> > --
> > Archie L. Cobbs
> >
>



-- 
Archie L. Cobbs

Re: Packager resolver - javadoc in restricted mode

[Stephen Woods <sw...@gmail.com>]

Well, yeah... I know that you can just set restricted="false" - I said
as much. But this opens the flood gates for all kinds of malicious
behavior. As far as I know, javadoc should be safe enough to run in
restricted mode.

It would be nice to be able to run javadoc _without_ having to set
restricted to "false".


On Mon, Mar 23, 2009 at 9:15 AM, Archie Cobbs <ar...@gmail.com> wrote:
> You can do this already. You just have to set restricted="false" in your
> configuration of the packager resolver. Documentation is
> here<http://ant.apache.org/ivy/history/latest-milestone/resolver/packager.html>
> .
>
> -Archie
>
> On Sun, Mar 22, 2009 at 2:28 PM, Stephen Woods <sw...@gmail.com> wrote:
>
>> The packager resolver limits the types of ant commands a packager uses
>> to build its appropriate artifacts. Many of the source distributions
>> do not bundle pre-generated javadoc, but they do bundle source. It
>> would be nice to be able to run the javadoc ant task during the
>> packaging process in order to make javadoc artifacts without needing
>> to set the restricted attribute to "false". Is it even possible to
>> compromise a system by running javadoc?
>>
>> Just a thought for future ivy releases...
>>
>
>
>
> --
> Archie L. Cobbs
>

Re: Packager resolver - javadoc in restricted mode

[Archie Cobbs <ar...@gmail.com>]

You can do this already. You just have to set restricted="false" in your
configuration of the packager resolver. Documentation is
here<http://ant.apache.org/ivy/history/latest-milestone/resolver/packager.html>
.

-Archie

On Sun, Mar 22, 2009 at 2:28 PM, Stephen Woods <sw...@gmail.com> wrote:

> The packager resolver limits the types of ant commands a packager uses
> to build its appropriate artifacts. Many of the source distributions
> do not bundle pre-generated javadoc, but they do bundle source. It
> would be nice to be able to run the javadoc ant task during the
> packaging process in order to make javadoc artifacts without needing
> to set the restricted attribute to "false". Is it even possible to
> compromise a system by running javadoc?
>
> Just a thought for future ivy releases...
>



-- 
Archie L. Cobbs